Privacy Policy and Data Protection Notice
Effective Date: 12 July 2026 · Version: 2.0
This Privacy Policy and Data Protection Notice (this “Policy”) is issued by Boardmentor LTD, doing business as CISM Prep (“CISM Prep,” “Company,” “we,” “us,” or “our”), in its capacity as the controller or business responsible for determining the purposes and means of Processing Personal Data in connection with the Services.
This Policy governs the collection, use, storage, analysis, disclosure, sale, sharing, transfer, retention, deletion, and other Processing of Personal Data arising from or relating to the website and web application available at https://cismexam.com, together with the examination-preparation, study, account, payment-entitlement, support, analytics, advertising, and related services made available through them (collectively, the “Services”).
The Company has adopted this Policy to provide a legally operative and reasonably comprehensive statement of its Processing practices. This Policy is a notice and not a waiver, limitation, or enlargement of any right or obligation arising under Applicable Data Protection Law. A person who does not agree with the Processing described herein should not provide Personal Data to the Company and should discontinue use of the Services, subject always to any Processing that remains lawful or necessary notwithstanding such discontinuation.
Article I — Definitions and Rules of Construction
§ 1.1 Defined Terms
For purposes of this Policy, the following terms have the meanings set forth below:
“Applicable Data Protection Law” means any privacy, data-protection, direct-marketing, electronic-communications, consumer-protection, cybersecurity, breach-notification, or similar law, regulation, binding code, or legally enforceable requirement applicable to a particular Processing activity.
“Personal Data” or “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable natural person or household. Personal Data does not include information lawfully rendered anonymous in such a manner that the person is no longer reasonably identifiable.
“Processing” means any operation or set of operations performed upon Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, analysis, inference, use, disclosure, dissemination, transmission, combination, restriction, deletion, anonymization, and destruction.
“Service Provider” means a processor, contractor, professional adviser, merchant, platform, or other third party that Processes Personal Data for, on behalf of, at the direction of, or in connection with the Company, subject to contractual, statutory, professional, or other legally enforceable obligations as applicable to the relationship.
“Sell,” “Sale,” “Share,” “Sharing,” and “Targeted Advertising” shall have the meanings assigned to those terms by the Applicable Data Protection Law governing the relevant Processing. Depending on the applicable definition, a Sale or Sharing may include a disclosure for cross-context behavioral advertising, audience matching, campaign measurement, attribution, or other valuable consideration, notwithstanding that no monetary payment is made to the Company.
§ 1.2 Construction
Unless the context requires otherwise: (a) the singular includes the plural and vice versa; (b) the words “include,” “includes,” and “including” are illustrative and not limiting; (c) a reference to a law includes any amendment, consolidation, replacement, or successor provision; (d) headings are inserted solely for convenience and do not limit the construction of this Policy; and (e) a reference to a Section or Article is a reference to a section or article of this Policy.
Article II — Scope, Capacity, and Application
§ 2.1 Covered Services
This Policy applies exclusively to Personal Data Processed by or on behalf of CISM Prep in connection with the Services made available through cismexam.com. A separately branded website, platform, application, or service that publishes its own privacy notice is governed by that separate notice and not by this Policy.
§ 2.2 Controller Capacity
Boardmentor LTD is the controller or responsible business with respect to the Processing for which it determines the purposes and means. Certain payment merchants, advertising platforms, authentication providers, or other third parties may act as independent controllers or businesses with respect to Processing they undertake for their own purposes. Their independent Processing is governed by their respective notices and legal obligations.
§ 2.3 Acknowledgment; Consent Distinguished
Accessing or using the Services constitutes acknowledgment that this Policy has been made available. Such acknowledgment does not constitute consent where Applicable Data Protection Law requires consent to be specific, informed, freely given, unambiguous, express, or separately obtained. Where consent is the applicable legal basis, the Company will rely upon the consent mechanism associated with the relevant Processing and not merely upon the existence of this Policy.
§ 2.4 Third-Party Properties
The Services may contain links to, integrations with, or functionality supplied by third parties. Except where the Company determines the purposes and means of the relevant Processing, the Company does not control and is not responsible for the independent privacy, security, or data-handling practices of such third parties. The inclusion of a link or integration does not constitute an endorsement or assumption of responsibility.
Article III — Categories and Sources of Personal Data
§ 3.1 Account and Identity Data
The Company collects the email address used to establish or administer an Account; the name and email address returned by a federated sign-in provider where that method is selected; the authentication method associated with the Account; internal Account identifiers; Account status; access entitlements; and records evidencing acceptance of the Terms of Service, including the version accepted and the date and time of acceptance.
The Company does not receive the password used for a third-party sign-in account. Authentication credentials are Processed through managed authentication infrastructure, and the Company does not intentionally store user passwords in plaintext.
§ 3.2 Study, Performance, and Derived Data
The Company collects practice-question responses, selected answers, study history, study progress, feature usage, performance statistics, and derived readiness indicators. Readiness indicators and related metrics are computational estimates provided for study purposes only and do not constitute authoritative predictions, professional advice, or guarantees of examination performance.
§ 3.3 Purchase, Transaction, and Entitlement Data
The Company collects transaction references, purchase status, product or access pass purchased, access period, renewal status, refund and chargeback information, and the entitlements assigned to an Account. Complete payment-card numbers and card-security codes are submitted directly to the applicable payment merchant or merchant of record and are not intentionally received or stored by the Company.
§ 3.4 Usage, Technical, Device, and Security Data
The Company may collect Internet Protocol addresses; browser type and version; device type; operating system; language and comparable technical characteristics; dates, times, frequency, and duration of access; pages, screens, features, links, and interface elements accessed or used; referral sources; campaign, conversion, and attribution information; approximate location derived from an Internet Protocol address; diagnostic, security, error, and session information; and the volume, sequence, timing, and pattern of questions, Content, or features requested by or delivered to an Account.
The Company may associate technical and usage information with an Account, transaction, browser, device, session, or network where reasonably necessary to provide the Services, enforce usage limits, protect proprietary Content, prevent fraud or abuse, maintain security, investigate suspected violations, or exercise legal rights.
§ 3.5 Communications and Support Data
Where a person communicates with the Company, the Company collects the content of the communication and its associated metadata. Support Chat Data may include messages, Account email address, Internet Protocol address, timestamps, attachments, conversation history, routing information, and records of support action.
Support chat may use artificial intelligence to generate or assist with responses. For that purpose, chat content may be transmitted to an artificial-intelligence Service Provider contractually restricted from using such content to train its general-purpose artificial-intelligence models. Authorized human personnel may review, join, take over, audit, or otherwise Process a conversation for support, escalation, quality assurance, security, fraud and abuse prevention, dispute resolution, and legal compliance.
§ 3.6 Analytics, Advertising, Attribution, and Marketing Data
The Company may collect or derive online identifiers, cookie identifiers, device identifiers, advertising identifiers, page and feature activity, navigation patterns, engagement information, campaign attribution, advertising interactions, audience membership, inferred preferences, likely interests, and other marketing or measurement information. The Company may combine such information with Account Data, Usage Data, or information lawfully received from analytics, advertising, social-media, referral, affiliate, or marketing partners for campaign measurement, audience creation, attribution, personalization, lead generation, and Targeted Advertising.
§ 3.7 Sensitive Personal Data
The Services are not designed or intended to collect government identification numbers, precise geolocation, financial-account credentials, medical records, biometric identifiers, information revealing racial or ethnic origin, religious or philosophical beliefs, trade-union membership, sexual life or orientation, or other legally protected sensitive information. Users shall not submit such information through support chat or free-text fields unless the Company specifically requests it for a lawful and disclosed purpose.
