Introduction

Oneiric d.o.o. ("we", "us", or "our") operates the PCI DSS Dashboard platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our Service.

Key Points: We collect only the data necessary to provide our compliance management service. We do not sell your data. We implement strong security measures to protect your information. You have rights over your personal data.

Information We Collect

Information You Provide

When you register for and use PCI DSS Dashboard, you may provide us with:

  • Account Information: Name, email address, password, organization name, and job title
  • Profile Information: Phone number, profile picture, and preferences
  • Compliance Data: Information you enter about your systems, policies, assessments, and compliance status
  • Documents: Files you upload including policies, evidence, scan reports, and other compliance documentation
  • Communications: Messages you send to us for support or feedback

Information Collected Automatically

When you access our Service, we automatically collect:

  • Log Data: IP address, browser type, operating system, referring URLs, pages visited, and timestamps
  • Device Information: Device type, screen resolution, and browser settings
  • Usage Data: Features used, actions performed, and time spent on the platform
  • Cookies: Session identifiers and authentication tokens (see Cookies section below)

How We Use Your Information

We use the information we collect to:

  • Provide the Service: Create your account, store your compliance data, generate reports
  • Communicate with You: Send task reminders, security alerts, service updates, and support responses
  • Improve the Service: Analyze usage patterns, fix bugs, develop new features
  • Ensure Security: Detect fraud, prevent unauthorized access, maintain audit logs
  • Legal Compliance: Respond to legal requests, enforce our terms, protect our rights

Information Sharing

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

Service Providers

We work with trusted third-party companies that help us operate our Service:

  • Cloud Hosting: To store and process your data securely
  • Email Services: To send transactional emails and notifications
  • Analytics: To understand how our Service is used (anonymized data only)
  • Payment Processing: To handle subscription payments (we do not store your payment card details)

These providers are contractually obligated to protect your data and use it only for the services they provide to us.

Legal Requirements

We may disclose your information if required by law or in response to valid legal requests, such as:

  • Court orders or subpoenas
  • Government or regulatory agency requests
  • To protect our rights, property, or safety
  • To investigate potential violations of our terms

Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.

With Your Consent

We may share your information for other purposes with your explicit consent.

Data Security

We implement appropriate technical and organizational measures to protect your personal information:

  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access Controls: Role-based access with principle of least privilege
  • Authentication: Secure password hashing and session management
  • Monitoring: Continuous security monitoring and logging
  • Backups: Regular encrypted backups with secure storage
  • Auditing: Comprehensive audit trails for all system access

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

Data Retention

We retain your information for as long as necessary to provide our Service and fulfill the purposes described in this policy:

  • Active Accounts: Data is retained while your account is active
  • Deleted Accounts: Personal data is deleted within 30 days of account deletion request
  • Compliance Data: Retained according to your organization's settings and applicable legal requirements
  • Audit Logs: Retained for 7 years to support compliance and security requirements
  • Backups: Retained for up to 90 days after data is deleted from production

Cookies and Tracking

We use cookies and similar technologies to operate our Service:

Essential Cookies

Required for the Service to function:

  • Session Cookie: Maintains your logged-in session
  • CSRF Token: Protects against cross-site request forgery attacks

Analytics

We use Google Analytics on our marketing pages to understand visitor behavior. This data is anonymized and does not include personal information from within the application. You can opt out using browser settings or the Google Analytics Opt-out Browser Add-on.

Your Rights

Depending on your location, you may have certain rights regarding your personal information:

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your personal data
  • Portability: Request your data in a portable format
  • Objection: Object to certain processing activities
  • Restriction: Request limitation of processing

To exercise these rights, please contact us at privacy@oneiric.me. We will respond within 30 days.

For detailed information about your rights under GDPR, please see our GDPR Compliance page.

International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. When we transfer data internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.

Children's Privacy

Our Service is not intended for children under the age of 16. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately and we will take steps to delete such information.

Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any personal information.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the updated policy on this page
  • Updating the "Last updated" date
  • Sending an email notification for significant changes

Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

privacy@oneiric.me