
Privacy Policy

Effective date: April 17, 2026 · Data controller: Complai Ltd · privacy@mycomplai.com

1. Who We Are

Complai Ltd (“Complai”, “we”, “us”) operates the compliance automation platform available at https://app.mycomplai.com. We are the data controller for personal data collected through our service. For GDPR purposes, our lawful basis for processing is contract performance (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)).

2. Data We Collect

Account data: Name, work email address, company name, and password (hashed — we never see it in plain text).

Assessment data: Company size, industry, compliance framework target, and your yes/no/partial answers to security control questions.

Integration data: OAuth tokens and API credentials you voluntarily provide to connect GitHub, AWS, Okta, Google Workspace, and Slack. We use these only to pull security evidence on your behalf.

Usage data: Pages visited, features used, and session duration — collected via privacy-first analytics. We do not use Google Analytics.

Payment data: Handled entirely by Stripe. We store only your Stripe customer ID and subscription status — never card numbers.

3. How We Use Your Data

  • To provide and improve the Complai platform
  • To generate your compliance gap report, policies, and evidence
  • To send transactional emails (report delivery, team invitations, onboarding)
  • To send optional product update and tip emails (you can unsubscribe at any time)
  • To process payments via Stripe
  • To detect and prevent fraud and abuse

We do not sell your data, share it with advertisers, or use it to train AI models without your explicit consent.

4. Data Sharing

We share personal data only with the following sub-processors, each bound by GDPR-compliant Data Processing Agreements:

Sub-processor | Purpose                        | Location
------------- | ------------------------------ | ----------
Clerk         | Authentication & identity      | USA (SCCs)
Supabase      | Database & storage             | USA (SCCs)
Stripe        | Payment processing             | USA (SCCs)
Resend        | Transactional email            | USA (SCCs)
Vercel        | Hosting & CDN                  | USA (SCCs)
Airtable      | Internal CRM (lead data only)  | USA (SCCs)

5. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we will erase your personal data within 30 days, except where we are required to retain it for legal or tax purposes (typically 7 years for financial records). Assessment data and generated documents are deleted with your account. Integration credentials are deleted immediately upon disconnection.

6. Your Rights (GDPR / UK GDPR)

If you are in the UK or EEA, you have the right to:

  • Access — request a copy of all personal data we hold about you
  • Rectification — correct inaccurate data
  • Erasure — “right to be forgotten” — delete your account and all data
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing based on legitimate interests
  • Restriction — request we limit how we process your data

To exercise any right, email privacy@mycomplai.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority (UK: ICO at ico.org.uk).

7. Cookies

We use only strictly necessary cookies for authentication (set by Clerk). We do not use advertising or tracking cookies. Our analytics are cookieless and privacy-first. You can block all cookies in your browser without affecting core functionality.

8. Security

We protect your data with TLS 1.3 in transit and AES-256 at rest. Access to production systems is restricted, MFA-enforced, and audited. We run regular vulnerability scans and penetration tests. Despite these measures, no system is 100% secure — please use a strong, unique password and enable MFA on your account.

9. Children

Complai is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have done so, contact us at privacy@mycomplai.com and we will delete the data immediately.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you by email at least 14 days before material changes take effect. The current version is always available at https://app.mycomplai.com/privacy.

11. Contact

Data controller: Complai Ltd
Privacy enquiries: privacy@mycomplai.com
We aim to respond to all privacy requests within 5 business days.
