Privacy Policy

We are committed to protecting your data and being transparent about how we handle it. This policy explains exactly what we collect, why, and your rights under GDPR.

Last updated: March 2026 · Effective date: March 2026 · Jurisdiction: European Union

Overview

ComplianceOS ("we", "us", "our") operates the ComplianceOS platform, an EU AI Act compliance automation service. This Privacy Policy applies to all users of our website, application, and APIs. We act as a data controller under the General Data Protection Regulation (GDPR) for data you provide to us, and as a data processor when handling data about your AI systems on your behalf.

We collect the minimum data necessary to provide our services. We do not sell your personal data to third parties. All data is stored on EU-based infrastructure.

1. Data We Collect

Account Data

  • Full name and email address
  • Organisation name and size
  • Password (stored as a bcrypt hash, never in plaintext)
  • Billing address and VAT number (if applicable)

AI System Data

  • Names, descriptions, and use-case details of your AI systems
  • Risk classification inputs and results
  • Compliance assessment responses and compliance scores
  • Documents and files you upload or generate

Usage & Technical Data

  • IP address, browser type, and device identifiers
  • Pages visited, features used, and session duration
  • API request logs (retained for 30 days)
  • Error reports and crash diagnostics

Payment Data

  • Payment data is handled exclusively by Stripe. We store only your subscription status, plan tier, and the last four digits of your card. We never store full card numbers or CVVs.

3. How We Use Your Data

  • To provide, operate, and improve the ComplianceOS platform
  • To generate compliance documents and compliance assessment reports on your behalf
  • To process payments and manage your subscription
  • To send account-related notifications (security alerts, invoices, product updates)
  • To detect, prevent, and respond to fraud, abuse, or security incidents
  • To analyse aggregate usage patterns and improve our product (anonymised where possible)
  • To comply with legal obligations, including tax and regulatory requirements

We never use your data to train AI models. Your AI system data and generated documents are yours.

4. Data Storage & Security

All data is hosted on EU-based infrastructure via Supabase (AWS eu-central-1, Frankfurt). We implement the following security controls:

  • Encryption at rest: AES-256 encryption for all stored data
  • Encryption in transit: TLS 1.2+ for all API and web traffic
  • Row-level security: database policies ensuring users can only access their own data
  • Authentication tokens: short-lived JWTs with secure refresh token rotation
  • Access controls: principle of least privilege for all internal systems
  • Security audits: regular penetration testing and vulnerability assessments

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, as required by GDPR Art. 33, and affected users without undue delay, as required by GDPR Art. 34.
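To illustrate the row-level security control listed above, here is an added example of the kind of PostgreSQL policy set Supabase supports. This is not ComplianceOS's actual policy definition: the `ai_systems` table and its `owner_id` column are assumed for the example, and `auth.uid()` is the Supabase helper that returns the caller's user ID from the verified JWT.

```sql
-- Added illustration: per-user row-level security on a hypothetical
-- ai_systems table. Table and column names are assumed for the example.
-- auth.uid() is Supabase's helper returning the UUID of the authenticated caller.
create table if not exists ai_systems (
  id          uuid primary key default gen_random_uuid(),
  owner_id    uuid not null,
  name        text not null,
  description text
);

-- Without RLS, any database role granted SELECT on the table sees every row.
alter table ai_systems enable row level security;
-- Apply the policies to the table owner as well, so no role quietly bypasses them.
alter table ai_systems force row level security;

-- Read: a user sees only rows whose owner_id matches the user ID in their token.
create policy ai_systems_select_own on ai_systems
  for select
  using (owner_id = auth.uid());

-- Insert: the new row must belong to the caller. This rejects a request body
-- that supplies another user's owner_id, even though the caller is authenticated.
create policy ai_systems_insert_own on ai_systems
  for insert
  with check (owner_id = auth.uid());

-- Update: USING restricts which rows may be touched, WITH CHECK stops the caller
-- reassigning a row to a different owner as part of the update.
create policy ai_systems_update_own on ai_systems
  for update
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- Delete: only the owner's own rows.
create policy ai_systems_delete_own on ai_systems
  for delete
  using (owner_id = auth.uid());

-- Check: run the same query as two different authenticated users and confirm
-- each result set contains only that user's rows.
-- select id, name from ai_systems;
```

One caveat worth checking in any Supabase deployment: RLS is enforced only when queries reach the database under the caller's own JWT. The project's service-role key bypasses row-level security entirely, so it must stay on the server side and never be shipped to a browser or mobile client.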

5. Third-Party Services & Sub-processors

We engage the following sub-processors. All are bound by data processing agreements and, where applicable, Standard Contractual Clauses (SCCs) for international transfers.

Processor                     Purpose                                       Location
Supabase (AWS eu-central-1)   Database, authentication, file storage        EU (Frankfurt)
Anthropic                     AI assistant & document generation            USA (SCCs applied)
OpenAI                        AI-powered risk classification & analysis     USA (SCCs applied)
Stripe                        Payment processing & invoicing                USA (SCCs applied)
Resend                        Transactional email delivery                  USA (SCCs applied)
Vercel                        Web hosting & edge delivery                   USA/EU (SCCs applied)

None of these providers use your data to train their AI models. We have data processing agreements in place with each sub-processor.

6. Cookies & Tracking

We use a minimal set of cookies: those strictly necessary to operate the platform, plus one privacy-first analytics cookie. We do not use advertising or third-party tracking cookies.

  • session (Essential): Maintains your authenticated session. Required for the platform to function.
  • sb-auth-token (Essential): Supabase authentication token. Required for secure login.
  • _vercel_analytics (Analytics): Privacy-first, anonymised analytics to understand page performance. No personal data.

7. International Data Transfers

Some of our sub-processors are based outside the European Economic Area (EEA), primarily in the United States. Wherever data is transferred outside the EEA, we ensure an adequate level of protection through one or more of the following safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission
  • Supplementary technical measures (encryption, pseudonymisation)

Your core account and AI system data are stored in Supabase's EU Frankfurt (eu-central-1) region and are not stored outside the EEA. However, AI processing via Anthropic and OpenAI involves transferring the data submitted for that processing to the USA, covered by SCCs.

8. Your Rights Under GDPR

As a data subject in the EEA, you have the following rights. To exercise any of them, contact us at founder@aiactsolutions.com. We will respond within one month, in line with GDPR Art. 12(3).

  • Right of access (Art. 15): Request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): Correct inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to restriction (Art. 18): Restrict processing of your data in certain circumstances.
  • Right to portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interest or for direct marketing.
  • Right to withdraw consent: Withdraw consent at any time without affecting prior processing.
  • Right to lodge a complaint: File a complaint with your local supervisory authority (e.g. your national DPA).

9. Data Retention

Data                        Retention period             Notes
Account & AI system data    Duration of active account   Permanently deleted within 30 days of account deletion
Billing records             7 years                      Required by EU tax and financial regulations
API access logs             30 days                      Retained for security monitoring and debugging
Anonymised analytics        Indefinite                   Cannot be attributed to individuals; used for product improvement
Support correspondence      3 years                      Retained to resolve recurring issues and improve support quality

10. Children's Privacy

ComplianceOS is a B2B service intended for organisations and professionals aged 18 and over. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us immediately at founder@aiactsolutions.com and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address on your account) and/or display a prominent notice in the application at least 14 days before the change takes effect. Continued use of the platform after that date constitutes acceptance of the revised policy.

Minor updates (e.g. fixing typos, clarifying existing practices) will be reflected in the "Last updated" date at the top of this page without individual notification.

12. Contact & Data Protection Officer

For any privacy-related questions, requests, or complaints, please contact our Data Protection Officer (DPO):

Email: founder@aiactsolutions.com

Company: ComplianceOS

You also have the right to lodge a complaint with your local data protection supervisory authority. In the EU, you can find your national DPA at edpb.europa.eu/about-edpb/board/members_en.