Operator: QSai LLC (CISO Marketplace)
Site / Platform: cisodiy
Domains Covered: cisodiy.pages.dev, ciso.diy, www.ciso.diy
Effective Date: 2026-06-14
Next Scheduled Review: 2027-06-14
Jurisdictions in Scope: EU, US, US-CA, global
> Document Status: PROPOSED — this template must be ratified by the Data Protection Officer (and legal counsel where required) before publication. It does not constitute legal advice.
1. [Who We Are](#1-who-we-are)
2. [Scope of This Notice](#2-scope-of-this-notice)
3. [Data We Collect and Why](#3-data-we-collect-and-why)
4. [Lawful Basis for Processing](#4-lawful-basis-for-processing)
5. [How We Use Your Data](#5-how-we-use-your-data)
6. [Sharing and Disclosure](#6-sharing-and-disclosure)
7. [International Transfers](#7-international-transfers)
8. [Retention and Disposal](#8-retention-and-disposal)
9. [Cookies and Similar Technologies](#9-cookies-and-similar-technologies)
10. [Data-Subject Rights](#10-data-subject-rights)
11. [California Residents — CCPA / CPRA](#11-california-residents--ccpa--cpra)
12. [Children's Privacy](#12-childrens-privacy)
13. [Security](#13-security)
14. [Data Breaches](#14-data-breaches)
15. [Changes to This Policy](#15-changes-to-this-policy)
16. [Contact and Complaints](#16-contact-and-complaints)
QSai LLC (CISO Marketplace) ("we", "us", "our") operates the website(s) and platform(s) accessible at cisodiy.pages.dev, ciso.diy, www.ciso.diy (collectively, "cisodiy").
For the purposes of the EU General Data Protection Regulation (GDPR) and equivalent legislation, QSai LLC (CISO Marketplace) is the data controller in respect of personal data collected through cisodiy.
For the purposes of the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), QSai LLC (CISO Marketplace) is the business.
Our designated contact for all privacy matters is our Data Protection Officer (DPO). Contact details are in [Section 16](#16-contact-and-complaints).
This Privacy Policy applies to all personal data and personal information (the terms are used interchangeably in this document to cover definitions under both GDPR and CCPA) collected through:
This policy does not apply to third-party websites linked from cisodiy. We encourage you to review the privacy notices of any third-party sites you visit.
Where cisodiy offers e-commerce or marketplace functionality, additional terms apply as set out in Payments are processed by Stripe; see our Refund & Return and Shipping policies..
We collect only personal data that is adequate, relevant, and limited to what is necessary for the purposes described below (data-minimisation principle, GDPR Art. 5(1)(c)).
The categories of personal data we collect are:
payment/billing, personal, contact/email
> Implementer note: Replace payment/billing, personal, contact/email with a structured list for each site deployment. Recommended format per category: Category name — specific fields — source (direct / automatic / third party) — purpose. Example categories include: Identity Data, Contact Data, Account Credentials, Usage & Log Data, Transaction Data, Communications Data, Cookie & Device Data, Marketing Preferences.
We do not knowingly collect special-category (sensitive) personal data (e.g., health, racial or ethnic origin, political opinions, biometric data) unless a separate, explicit consent or statutory basis applies and is documented in our Records of Processing Activities (RoPA).
For each processing activity, we identify and document a lawful basis as required by GDPR Art. 6. The primary bases we rely on are:
| Lawful Basis | When We Use It |
|---|---|
| Contract (Art. 6(1)(b)) | Processing necessary to provide a service you have requested or to take steps at your request before entering a contract (e.g., creating an account, processing a transaction). |
| Legitimate Interests (Art. 6(1)(f)) | Processing necessary for our legitimate business interests, where those interests are not overridden by your rights — for example, fraud prevention, IT security, product improvement, and direct marketing to existing customers. A Legitimate Interests Assessment (LIA) is documented internally for each such activity. |
| Consent (Art. 6(1)(a)) | Where you have given free, specific, informed, and unambiguous consent — for example, subscribing to a newsletter, or accepting non-essential cookies. You may withdraw consent at any time without detriment. |
| Legal Obligation (Art. 6(1)(c)) | Where processing is necessary to comply with a legal obligation to which we are subject (e.g., tax records, anti-money laundering checks). |
| Vital Interests (Art. 6(1)(d)) | In rare circumstances, to protect someone's life. |
Where we process special-category data, we additionally identify a condition under GDPR Art. 9(2) and document this in our RoPA.
