Privacy Policy
Last updated: May 30, 2026
1. Introduction
Complyy ("we", "us", or "our") operates a compliance monitoring platform that tests websites for adherence to privacy laws and other regulations. This Privacy Policy explains how we collect, use, disclose, and protect information when you visit our website at complyy.io (the "Site") or purchase a compliance report.
By using the Site, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Site.
2. Information We Collect
Information you provide directly:
- Email address and account credentials when you sign up via Clerk authentication.
- Payment information (processed by our payment provider / Merchant of Record — we never store card or financial details).
- Domain names you submit for scanning.
- Any correspondence you send us.
Information collected automatically:
- Log data including IP address, browser type, pages visited, and timestamps.
- Cookies and similar tracking technologies (see Section 7).
- Usage analytics to understand how the Site is used.
3. How We Use Your Information
- To provide, operate, and improve the Site and our services.
- To process payments and deliver purchased compliance reports.
- To authenticate your identity and protect against fraud.
- To send transactional emails (report delivery, receipts).
- To communicate service updates and, where permitted, marketing communications.
- To comply with legal obligations.
We do not sell your personal data to third parties. We do not use your data for automated profiling that produces legal or similarly significant effects.
4. Synthetic Identities and Testing Data
Our platform creates and uses synthetic (fictitious) user identities to perform automated compliance tests on third-party websites. These identities are not real persons and are used solely to evaluate whether a website complies with applicable privacy regulations.
Data generated during testing — such as registration confirmations, opt-out responses, and email interactions received by synthetic identities, together with scan results, compliance scores, regulatory mappings, and evidence artefacts — is collected and stored as evidence. This data ("Platform Data") belongs to Complyy and is used to generate the compliance reports and access products we sell.
Subscribers receive a licence to access Platform Data through our interface for the duration of their subscription and within the limits of their plan. Cancellation, downgrade, non-payment, or termination ends that access licence. We are not obligated to export, deliver, or otherwise transfer Platform Data to a customer upon cancellation or termination, and Platform Data may continue to be retained, processed, used by us, and exposed through our public Compliance Directory or other products. See Section 8 of our Terms of Service for further detail. This treatment does not apply to your own personal account data (e.g., email address, payment details) — your rights regarding that data are set out in Section 9 below.
If you represent a website being tested and wish to enquire about testing data held about your website, contact us at [email protected].
5. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:
- Contract: Processing necessary to fulfill a purchase or service agreement.
- Legitimate interests: Fraud prevention, security, and improving our services.
- Legal obligation: Compliance with applicable laws.
- Consent: For optional marketing communications, which you may withdraw at any time.
6. Data Sharing and Disclosure
We may share your information with:
- Service providers: Clerk (authentication), our payment provider(s) / Merchant of Record (billing and payment processing), Neon (database hosting), AWS S3 (file storage), and Upstash (queue/cache). Each provider is bound by data processing agreements.
- AI processors: OpenAI (OpenAI, L.L.C.) and Google (Google LLC, via the Gemini API) are used to classify compliance test results and analyse inbound email responses to compliance requests. These providers may process personal data incidentally included in page content or email bodies. Both providers operate under standard contractual clauses and applicable data processing agreements.
- Web crawling and browser automation: Firecrawl (Mendable Inc.) is used to fetch and extract the text content of publicly accessible web pages (such as privacy policies and legal notices) for automated compliance analysis. Browserbase, Inc. provides cloud-hosted browser infrastructure that we use to simulate human browsing of third-party websites for the same compliance testing purposes. Both services access only publicly available web pages and operate under data processing agreements. Personal data appearing incidentally in crawled page content may be transmitted to and processed by these providers.
- Law enforcement: When required by law, court order, or governmental authority.
- Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction.
We do not share personal data with advertisers or data brokers.
7. Cookies
We use strictly necessary cookies for authentication sessions and security. We may use analytics cookies to understand Site usage. You can control non-essential cookies through your browser settings or the cookie banner on first visit.
We do not use third-party advertising cookies or fingerprinting technologies.
8. Data Retention
We retain personal account data for as long as your account is active. If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it by law (e.g., financial records for 7 years).
Compliance report data and testing evidence are retained for a minimum of 3 years to preserve their evidentiary value.
9. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of personal data we hold about you.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Portability: Receive your data in a structured, machine-readable format.
- Objection / Restriction: Object to or restrict certain types of processing.
- Withdraw consent: At any time, for processing based on consent.
To exercise any of these rights, email us at [email protected]. We will respond within 30 days. EEA residents have the right to lodge a complaint with their local supervisory authority.
10. California Privacy Rights (CCPA / CPRA)
California residents have the right to know what personal information we collect, to request deletion, and to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at [email protected].
11. Children's Privacy
The Site is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12. Security
We implement industry-standard security measures including encryption in transit (TLS), encryption at rest, access controls, and regular security reviews. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
13. International Data Transfers
Your data may be processed in countries outside your own, including the United States. Where we transfer EEA personal data internationally, we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. Continued use of the Site after changes constitutes your acceptance of the revised policy.
15. Contact Us
For privacy-related questions, requests, or complaints, contact our Data Protection contact at:
Complyy
Email: [email protected]