Privacy Policy

Last updated: April 1, 2026

1. Introduction

CMO Group ("CMO ALTO", "we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect information when you use the CMO ALTO platform ("Service").

CMO ALTO is an enterprise business management platform operated by CMO Group, registered in Mauritius. By using our Service, you agree to the collection and use of information in accordance with this policy.

2. Data We Collect

2.1 Information You Provide

  • Account information: name, email address, job title, phone number
  • Organization details: company name, industry, size, address
  • Employee data: as entered by your organization's administrators
  • Financial records: invoices, expenses, payroll data as entered by authorized users
  • Communications: messages sent through the platform chat system

2.2 Automatically Collected Data

  • Device information: browser type, operating system, screen resolution
  • Usage data: pages visited, features used, session duration
  • IP address and approximate location (for security and audit purposes)
  • Authentication logs: login times, session tokens (hashed)

3. How We Use Your Data

  • Provide, operate, and maintain the CMO ALTO platform
  • Authenticate users and enforce access controls
  • Process payroll, leave, attendance, and HR workflows
  • Generate financial reports and business analytics
  • Send system notifications and security alerts
  • Improve platform performance and user experience
  • Comply with legal obligations and regulatory requirements

4. Data Isolation & Multi-Tenancy

CMO ALTO employs strict multi-tenant data isolation. Each organization's data is separated at the database level using Row-Level Security (RLS) with unique organization identifiers. This ensures:

  • No organization can access another organization's data
  • Branch-level isolation prevents unauthorized cross-branch data access
  • Department-level access controls limit visibility to authorized personnel only
  • All database queries are automatically filtered by organization context

5. Security Measures

We implement bank-grade security measures to protect your data:

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Password Security: Passwords are hashed using PBKDF2 with 310,000 iterations and unique salts
  • Authentication: JWT-based authentication with automatic token rotation
  • Rate Limiting: API rate limiting to prevent abuse and brute-force attacks
  • Security Headers: OWASP-recommended HTTP security headers on all responses
  • Audit Logging: Comprehensive audit trails for all data access and modifications
  • Infrastructure: Hosted on AWS with SOC 2 and ISO 27001 certified data centers

6. Data Retention

We retain your data for as long as your organization maintains an active subscription. Upon account termination:

  • Active data is retained for 30 days to allow for re-activation
  • After 30 days, data is archived for an additional 90 days
  • After the archive period, all data is permanently and irreversibly deleted
  • Audit logs may be retained for up to 7 years for compliance purposes

7. Your Rights

Depending on your jurisdiction (GDPR, PDPA, or other applicable laws), you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your personal data
  • Portability: Receive your data in a machine-readable format
  • Restriction: Limit how we process your data
  • Objection: Object to certain types of data processing

To exercise any of these rights, contact us at privacy@cmogroup-alto.io.

8. International Compliance

CMO ALTO is designed to comply with major data protection regulations:

  • GDPR (EU General Data Protection Regulation)
  • PDPA (Thailand Personal Data Protection Act)
  • Data Protection Act 2017 (Mauritius)
  • ISO 27001 (Information Security Management)

9. Third-Party Services

CMO ALTO uses the following third-party services to operate:

  • Amazon Web Services (AWS): Cloud hosting and database services
  • Stripe: Payment processing (we never store your credit card details)

Each third-party provider is contractually obligated to protect your data in accordance with applicable laws.

10. Cookies

CMO ALTO uses only essential cookies, for authentication and session management. We do not use advertising or tracking cookies. Essential cookies include:

  • Session tokens for authentication
  • Language preference
  • UI preferences (e.g., sidebar state)

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify all registered users via email and in-app notification at least 30 days before any material changes take effect.

12. Contact Us

For privacy-related inquiries or to exercise your data rights:

CMO Group - Data Protection Office

Email: privacy@cmogroup-alto.io

Address: Port Louis, Mauritius

We will respond to all legitimate requests within 30 days.