For California residents, we describe our specific CCPA / CPRA collection purposes and consumer rights in [Section 11](#11-california-residents--ccpa--cpra).
We use the personal data we collect for the following purposes, always consistent with the lawful basis identified above and the purpose for which the data was originally collected (purpose-limitation principle):
1. Service Delivery — To operate, maintain, and improve cisodiy, including account management, authentication, and customer support.
2. Transactional Communications — To send confirmations, invoices, technical notices, and security alerts directly related to your use of cisodiy.
3. Marketing Communications — To send promotional content where you have consented or where we have a legitimate interest in marketing similar products or services to existing customers. You may opt out at any time (see [Section 10](#10-data-subject-rights)).
4. Security and Fraud Prevention — To detect, investigate, and prevent fraudulent transactions, abuse, and other illegal activities, and to protect the rights and property of QSai LLC (CISO Marketplace) and its users.
5. Legal and Regulatory Compliance — To comply with applicable laws, regulations, court orders, and requests from law-enforcement or regulatory authorities.
6. Analytics and Product Development — To analyse usage patterns, diagnose technical problems, and inform decisions about new features. Where possible, we use aggregated or pseudonymised data for this purpose.
7. Contractual Obligations — Where required under Payments are processed by Stripe; see our Refund & Return and Shipping policies. or other agreements between you and QSai LLC (CISO Marketplace).
We will not use your personal data for automated decision-making that produces legal or similarly significant effects without your explicit consent or another GDPR Art. 22 justification, and we will inform you separately if such processing is proposed.
We do not sell your personal data to third parties.
We share personal data only in the following circumstances, and only to the extent necessary:
We engage trusted third-party service providers who process data on our behalf under written data-processing agreements that impose equivalent data-protection obligations. Categories of service providers include, but are not limited to: cloud infrastructure providers, email delivery services, analytics providers, payment processors, customer-support platforms, and security/monitoring vendors.
Where cisodiy operates a marketplace or partner ecosystem, we may share data with vetted partners solely for the purpose of fulfilling a service you have requested. These partners are identified in relevant service-specific disclosures.
We may disclose personal data where required or permitted by law — for example, in response to a court order, subpoena, or regulatory investigation, or to protect the safety of any person.
In the event of a merger, acquisition, reorganisation, or sale of assets, personal data may be transferred to a successor entity, subject to equivalent privacy protections. Affected individuals will be notified as required by applicable law.
We may share aggregated, anonymised, or de-identified information that cannot reasonably identify you, for industry research, analytics, or marketing purposes.
QSai LLC (CISO Marketplace) operates in EU, US, US-CA, global. Personal data may be transferred to, and processed in, countries outside your home jurisdiction, including countries that may not provide an equivalent level of data protection.
When we transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to a third country, we ensure an adequate level of protection through one or more of the following mechanisms:
You may request a copy of the relevant transfer mechanism by contacting us at privacy@cisomarketplace.com.
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required or permitted by law — consistent with our internal Data Retention & Disposal Policy (SEC-DRP-001).
Key retention principles:
As a general guide (specific periods are defined in the RoPA):
| Data Category | Indicative Retention Period |
|---|---|
| Account and identity data | Duration of account + [X] years after closure |
| Transaction records | [X] years (tax / legal obligation) |
| Marketing consent records | Duration of consent + [X] years |
| System and access logs | [X] months (security / audit) |
| Support / correspondence | [X] years after resolution |
> Implementer note: Replace bracketed [X] values with periods from the ratified retention schedule before publication.
Consistent with our internal Cookie & Consent Policy (QSai-PRV-003), cisodiy uses cookies and similar tracking technologies (collectively, "cookies").
Cookies are small data files placed on your device. We also use pixels, local storage, and similar mechanisms. Cookies may be first-party (set by cisodiy.pages.dev, ciso.diy, www.ciso.diy) or third-party (set by our service providers).
| Category | Purpose | Consent Required? |
|---|---|---|
| Strictly Necessary | Essential for the website to function (e.g., session management, security). Cannot be disabled. | No (legitimate interest / necessity) |
| Functional / Preference | Remember your settings and preferences (e.g., language, region). | Yes |
| Analytics / Performance | Understand how visitors use the site; improve performance. Data is aggregated where possible. | Yes |
| Marketing / Advertising | Deliver relevant advertisements; track campaign effectiveness. | Yes |
Consent records (who consented, when, and to what version of the consent notice) are logged and retained for audit purposes.
A full, up-to-date inventory of cookies used on cisodiy, including names, providers, purposes, and lifespans, is available in our Cookie Declaration, accessible via the consent management banner on cisodiy.pages.dev, ciso.diy, www.ciso.diy.
Depending on your jurisdiction, you have the following rights in relation to your personal data. We process all rights requests in line with our internal Data Subject Rights (DSAR) Policy (QSai-PRIV-003). We will respond without undue delay and, in any event, within the statutory deadline (generally 30 calendar days under GDPR; 45 calendar days under CCPA, extendable once by a further 45 days with notice).
| Right | What It Means | How to Exercise |
|---|---|---|
| Access (Right to Know) | Obtain confirmation of whether we process your data and receive a copy of it. | Submit a DSAR via privacy@cisomarketplace.com or our designated request form. |
| Rectification / Correction | Have inaccurate or incomplete data corrected. | Submit a DSAR or update your account settings directly. |
| Erasure (Right to Delete) | Request deletion of your personal data where there is no lawful reason to continue processing. | Submit a deletion request via privacy@cisomarketplace.com. We will confirm completion or explain any applicable exemption. |
| Restriction of Processing | Ask us to pause processing of your data in defined circumstances (e.g., while accuracy is contested). | Submit a DSAR via privacy@cisomarketplace.com. |
| Data Portability | Receive your data in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible. | Submit a portability request via privacy@cisomarketplace.com. |
| Object | Object to processing based on legitimate interests or for direct marketing. Direct-marketing objections are absolute; others are assessed against our compelling grounds. | Use the unsubscribe link in any marketing email, or submit a request via privacy@cisomarketplace.com. |
| Opt-Out of Sale / Sharing | Prevent us from selling or sharing your personal information (applicable primarily under CCPA; see Section 11). | Use the "Do Not Sell or Share My Personal Information" link on cisodiy.pages.dev, ciso.diy, www.ciso.diy, or contact us at privacy@cisomarketplace.com. |
| Withdraw Consent | Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing. | Use the consent management banner for cookies, the unsubscribe link for marketing emails, or contact privacy@cisomarketplace.com. |
| Non-Discrimination | We will not discriminate against you for exercising any privacy right. | N/A — this is a standing commitment. |
To protect against fraudulent requests, we will verify your identity before processing a DSAR. Verification requirements are proportionate to the sensitivity of the data and the nature of the request. We will not require excessive personal data for verification.
You may designate an authorised agent to submit requests on your behalf. We may require written proof of authorisation and may verify your identity directly.
If we decline your request, we will explain the reason. You may appeal our decision by contacting privacy@cisomarketplace.com with the subject line "DSAR Appeal." If you remain dissatisfied, you have the right to lodge a complaint with the relevant supervisory authority (see [Section 16](#16-contact-and-complaints)).
This section supplements the rest of this policy and applies solely to residents of the State of California. It is provided in compliance with the California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA).
In the preceding 12 months, we have collected personal information falling within the following CCPA categories (the specific data fields are detailed in Section 3 via payment/billing, personal, contact/email):
We collect the above categories for the business purposes described in Section 5.
We do not sell personal information for monetary consideration. To the extent we engage in cross-context behavioural advertising ("sharing" under CPRA), you have the right to opt out via the "Do Not Sell or Share My Personal Information" link on cisodiy.pages.dev, ciso.diy, www.ciso.diy.
Where we collect sensitive personal information as defined by CPRA (e.g., precise geolocation, account log-in credentials), we use it only as necessary to provide the services you request and do not use or disclose it for inferring characteristics about you. You have the right to limit our use and disclosure of sensitive personal information.
| CCPA / CPRA Right | Description |
|---|---|
| Right to Know | Request disclosure of the categories and specific pieces of personal information collected, the sources, the business purposes, and third parties with whom it is shared. |
| Right to Delete | Request deletion of personal information we have collected, subject to legal exceptions. |
| Right to Correct | Request correction of inaccurate personal information. |
| Right to Opt-Out | Opt out of the sale or sharing of personal information. |
| Right to Limit Use of Sensitive PI | Limit our use of sensitive personal information to necessary service provision. |
| Right to Non-Discrimination | We will not deny goods or services, charge different prices, or provide a different quality of service because you exercised a CCPA right. |
To exercise these rights, submit a verifiable consumer request to privacy@cisomarketplace.com or use the methods described in Section 10. We will respond within 45 calendar days (extendable to 90 days with notice).
California Civil Code §1798.83 permits California residents to request information about disclosures of personal information to third parties for their direct-marketing purposes. To make such a request, contact us at privacy@cisomarketplace.com.
cisodiy is not directed to children under the age of 16 (or under 13 where US COPPA applies). We do not knowingly collect personal data from children. If you believe we have inadvertently collected personal data from a child, please contact us immediately at privacy@cisomarketplace.com and we will take prompt steps to delete the information.
We implement appropriate technical and organisational measures (TOMs) to protect personal data against unauthorised access, accidental loss, destruction, or damage — consistent with the integrity-and-confidentiality principle (GDPR Art. 5(1)(f)) and our internal Information Security policies.
Measures include, but are not limited to:
No transmission over the internet is 100% secure. We encourage you to use strong, unique passwords and to contact us promptly if you suspect any unauthorised use of your account.
In the event of a personal-data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:
This is governed by our internal Data Breach Notification Policy. If you discover or suspect a breach involving your data, please contact us immediately at privacy@cisomarketplace.com.
We review this Privacy Policy at least annually (next scheduled review: 2027-06-14) and whenever there is a material change to our processing activities, applicable law, or our technology stack.
When we make material changes, we will:
Your continued use of cisodiy after the effective date of a revised policy constitutes acceptance of the changes, to the extent permitted by applicable law.
Previous versions of this policy are available on request by contacting privacy@cisomarketplace.com.
For all privacy-related enquiries, data-subject rights requests, consent withdrawals, or complaints, please contact us:
Data Protection Officer
QSai LLC (CISO Marketplace)
Email: privacy@cisomarketplace.com
Please mark your subject line clearly (e.g., "DSAR Request", "Cookie Complaint", "CCPA Request") to ensure prompt routing. We aim to acknowledge all enquiries within 5 business days.
If you are located in the EEA or UK and believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with your local data-protection supervisory authority — for example:
We would appreciate the opportunity to address your concerns before you contact a supervisory authority and encourage you to reach out to us first.
California residents who believe their CCPA / CPRA rights have been violated may contact the California Privacy Protection Agency (CPPA) at [cppa.ca.gov](https://cppa.ca.gov) or the California Attorney General at [oag.ca.gov/privacy](https://oag.ca.gov/privacy).
This document is a PROPOSED master template authored by the Data Protection Officer. It becomes authoritative only upon ratification by the DPO and, where legally required, qualified legal counsel. It does not constitute legal advice. Jurisdictional variations must be assessed and applied by a qualified privacy professional before deployment in any specific territory covered by EU, US, US-CA, global.
Document ID: DP-PP-MASTER-001
Owner: Data Protection Officer
Classification: Public (upon ratification)
Version: 1.0 — PROPOSED
Effective Date: 2026-06-14
Next Review: 2027-06-14