Privacy Policy

Last updated: March 29, 2026

privacy@complydev.com

1. Introduction

ComplyDev ("we", "our") is committed to protecting the privacy of its users. This Privacy Policy describes how we collect, use, and protect your personal data when you use our cybersecurity assessment platform.

2. Data Controller

ComplyDev

Website: https://complydev.com — Email: privacy@complydev.com

3. Data Collected

3.1 Voluntarily Provided Data

  • Company data: Company name, sector, number of employees, revenue, description, website
  • User data: Full name, business email
  • Questionnaire responses: Your responses to the assessment questions (automatically deleted after 7 days)

3.2 Technical Data

  • IP address (for rate limiting)
  • Browser user agent
  • Usage timestamps

4. Purpose of Data Processing

We use your data for:

  • Service delivery: Generate your personalized compliance report
  • Communication: Future communications (if you provide your email)
  • Marketing (consent only): Send newsletters and regulatory updates
  • Security: Prevent abuse and cyberattacks

5. Legal Basis

Data processing is based on:

  • Contract execution (Art. 6.1.b GDPR): To provide the requested service
  • Consent (Art. 6.1.a GDPR): For marketing communications (optional)
  • Legitimate interest (Art. 6.1.f GDPR): For security and fraud prevention

6. Data Retention

  • Questionnaire responses: Automatically deleted 7 days after completion
  • Generated report: Available for 7 days via signed link, then deleted
  • Company data: Retained until consent is revoked or deletion is requested
  • Technical data (IP, logs): Retained for 30 days for security

7. Data Sharing

Your data may be shared with:

  • AI Provider (DeepSeek): To process responses (DPA agreement in place)
  • Storage (Cloudflare R2): To temporarily store PDFs (DPA agreement in place)
  • Database (Supabase): For data management (DPA agreement in place)
  • Analytics (Plausible Analytics): Cookieless, privacy-friendly web analytics (EU-hosted, no personal data collected)
  • Performance Monitoring (Vercel Analytics): Cookieless performance metrics (no personal data collected)
  • Error Monitoring (Sentry): Error tracking for service reliability (DPA agreement in place, may capture technical context of errors)

We do not sell or share your data with third parties for commercial purposes.

8. International Transfers

Some of our providers are located outside the EU. In particular, DeepSeek (our AI provider) is based in China, which does not have an EU adequacy decision. For such transfers, we rely on Standard Contractual Clauses (SCC) approved by the European Commission, supplemented by additional technical measures (encryption in transit, data minimization, no persistent storage by the provider) in accordance with the Schrems II decision. Other providers (Supabase, Sentry) process data within the EU or in countries with adequacy decisions.

9. Your Rights (GDPR)

You have the right to:

  • Access (Art. 15): Obtain a copy of your data
  • Rectification (Art. 16): Correct inaccurate data
  • Erasure (Art. 17): Request deletion of your data
  • Restriction (Art. 18): Restrict processing
  • Portability (Art. 20): Receive your data in a structured format
  • Objection (Art. 21): Object to processing on legitimate grounds
  • Withdraw consent (Art. 7.3): Withdraw marketing consent at any time

To exercise your rights, email us at privacy@complydev.com. We will respond within 30 days as required by the GDPR.

10. Security

We implement appropriate technical and organizational measures to protect your data:

  • TLS/SSL encryption for transmissions
  • At-rest encryption for storage
  • Role-based access controls
  • Audit logs and monitoring
  • Regular backups and disaster recovery

11. Cookies and Tracking Technologies

We use only strictly necessary technical cookies: an authentication session cookie (Supabase), a CSRF protection token, and a locale preference cookie (NEXT_LOCALE). We do not use any tracking, analytics, or advertising cookies. Our web analytics are provided by Plausible Analytics, which is cookieless and GDPR-compliant by design.

12. Minors

Our service is intended for businesses and is not aimed at minors under 16 years of age. We do not knowingly collect data from minors.

13. Changes to this Privacy Policy

We may update this Privacy Policy periodically. Continued use of the service after changes constitutes acceptance of the new policy.

14. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the competent Data Protection Authority within 72 hours as required by Art. 33 GDPR. If the breach is likely to result in a high risk, we will also notify affected users without undue delay (Art. 34 GDPR).

15. Data Protection Officer

Given the nature and scale of our data processing activities, ComplyDev is not required to appoint a Data Protection Officer under Art. 37 GDPR. For any privacy-related inquiries, you can contact us directly at privacy@complydev.com.

16. Complaints

You have the right to file a complaint with your national Data Protection Authority. For users in Italy, the competent authority is the Garante per la Protezione dei Dati Personali (https://www.garanteprivacy.it).

17. Automated Decision-Making and AI Processing

Our service uses artificial intelligence (DeepSeek) to analyze your company profile and identify applicable cybersecurity regulations. The AI evaluates your company's sector, size, country, and description to determine which regulations apply and to generate a gap analysis report.

This processing is based on automated logic but does not produce legally binding decisions. The output is informational and advisory in nature. You have the right to request human review of any AI-generated assessment by contacting us at privacy@complydev.com.

18. Contact

For any questions about this Privacy Policy or the processing of your data, email us at privacy@complydev.com.
