Legal

Privacy Policy

Effective date: March 2026 Company: Complai

Contents

Information We Collect
How We Use Your Information
Data Storage and Security
Third-Party Services
Data Retention
Your Rights (GDPR)
Cookies and Tracking
International Data Transfers
Children's Privacy
Changes to this Policy
Contact and Data Controller

Your privacy matters to us. This policy explains what data we collect, why we collect it, and how we protect it. We are committed to being transparent about our data practices and honouring your rights under applicable privacy laws, including the UK GDPR and EU GDPR.

01 Information We Collect

We collect information in three ways: directly from you when you use our Service, automatically as you interact with our platform, and from third-party services you connect to your account.

Information you provide directly:

Identity and contact information: Your name and business email address, collected when you begin an assessment or create an account;
Company information: Your company or organisation name, approximate team size, and the industry or sector you operate in;
Assessment responses: Your answers to compliance control questions covering topics such as access management, data handling, incident response, vendor management, and security policies;
Technology stack information: Details of the software tools, cloud services, and platforms your organisation uses (e.g., AWS, Google Workspace, GitHub, Slack);
Payment information: Billing details collected and processed by Stripe on our behalf. We do not store your full card number or CVV on our servers.

Information collected automatically:

Usage data: Pages visited, features accessed, assessment progress, report downloads, timestamps, and session duration;
Technical data: IP address, browser type and version, operating system, device type, and referring URL;
Log data: Server-side logs including API requests, error events, and system diagnostics necessary for operating and securing the platform.

We do not collect sensitive personal data as defined under GDPR (such as health data, racial or ethnic origin, political opinions, or biometric data) and request that you do not submit such data through the Service.

02 How We Use Your Information

We use the information we collect only for the purposes described below. We rely on different legal bases under GDPR depending on the nature of the processing:

Service delivery (Contract): To process your assessment responses, generate AI-powered compliance gap reports and policy documents, and deliver them to you via our dashboard and by email;
Communications (Contract / Legitimate Interests): To send you your completed reports, account confirmation emails, subscription receipts, and important service notifications via our email delivery provider, Resend;
Payment processing (Contract): To manage your subscription, process payments, and handle billing-related communications through Stripe;
Service improvement (Legitimate Interests): To analyse usage patterns, identify errors, and improve the accuracy, quality, and breadth of our AI-generated outputs. Where used for this purpose, data is aggregated or anonymised where practicable;
Security and fraud prevention (Legitimate Interests / Legal Obligation): To monitor for and prevent fraudulent activity, abuse, and security incidents;
Legal compliance (Legal Obligation): To comply with applicable laws, respond to lawful requests from public authorities, and enforce our Terms of Service.

We will never sell your personal data to third parties, use it for behavioural advertising, or share it with third parties for their own independent marketing purposes.

03 Data Storage and Security

Your data is stored in Supabase, a managed database platform. Supabase stores data in data centres located in the European Union (EU) and/or the United States, depending on the region selected for your project. We have configured our Supabase instance to prioritise EU-based storage where possible to support GDPR compliance.

We implement appropriate technical and organisational security measures to protect your personal data, including:

Encryption of data in transit using TLS 1.2 or higher;
Encryption of data at rest using AES-256;
Access controls restricting database access to authorised personnel only;
Regular review of security configurations and third-party sub-processor agreements;
Logical separation of customer data within our database architecture.

While we take reasonable steps to protect your data, no system is completely secure. You should use a strong, unique password for your account and contact us immediately at hello@mycomplai.com if you suspect any unauthorised access.

04 Third-Party Services

We use a small number of carefully selected third-party services to operate the Complai platform. Each sub-processor is engaged under a data processing agreement where required by GDPR.

Provider	Purpose	Data Shared	Privacy Policy
Anthropic (Claude API)	AI report and policy generation. Your assessment responses and company context are sent to the Claude API to generate compliance gap reports and policy documents.	Assessment responses, company name, tool descriptions, team size	anthropic.com/legal/privacy
Supabase	Database hosting and authentication. All structured data (user records, assessments, generated reports) is stored in Supabase.	All user and assessment data	supabase.com/privacy
Stripe	Payment processing and subscription management. Stripe handles all card data and billing. We receive only non-sensitive billing metadata.	Name, email, billing address, payment metadata	stripe.com/privacy
Resend	Transactional email delivery. Used to send you your completed reports, account confirmation, and subscription-related communications.	Name, email address, report content	resend.com/legal/privacy-policy
Vercel	Web application hosting and edge delivery. Our platform frontend and serverless API routes are hosted on Vercel's infrastructure.	IP address, request headers, usage logs	vercel.com/legal/privacy-policy

We do not permit these third-party providers to use your personal data for their own independent purposes beyond what is necessary to deliver the services they provide to us.

