Privacy Policy

Last updated: 12 May 2026

1. Who we are

ComplyEncrypt ("we", "us", "our") provides an AI-automated compliance workflow for ISO 27001, GDPR, NIS2 and adjacent frameworks. This policy explains how we handle personal data on our website (complyencrypt.com) and platform.

2. Data we collect

Account data: name, work email, organisation, role.
Platform data: evidence, policies, control answers and risk records you upload to your workspace.
Usage data: device, browser, IP, pages viewed, basic analytics.
Communications: messages you send via contact, support or email.

3. How we use your data

To provide and improve the service, authenticate users, generate compliance artefacts on your behalf, send transactional and (with consent) product emails, prevent abuse, meet legal obligations and respond to your requests.

4. Legal bases (GDPR Art. 6)

Contract (delivering the service you signed up for), legitimate interests (security, fraud prevention, product analytics), consent (marketing emails, optional cookies) and legal obligation (tax, accounting, lawful requests).

5. Sharing and processors

We share data only with vetted sub-processors that help us run the service — cloud hosting, email delivery, analytics, payments and support tooling. We sign Data Processing Agreements and apply Standard Contractual Clauses for transfers outside the EEA where required. We never sell personal data.

6. Retention

Account data is kept while your workspace is active and for a reasonable period afterwards for legal and audit purposes. Workspace content is deleted on request or within 90 days of account closure unless retention is legally required.

7. Your rights

You can access, rectify, erase, port or restrict processing of your personal data, and object to processing based on legitimate interests. Where we rely on consent, you can withdraw it at any time. To exercise rights, email privacy@complyencrypt.com.

8. Security

We apply encryption in transit and at rest, role-based access control, audit logging, least-privilege access for engineers and an internal ISMS aligned with ISO/IEC 27001. Incident response and breach notification follow GDPR Art. 33–34.

9. Cookies

We use strictly necessary cookies for authentication and session integrity. Optional analytics cookies are loaded only with consent.

10. Children

The service is not directed at children under 16 and we do not knowingly collect their data.

11. Changes

We may update this policy. Material changes will be communicated via the platform or email.

12. Contact

Data Controller: ComplyEncrypt — privacy@complyencrypt.com. EU residents may also lodge a complaint with their local supervisory authority.