1. Introduction
Welcome to ComplianceKit. We are committed to protecting your personal data and respecting your privacy rights in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
This Privacy Policy explains how ComplianceKit ("we", "us", or "our") collects, uses, shares, and protects your personal information when you use our GDPR compliance platform and services.
Controller: ComplianceKit is the data controller responsible for your personal data.
2. Data We Collect
2.1 Information You Provide
- Account Information: Name, email address, password (stored only as a salted hash, never in plaintext), company name
- Website Information: Website URLs, company details for policy generation (company address, DPO contact information)
- Payment Information: Billing details processed through Paddle (we do not store credit card numbers)
- Communication: Messages you send us through support or contact forms
2.2 Information We Collect Automatically
- Usage Data: Pages visited, features used, time spent, interaction data
- Device Information: IP address, browser type, device type, operating system
- Cookies: Authentication cookies, preference cookies (see Cookie Policy)
- Log Data: Access times, error logs, security events
2.3 Information from Third Parties
- OAuth Providers: If you sign in with Google, we receive your name, email, and profile picture
- Payment Processor: Paddle provides transaction confirmation and payment status
3. How We Use Your Data
We process your personal data for the following purposes:
3.1 Service Provision (Legal Basis: Contract)
- Create and manage your account
- Provide access to our GDPR compliance tools
- Scan websites for cookies and tracking scripts
- Generate privacy policies and cookie policies
- Process and manage DSAR (Data Subject Access Requests)
- Display compliance analytics and reports
3.2 Billing & Payments (Legal Basis: Contract)
- Process subscription payments
- Generate invoices
- Manage billing inquiries and refunds
3.3 Communication (Legal Basis: Contract & Legitimate Interest)
- Send service-related notifications (downtime, updates, security alerts)
- Respond to support requests
- Send important account information
3.4 Improvement & Analytics (Legal Basis: Legitimate Interest)
- Analyze platform usage to improve features
- Monitor system performance and errors
- Conduct internal research and development
3.5 Security (Legal Basis: Legitimate Interest & Legal Obligation)
- Prevent fraud and unauthorized access
- Detect and respond to security incidents
- Enforce our Terms of Service
- Comply with legal requirements
3.6 Marketing (Legal Basis: Consent)
- Send promotional emails about new features (only with your consent)
- You can opt-out at any time
4. Data Sharing & Disclosure
We do not sell your personal data. We only share your data in these circumstances:
4.1 Service Providers
- Hosting: Railway - Application hosting
- Database: Supabase/PostgreSQL - Data storage
- Payment Processing: Paddle (South Africa) - Payment transactions
- Authentication: Google OAuth (if you use Google sign-in)
- Email: Resend - Transactional emails
All service providers are contractually required to protect your data and only use it for specified purposes.
4.2 Legal Requirements
We may disclose your data if required by law, court order, or government request.
4.3 Business Transfers
If ComplianceKit is involved in a merger, acquisition, or sale, your data may be transferred. You will be notified of any such change.
5. Data Retention
We retain your personal data for as long as necessary to provide our services and comply with legal obligations:
- Account Data: Retained while your account is active, plus 30 days after deletion
- Website Scan Data: Retained for 12 months or until you delete it
- DSAR Records: Retained for 3 years (legal requirement)
- Billing Records: Retained for 7 years (tax/legal requirement)
- Security Logs: Retained for 90 days
- Backup Data: Permanently deleted within 90 days after account deletion
6. Your Rights Under GDPR
You have the following rights regarding your personal data:
6.1 Right of Access
You can request a copy of all personal data we hold about you.
6.2 Right to Rectification
You can update or correct your personal data at any time through your account settings.
6.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your account and all associated data. Use the account deletion feature in your settings.
6.4 Right to Data Portability
You can export all your data in a machine-readable format (JSON) at any time.
6.5 Right to Restriction of Processing
You can request that we stop processing your data in certain circumstances.
6.6 Right to Object
You can object to processing based on legitimate interests or direct marketing.
6.7 Right to Withdraw Consent
Where processing is based on consent, you can withdraw consent at any time.
6.8 Right to Lodge a Complaint
You have the right to lodge a complaint with your local data protection authority.
How to Exercise Your Rights:
- Data Export: Dashboard → Settings → Export My Data
- Account Deletion: Dashboard → Settings → Delete Account
- Other Requests: Contact us at privacy@compliancekit.tech
We will respond to all requests without undue delay and at the latest within one month of receipt, as required by GDPR Article 12(3).
7. Data Security
We implement industry-standard security measures to protect your data:
- Encryption: All data is encrypted in transit (TLS) and at rest
- Password Security: Passwords are hashed with bcrypt, which applies a unique per-password salt
- Access Control: Strict authentication and authorization mechanisms
- Security Monitoring: Continuous monitoring for suspicious activity
- Regular Audits: Periodic security assessments and updates
- Account Lockout: Protection against brute force attacks
- Rate Limiting: Limits request volume per client to mitigate abuse and application-layer denial-of-service attempts
See our Security Documentation for more details.
8. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States (Railway hosting).
We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Service providers certified under the EU-US Data Privacy Framework (where applicable)
- Additional security measures beyond legal requirements
9. Cookies
We use cookies to provide and improve our services. For detailed information about the cookies we use, please see our Cookie Policy.
Essential Cookies: Required for authentication and security (cannot be disabled)
Optional Cookies: Analytics and preferences (you can manage these in cookie settings)
10. Children's Privacy
ComplianceKit is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by:
- Updating the "Last Updated" date at the top of this policy
- Sending an email notification for material changes
- Displaying a prominent notice on our platform
Your continued use of ComplianceKit after changes become effective constitutes acceptance of the updated policy.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
Email: privacy@compliancekit.tech
Data Protection Officer: dpo@compliancekit.tech
Address: [Your Company Address]
We will respond to all inquiries within one month.
13. Data Processing Agreement
If you are a ComplianceKit customer and we process personal data on your behalf (as a data processor), a Data Processing Agreement (DPA) is available. Please contact us to execute a DPA.
This Privacy Policy is intended to meet the requirements of the GDPR (Regulation (EU) 2016/679) and other applicable data protection laws.