ComplyEdge ComplyEdge
Home Terms Get Started

Legal · v0.1

Privacy Policy

Effective date: 11 July 2026 · Last updated: 11 July 2026

Draft for counsel review. This Policy describes current ComplyEdge data practices. Controller/operator entity details may be updated after formal legal review (M1.6 review gate).

1. Who we are

ComplyEdge (“we”, “us”) operates the Service at complyedge.io, api.complyedge.io, dashboard.complyedge.io, trust.complyedge.io, and related properties. For privacy requests contact privacy@complyedge.io (or support@complyedge.io).

Depending on the processing activity, we act as an independent controller (account administration, website analytics, billing) or as a processor (evaluating content you submit through the API on your instructions). Processor terms may be set out in a Data Processing Agreement for enterprise customers.

2. What we collect

Account and authentication

  • Email address
  • One-time passcodes and related auth metadata (delivery status, timestamps)
  • Tenant / organization identifiers and plan tier
  • API keys (stored hashed/secret-managed; shown in full only at creation where applicable)

Service usage

  • API request metadata: timestamps, endpoint, jurisdiction/rules selection, latency, decision outcome, rule IDs, citations
  • Evaluated text as SHA-256 text_hash only in standard production audit logs — we do not persist raw prompts/outputs in those logs unless a separate written agreement says otherwise
  • Dashboard activity needed to operate the product

Website and communications

  • Lead-form fields you submit (e.g. email, company, message)
  • First-party analytics events (page views / funnel steps) without intentional PII in event payloads
  • Support emails you send us

Billing (paid plans)

  • Payment and invoicing data processed by our payment provider (we do not store full card numbers)

3. Why we process data

  • Provide, secure, and improve the Service
  • Authenticate users and prevent abuse
  • Produce tamper-evident compliance audit trails you request
  • Communicate service notices and respond to support
  • Meet legal obligations and enforce our Terms

Where GDPR applies, legal bases include contract performance, legitimate interests (security, product improvement, B2B communications with opt-out), consent where required, and legal obligation.

4. Retention

  • Audit events: default 180 days (aligned with deployer log-keeping expectations under the EU AI Act Art 26(6) “at least six months” floor, unless you configure otherwise under an eligible plan).
  • Account data: for the life of the account plus a short wind-down period after deletion/closure.
  • Auth OTP codes: short-lived; expired codes are discarded.
  • Backups: limited rolling windows, then overwritten.

5. Sharing and subprocessors

We do not sell personal data. We use infrastructure and vendors to run the Service, including:

  • Amazon Web Services (AWS) — hosting, storage, compute (primary region: us-west-2)
  • Brevo — transactional email (OTP / notices)
  • Stripe — payment processing for paid plans (when enabled)
  • GitHub — if you connect repositories or consume public OSS distribution

Vendors process data under contract and only on our instructions (or as independent controllers for their own console accounts, e.g. if you pay Stripe directly).

6. International transfers

Infrastructure may process data in the United States and other countries where our vendors operate. Where required, we use appropriate safeguards (e.g. Standard Contractual Clauses) for transfers from the EEA/UK.

7. Security

We use industry-standard controls appropriate to a cloud API product (TLS in transit, access controls, secret management, auditability). No method of transmission or storage is perfectly secure; please protect your API keys.

8. Your rights

Depending on your location, you may have rights to access, correct, delete, restrict, or port personal data, and to object to certain processing or withdraw consent. Contact privacy@complyedge.io. You may also lodge a complaint with your local supervisory authority.

If we process data as your processor, we will assist you in responding to data-subject requests as required by your DPA and applicable law.

9. Cookies and similar technologies

We use cookies or local storage as needed for authentication/session continuity on the dashboard, and limited first-party analytics on marketing pages. We do not use advertising trackers for cross-site ad retargeting on the core product pages covered by this Policy.

10. Children

The Service is built for professional / organizational use and is not directed to children under 16. We do not knowingly collect their personal data.

11. Changes

We may update this Policy. Material changes will be posted with a new “Last updated” date. Continued use after the effective date constitutes acceptance where permitted by law.

12. Related terms

Use of the Service is also subject to our Terms of Service. Where we act as your processor, see the Data Processing Agreement.

ComplyEdge ComplyEdge
GitHub Blog Terms Privacy DPA SaaS Contact

Disclaimer: ComplyEdge provides compliance tooling, not legal advice. Always consult legal counsel for specific regulatory requirements.