Privacy Policy
How Complycheck processes personal data, under the EU General Data Protection Regulation (GDPR) and Cyprus data protection law.
Last updated: TODO: publication date.
1. Who we are
Complycheck is operated by TODO: legal entity name and registration number, a company incorporated in the Republic of Cyprus with registered office at TODO: registered office address (the “Controller” or “we”).
For any privacy-related questions, contact our Data Protection Officer at [email protected].
2. Scope of this policy
This policy describes personal data that Complycheck processes as a Controller — visitors to our marketing site, prospects who contact us, and tenant administrators with whom we have a direct relationship.
For data that customers (“tenants”) upload to or generate in the platform — including their own users, business records, and compliance evidence — Complycheck acts as a Processor on behalf of the tenant. Our processor obligations are set out in the Data Processing Agreement.
3. Categories of personal data we process
| Category | Source | Purpose | Legal basis |
|---|---|---|---|
| Contact details (name, business email, role) | You, when you sign up or contact us | Account administration, support, billing | Contract performance (Art. 6(1)(b) GDPR) |
| Authentication metadata (device fingerprint hash, IP subnet, login timestamps) | Your browser at sign-in | Account security, fraud prevention | Legitimate interests (Art. 6(1)(f) GDPR) |
| Audit and authentication event logs | Your actions on the platform | Security, dispute resolution, regulatory compliance | Legal obligation and legitimate interests (Art. 6(1)(c), (f)) |
| Cookies and analytics | Your browser | Essential session cookies; product analytics where consented | Consent for non-essential; necessity for essential (ePrivacy + Art. 6(1)(a), (f)) |
| Billing data | Your payment provider and you | Invoicing, financial records | Contract performance and legal obligation |
4. How we use personal data
- To provide, operate, and secure the Complycheck platform.
- To authenticate users and detect suspicious activity.
- To communicate with you about your account, security incidents, and material changes to the service.
- To invoice and collect payment.
- To comply with applicable legal obligations.
We do not sell personal data, and we do not use tenant content to train machine-learning models without explicit tenant authorisation.
5. Sub-processors
We use a limited set of vetted sub-processors for hosting, email delivery, error tracking, and analytics. The current list is maintained at TODO: link to sub-processor list page. Customers can subscribe to notifications when a new sub-processor is added.
6. International transfers
Complycheck's primary production region is the European Union (Cyprus and adjacent EU regions). Where personal data is transferred outside the European Economic Area — for example, to a sub-processor located in the United States or the United Kingdom — we rely on either an adequacy decision, the European Commission's Standard Contractual Clauses (2021/914) with supplementary measures, or another lawful transfer mechanism.
7. Retention
- Account data is retained while your account is active and for up to TODO: e.g. 30 days after closure to allow recovery, then deleted.
- Authentication and audit logs are retained for TODO: e.g. 12 months for security investigation, then minimised or deleted.
- Billing records are retained for the period required by applicable tax and accounting law (Cyprus: typically 6 years).
- Tenant content is retained as instructed by the tenant under the Data Processing Agreement.
8. Your rights
Under GDPR, you have the right to access, rectify, erase, restrict processing of, and port your personal data, and to object to certain processing. You may exercise these rights at any time by contacting [email protected].
If you are a tenant user, requests that concern data your employer controls in the platform are routed via your tenant administrator — we will assist your administrator with the technical steps required to fulfil your request.
9. Supervisory authority
The lead supervisory authority for Complycheck is the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus (dataprotection.gov.cy). You may also lodge a complaint with the supervisory authority in your EU country of residence.
10. Changes to this policy
We will publish updated versions of this policy here and notify tenant administrators by email of material changes.
11. Contact
- Data Protection Officer: [email protected]
- Postal address: TODO: registered office address
- Security disclosures: [email protected]