Where sensitive information is provided without request, the Company may delete it, restrict access to it, or Process it solely to the extent reasonably necessary to respond to the communication, protect a person or the Services, comply with law, or establish, exercise, or defend legal claims.
§ 3.8 Sources
The Company obtains Personal Data: (a) directly from the person concerned, including through registration, study activity, purchases, support communications, and privacy requests; (b) automatically through cookies, local storage, pixels, tags, software development kits, application interfaces, server logs, and comparable technologies; and (c) from third parties, including authentication providers, payment merchants, analytics providers, advertising and marketing partners, referral sources, fraud-prevention services, and parties lawfully authorized to provide the information.
Article IV — Purposes and Legal Bases of Processing
§ 4.1 Provision and Administration of the Services
The Company Processes Account, Identity, Study, Performance, Purchase, Entitlement, Usage, Technical, and Communications Data to establish and authenticate Accounts; furnish the Services; provide Educational Materials; maintain progress and readiness metrics; apply purchased entitlements; administer subscriptions and passes; process transactions, refunds, renewals, and chargebacks; provide support; and communicate concerning service, security, billing, renewal, and administrative matters. Such Processing is undertaken as necessary to perform or take steps toward a contract and, where applicable, in furtherance of the Company’s legitimate interests in administering the Services.
§ 4.2 Analytics, Development, and Improvement
The Company Processes Usage, Technical, Device, Analytics, Study, and Performance Data to measure engagement; understand how the Services are used; identify errors; test features; improve functionality, Content, and user experience; develop products and services; allocate resources; and generate aggregated statistics. The applicable legal basis may be consent, legitimate interests, contractual necessity, or another basis permitted by Applicable Data Protection Law.
§ 4.3 Security, Fraud Prevention, and Proprietary-Content Protection
The Company Processes Account, Usage, Technical, Device, Transaction, and Communications Data to authenticate access; enforce fair-use restrictions; detect Account sharing, credential resale, automated extraction, scraping, bulk downloading, circumvention, payment fraud, abusive chargebacks, unauthorized access, and other prohibited activity; investigate security events; preserve evidence; protect users and systems; and establish, exercise, or defend contractual, intellectual-property, and other legal rights.
Such Processing is undertaken in furtherance of the Company’s legitimate interests in securing the Services, preventing fraud and abuse, protecting its proprietary Content and commercial operations, and enforcing the Terms of Service, except where those interests are overridden by rights and freedoms that require protection under Applicable Data Protection Law.
§ 4.4 Communications and Direct Marketing
The Company Processes Account, Purchase, Communications, and Marketing Data to send transactional, security, billing, renewal, policy, and support communications and, where permitted, promotional messages. Promotional Processing is based upon consent where consent is required and otherwise upon legitimate interests or another lawful basis, in each case subject to applicable rights to object, withdraw consent, or unsubscribe.
§ 4.5 Advertising, Attribution, Sale, and Sharing
The Company Processes and may disclose identifiers, Usage Data, Technical Data, Device Data, Analytics Data, Advertising Data, Marketing Data, approximate location, commercial information, audience classifications, and inferences to conduct campaign measurement, attribution, audience creation, lead generation, personalization, cross-context behavioral advertising, and Targeted Advertising. Depending upon the applicable statutory definition, such disclosure may constitute a Sale or Sharing of Personal Data.
The Company relies upon consent where legally required and otherwise upon legitimate interests or another lawful ground, subject to applicable opt-out rights. Nothing in this Policy shall be construed as consent where Applicable Data Protection Law requires a separate affirmative act.
§ 4.6 Legal Compliance and Protection of Rights
The Company may Process any category of Personal Data reasonably necessary to comply with law, legal process, court orders, regulatory requests, tax and accounting obligations, recordkeeping duties, sanctions or fraud requirements, and breach-notification obligations; to protect the rights, property, safety, systems, users, or public interests of the Company or another person; and to establish, exercise, preserve, or defend legal claims. The applicable legal basis may include legal obligation, legitimate interests, substantial public interest, consent, or another basis permitted by law.
Article V — Automated Processing and Profiling
§ 5.1 Automated Functions
The Company uses automated systems to calculate study statistics and readiness indicators; recommend study activity; detect suspected fraud, abuse, scraping, Account sharing, or circumvention; enforce usage restrictions; measure engagement; create or match advertising audiences; and personalize or evaluate marketing. Such activity may constitute profiling under certain Applicable Data Protection Laws.
§ 5.2 Decisions Producing Significant Effects
The Company does not intend for automated systems to make decisions producing legal or similarly significant effects concerning a person without the safeguards required by law. Where Applicable Data Protection Law affords a right in relation to a qualifying automated decision, the affected person may request information, human review, an opportunity to express a position, or an appeal by using the procedure set forth in Article XII.
Article VI — Recipients and Disclosures
§ 6.1 Service Providers and Operational Recipients
The Company may disclose Personal Data to recipients providing cloud hosting, databases, authentication, backups, infrastructure, payment processing, merchant-of-record services, analytics, product measurement, testing, performance monitoring, artificial-intelligence services, customer support, email and communications, customer-relationship management, cybersecurity, fraud prevention, abuse detection, accounting, audit, banking, insurance, legal services, corporate administration, compliance, and records management.
Each recipient receives only the categories of Personal Data reasonably necessary for the applicable purpose, subject to contractual, statutory, professional, or other legally enforceable restrictions where required.
§ 6.2 Advertising and Marketing Recipients
The Company may disclose, Sell, or Share online, cookie, device, and advertising identifiers; Internet or electronic-network activity; approximate location derived from an Internet Protocol address; referral, attribution, conversion, and advertising-interaction data; commercial information concerning a product, subscription, or pass; and audience classifications, preferences, and inferences to advertising networks, analytics providers, social-media platforms, affiliate and referral partners, audience services, campaign-measurement services, and other marketing partners.
The purposes of such disclosures may include conversion attribution, frequency control, campaign measurement, audience creation, personalization, lead generation, cross-context behavioral advertising, and Targeted Advertising. The Company does not knowingly Sell or Share complete payment-card information, Account passwords, the contents of private support communications, or sensitive Personal Data for Targeted Advertising. The Company does not knowingly Sell or Share Personal Data concerning a person under 18 years of age.
§ 6.3 Legal, Protective, and Enforcement Disclosures
The Company may disclose Personal Data where it reasonably determines that disclosure is necessary or appropriate to comply with a law, regulation, subpoena, court order, legal process, governmental request, or preservation obligation; investigate or enforce the Terms of Service; detect, prevent, investigate, or remedy fraud, scraping, security incidents, abuse, or technical interference; establish, exercise, or defend legal or equitable rights; or protect the rights, property, safety, systems, Content, users, or public interests of the Company or another person.
§ 6.4 Corporate and Financing Transactions
The Company may disclose Personal Data to actual or prospective investors, lenders, insurers, advisers, counterparties, purchasers, and successors in connection with financing, due diligence, restructuring, reorganization, merger, acquisition, sale of assets, insolvency, or another transaction involving ownership or control of all or part of the Company or Services. The recipient shall remain subject to applicable confidentiality and data-protection obligations.
§ 6.5 Disclosures at the Direction of the Individual
The Company may disclose Personal Data to a person designated, authorized, or intentionally engaged by the individual concerned, or otherwise with that individual’s direction or consent.
Article VII — Cookies and Comparable Technologies
§ 7.1 Technologies Employed
The Services use cookies, browser or device storage, pixels, tags, software development kits, application interfaces, and server-side technologies capable of storing information upon, accessing information from, or recognizing a browser, device, session, or Account.
Strictly necessary technologies support authentication, session management, security, fraud prevention, network transmission, load balancing, and functionality required to provide a feature requested by the user. Functional technologies retain preferences and support study or interface functions. Analytics and performance technologies measure traffic, navigation, errors, engagement, and feature usage. Advertising and targeting technologies measure campaigns and conversions, create or match audiences, recognize browsers or devices, personalize marketing, and deliver or facilitate Targeted Advertising.
§ 7.2 Current Operation
Certain analytics, attribution, advertising, or targeting technologies may operate automatically upon loading the Services, and the Services may not provide an in-product control capable of disabling every such technology. Users may restrict technologies through browser settings, privacy extensions, device controls, or legally recognized privacy signals, although doing so may impair functionality or measurement.
The Company’s operational need for analytics does not, by itself, render a technology “strictly necessary” under Applicable Data Protection Law. A privacy policy or continued use does not constitute consent where prior affirmative consent is legally required.
§ 7.3 Opt-Out Preference Signals and Do Not Track
Where Applicable Data Protection Law requires recognition of a legally valid browser-based opt-out preference signal, the signal shall be treated as an opt-out request for the browser or device transmitting it. Because no universally accepted standard exists for browser “Do Not Track” signals, the Services do not respond to such signals unless legally required. This does not affect the treatment of a separately recognized statutory opt-out preference signal.
Article VIII — International Processing and Transfers
The Company and its Service Providers may Process Personal Data in countries other than the country in which the person concerned resides. Laws in those countries may differ from those applicable in the person’s place of residence.
Where Applicable Data Protection Law restricts an international transfer, the Company shall rely upon an applicable adequacy mechanism, contractual safeguards, data-processing agreement, supplemental technical or organizational measures, consent, necessity, or another transfer basis recognized by law. Information concerning applicable safeguards may be requested using the contact details in Article XVII, subject to redaction of confidential or commercially sensitive provisions.
Article IX — Retention, Preservation, and Deletion
§ 9.1 General Retention Standard
The Company retains Personal Data for no longer than reasonably necessary to accomplish the purposes described in this Policy, comply with legal and contractual obligations, maintain appropriate business and security records, resolve disputes, prevent fraud and abuse, enforce the Terms of Service, and establish, exercise, or defend legal claims.
Where a fixed period has not been established, the Company determines retention by reference to the nature, volume, sensitivity, and context of the Personal Data; the purposes of Processing; the risk of harm arising from unauthorized use or disclosure; whether the purpose may be achieved by less intrusive means; applicable statutory or contractual limitation periods; security requirements; and legal, regulatory, tax, accounting, and evidentiary obligations. Retention schedules are subject to periodic review and lawful modification.
§ 9.2 Category-Specific Criteria
Account, entitlement, study, performance, and usage data are ordinarily retained while the Account remains active and for a limited period thereafter to administer closure, allow ordinary backup expiration, resolve disputes, investigate fraud or abuse, administer chargebacks, and preserve legal claims. Terms-acceptance and material-notice records may be retained for the duration of the contractual relationship and the period during which acceptance or notice may reasonably be relevant to a claim or defense.
Purchase references and tax, accounting, refund, and chargeback records are retained for the period required by financial, tax, accounting, anti-fraud, and recordkeeping requirements. Security, rate-limit, and abuse-prevention records are retained for the period reasonably necessary to protect the Services, investigate incidents, enforce restrictions, and prevent repeat misconduct.
Support Chat Data and support-history information are retained for a minimum of twelve (12) months. Following that minimum period, the Company may continue to retain such data for so long as reasonably necessary for support continuity, quality assurance, security, fraud and abuse prevention, dispute resolution, or legal claims, subject to periodic review and applicable deletion rights.
Analytics, attribution, and advertising data are retained in accordance with the applicable technology configuration and for no longer than reasonably necessary for trend analysis, attribution, campaign measurement, audience administration, security, and legal compliance. Marketing-contact data may be retained while marketing remains active. Following an opt-out, the Company may retain a limited suppression record for so long as reasonably necessary to honor and demonstrate compliance with the preference.
§ 9.3 Backups
Backup copies expire, are overwritten, or are rendered inaccessible in accordance with ordinary backup and disaster-recovery cycles. Personal Data may remain in access-restricted backups for a limited period after deletion from active systems. Such data will not be restored except where reasonably necessary for disaster recovery, security, legal preservation, or continuity, and any restored data shall remain subject to the applicable deletion requirement.
§ 9.4 Litigation Holds and Legal Preservation
Notwithstanding an ordinary retention period or deletion request, the Company may preserve Personal Data where reasonably necessary to comply with a legal obligation, court order, regulatory request, preservation duty, investigation, chargeback, fraud inquiry, actual or reasonably anticipated dispute, or the establishment, exercise, or defense of legal claims. Access shall be restricted to the purpose justifying preservation, and the data shall be deleted or anonymized when that purpose expires unless another lawful basis applies.
§ 9.5 Deletion, De-Identification, and Anonymization
Upon expiration of the applicable retention period, Personal Data shall be deleted, de-identified, aggregated, or irreversibly anonymized unless continued retention is lawful and necessary. Information that has been irreversibly anonymized so that it can no longer reasonably identify a person may be retained and used without further notice.
Article X — Security and Incident Response
§ 10.1 Safeguards
The Company maintains administrative, technical, and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, and unauthorized access. Depending upon the nature and risk of the Processing, such measures may include encryption in transit; encryption at rest through managed cloud infrastructure; managed authentication and password-protection controls; access restrictions; logging, monitoring, rate limiting, and abuse detection; backup and recovery procedures; patching and vulnerability-management practices; and periodic review of access and security controls.
§ 10.2 No Absolute Security
No method of transmission, authentication, storage, or security is infallible. Accordingly, the Company does not warrant or guarantee absolute security. Nothing in this Section excludes a duty or liability that cannot lawfully be excluded.
§ 10.3 Personal Data Breaches
The Company shall investigate a suspected Personal Data breach and, where required, notify affected persons, regulators, or competent authorities within the period and in the manner prescribed by Applicable Data Protection Law. The Company may delay or restrict information where disclosure is prohibited, would impede a lawful investigation, or would create a material security risk.
Article XI — Persons Under 18
The Services are intended exclusively for persons who are at least eighteen (18) years of age and legally capable of entering into a binding contract. A person under 18 may not establish an Account, purchase access, or use the Services.
The Company does not knowingly collect Personal Data from a person under 18. If the Company learns that such a person has provided Personal Data or established an Account, the Company may suspend or terminate the Account and delete the Personal Data, subject to lawful preservation requirements. A parent, guardian, or other person who believes that a minor has used the Services should contact the Company promptly.
Article XII — Rights and Requests
§ 12.1 Rights That May Apply
Subject to Applicable Data Protection Law and any lawful exception, an individual may have the right to obtain confirmation of Processing; access Personal Data; obtain a copy; correct inaccurate or incomplete data; request deletion; restrict or object to Processing; receive qualifying data in a structured, commonly used, machine-readable format; request a technically feasible transfer; withdraw consent without affecting prior lawful Processing; opt out of direct marketing, Targeted Advertising, qualifying profiling, and the Sale or Sharing of Personal Data; obtain information concerning categories, sources, purposes, and recipients; request human review of a qualifying automated decision; appeal a refusal to act; and lodge a complaint with a competent privacy or data-protection authority.
§ 12.2 Submission and Verification
A request shall be submitted to support@boardmentor.study with the subject line “Privacy Request.” The requester should identify the Account concerned, describe the right invoked, and provide information reasonably sufficient to locate the relevant records.
The Company may require information reasonably necessary to verify identity, authority, Account control, and entitlement to the requested right. The Company is not required to disclose Personal Data to an unverified person or to take action that would adversely affect another person’s rights, compromise security, reveal privileged or confidential information, interfere with legal obligations, or prejudice an investigation or legal claim.
§ 12.3 Response; Denial; Appeal
The Company shall respond within the period required by Applicable Data Protection Law. Where permitted, that period may be extended based upon complexity, volume, verification, or the number of requests. If a request is denied in whole or in part, the Company shall provide the reason and any available appeal procedure where required. Manifestly unfounded, excessive, repetitive, fraudulent, or abusive requests may be refused or subject to a lawful reasonable charge.
§ 12.4 Authorized Agents
Where permitted by law, an authorized agent may submit a request on behalf of another person. The Company may require evidence of the agent’s authority and may verify the identity and instructions of the person concerned directly.
§ 12.5 Account Deletion
Where account-deletion functionality is available, deletion may be initiated through Account settings. A request may also be submitted by email. Account closure does not require deletion of Personal Data that the Company is entitled or required to preserve under Article IX.
§ 12.6 Opt-Out of Sale, Sharing, and Targeted Advertising
A request to opt out of the Sale or Sharing of Personal Data or its use for Targeted Advertising may be submitted to support@boardmentor.study with the subject line “Privacy Opt-Out.” The requester should identify the Account email and, where relevant, the browsers or devices concerned.
A browser-level opt-out may apply only to the browser or device from which it is transmitted. Clearing browser storage, changing browsers, or using another device may require the preference to be submitted again unless it has been associated with an authenticated Account.
§ 12.7 Direct-Marketing Preferences
A recipient may opt out of promotional email by using the unsubscribe mechanism included in the message or by contacting the Company. The Company may continue to send non-promotional communications concerning Accounts, purchases, renewals, security, legal notices, support, or administration of the Services.
§ 12.8 Non-Discrimination
The Company shall not unlawfully discriminate or retaliate against a person for exercising a privacy right. Where permitted by law, the Company may offer a different price, rate, level, or benefit if reasonably related to the value of the relevant data or furnished under a lawfully disclosed financial-incentive, loyalty, or rewards program.
Article XIII — Communications
The Company may send transactional, administrative, security, billing, renewal, support, policy, and legal communications necessary to operate the Services or administer the contractual relationship. Promotional communications may be sent where permitted by law. Consent to promotional communications is not a condition of purchase unless the communication is itself the requested service.
The Company shall honor a valid direct-marketing objection, withdrawal, or unsubscribe request. A limited suppression record may be retained to ensure continuing compliance with the preference.
Article XIV — Changes to this Policy
The Company may amend this Policy to reflect changes in the Services, technology, Processing, business operations, or legal requirements. Each revised edition shall state an effective date or version identifier.
Where a change is material, the Company may provide notice through the Services, by email, or by another reasonably prominent method. Continued use after the effective date constitutes acknowledgment of the revised notice but does not constitute consent where Applicable Data Protection Law requires an affirmative act. Where a change requires renewed contractual acceptance or consent, the Company may obtain it through the applicable Account, sign-in, purchase, or consent mechanism.
Article XV — Preservation of Mandatory Rights
If a provision of this Policy is held invalid, unlawful, or unenforceable, it shall be interpreted or modified only to the minimum extent necessary to make it lawful and enforceable, and the remaining provisions shall continue in effect.
No provision of this Policy limits, excludes, or waives a right, remedy, obligation, or protection that cannot lawfully be limited, excluded, or waived. A failure or delay in addressing a matter does not constitute a waiver of any right or obligation.
Article XVI — Language
This Policy is drafted in English. A translation is provided for convenience unless Applicable Data Protection Law requires otherwise. To the extent permitted by law, the English version controls in the event of inconsistency.
Article XVII — Contact Information
Questions, complaints, objections, requests, and other communications concerning this Policy or the Company’s Processing practices may be directed to:
Boardmentor LTD
Attn: Privacy Compliance
Email: support@boardmentor.study
Website: https://cismexam.com
* * *
© 2026 Boardmentor LTD, d/b/a CISM Prep (cismexam.com). All Rights Reserved.
Return to CISM Exam Prep