05 Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, and in accordance with our legal obligations. Our default retention periods are:

Assessment data and generated reports: Retained for 3 years from the date of the assessment. This allows you to access historical reports and enables us to provide continuity of service across reassessments. After this period, assessment data is securely deleted or anonymised.
Account information: Retained for the duration of your active account, plus up to 12 months following account closure, unless a longer period is required by law.
Payment records: Retained for 7 years to comply with financial and tax record-keeping obligations.
Server and audit logs: Retained for up to 90 days for security and debugging purposes, then automatically purged.
Marketing communications preferences: Retained until you unsubscribe or withdraw consent.

Where you exercise your right to erasure (see Section 6), we will delete your data within 30 days of a verified request, except where retention is required by law.

06 Your Rights (GDPR)

If you are located in the United Kingdom or European Economic Area, you have the following rights under UK GDPR and EU GDPR in relation to your personal data:

Right of Access

Request a copy of the personal data we hold about you and information about how we process it.

Right to Rectification

Request correction of any inaccurate or incomplete personal data we hold about you.

Right to Erasure

Request deletion of your personal data where we no longer have a lawful basis for processing it.

Right to Portability

Receive your personal data in a structured, machine-readable format and transfer it to another controller.

Right to Restriction

Request that we restrict the processing of your data in certain circumstances.

Right to Object

Object to processing based on legitimate interests, including objecting to direct marketing at any time.

To exercise any of these rights, please contact us at hello@mycomplai.com with a clear description of your request. We will respond within 30 days of receiving a verified request. We may ask you to verify your identity before processing your request.

If you are unsatisfied with our response, you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk. In the EU, you may contact your local data protection authority.

07 Cookies and Tracking

We use a minimal number of cookies and similar technologies to operate the Service. We do not use tracking cookies, advertising cookies, or third-party behavioural analytics tools.

The cookies we set include:

Session cookies (strictly necessary): Used to maintain your authenticated session and keep you logged in to your account. These are deleted when you close your browser;
Preference cookies (functional): Used to remember your in-app preferences (such as dismissed notifications) to improve usability. These expire after 30 days.

We do not use Google Analytics, Facebook Pixel, or any other third-party tracking or advertising scripts. We do not build profiles about your browsing behaviour across other websites.

You can control cookies through your browser settings. Disabling strictly necessary cookies may prevent the Service from functioning correctly. For more information about managing cookies, visit allaboutcookies.org.

08 International Data Transfers

Some of our third-party service providers (including Anthropic and Stripe) are based in or process data in the United States. Where personal data is transferred outside of the UK or EEA to a country that does not benefit from an adequacy decision, we ensure appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the European Commission or UK ICO, as applicable;
Transfers covered by the EU-US Data Privacy Framework where the recipient is a certified participant.

You may request details of the specific transfer mechanisms we rely on by contacting us at hello@mycomplai.com.

09 Children's Privacy

The Service is designed for use by businesses and professional users. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has submitted personal data through our Service, please contact us at hello@mycomplai.com and we will take prompt steps to delete such information.

10 Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the services we use, or applicable legal requirements. When we make material changes, we will:

Update the effective date at the top of this page;
Notify registered users by email at the address associated with their account.

We encourage you to review this policy periodically. Your continued use of the Service following notification of any changes constitutes your acceptance of the updated policy. If you do not agree with changes to this policy, you should stop using the Service and may request deletion of your data.

11 Contact and Data Controller

Complai is the data controller responsible for your personal data processed through this Service. If you have any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us:

Email: hello@mycomplai.com
Website: mycomplai.com

We aim to respond to all data-related enquiries and rights requests within 30 days. For complex requests, we may extend this period by a further two months, in which case we will notify you of the extension and the reasons for it.

For unresolved complaints, you may escalate to the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint.