1. Introduction
ComplyScan ("we", "us", or "our") operates the ComplyScan web application and related services. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our service.
By accessing or using ComplyScan, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the service.
2. Data Controller & Legal Basis
The data controller responsible for your personal information is ComplyScan. Contact: privacy@exitcomply.com.
We process your personal data under the following legal bases (GDPR Art. 6):
- Performance of a contract (Art. 6(1)(b)): processing your scan requests and delivering reports you requested.
- Legitimate interests (Art. 6(1)(f)): improving our service, preventing abuse, and analytics.
- Consent (Art. 6(1)(a)): marketing communications, if you opt in.
- Legal obligation (Art. 6(1)(c)): retaining records where required by tax or business law.
3. Information We Collect
Account Data: Your email address, which is your account identifier, and the password you use to sign in (stored only as a hash; see Section 9).
Scan Data: The URLs you submit for scanning, the scan results (cookie findings, privacy-policy analysis, tracker inventory), and the generated report. Scan results are linked to your account if you are logged in.
Payment Data: When you purchase a full report, payment is processed by our Merchant of Record (Creem). We do not store your full card details — only the transaction status and a reference ID.
Usage Data: We collect anonymized analytics (pages visited, features used) via Vercel Analytics. This does not track you across other websites.
Technical Data: Your IP address is processed transiently for server security and abuse prevention, then discarded.
4. How We Use Your Information
- To perform GDPR compliance scans you request and deliver the resulting reports
- To create and manage your account and scan history
- To process payments and manage access to paid reports
- To improve scan accuracy and develop new detection rules
- To communicate with you about your account and support requests
- To prevent abuse and protect the service
We do not sell your personal information to third parties. We do not use your scan data to train AI models.
5. Cookies & Third-Party Services
ComplyScan itself uses only essential cookies for authentication and session management. We do not set advertising or tracking cookies on our own site.
Third-party processors with access to limited data:
- Creem (payment processing, Merchant of Record — handles EU VAT)
- Vercel (hosting and analytics)
- Your email provider for transactional email
When you scan a third-party website, ComplyScan's scanner (a headless browser) visits that site and collects publicly visible compliance signals (cookies set by that site, its privacy policy text, its third-party requests). This data is processed to generate your report and is not shared with the scanned site.
6. Your Data Subject Rights (GDPR Arts. 15–22)
You have the following rights regarding your personal data:
- Access (Art. 15): request a copy of your data
- Rectification (Art. 16): correct inaccurate data
- Erasure / Right to be Forgotten (Art. 17): request deletion of your account and scan history
- Restriction (Art. 18): limit processing in certain circumstances
- Portability (Art. 20): receive your data in a structured, machine-readable format
- Objection (Art. 21): object to processing based on legitimate interests
- Withdraw consent (Art. 7(3)): withdraw marketing consent at any time
To exercise any right, email privacy@exitcomply.com. We respond within 30 days.
7. Data Retention
Scan results are retained for as long as your account is active, so you can access your scan history. If you delete your account, we erase your personal data and linked scans within 30 days, except where retention is required by law (e.g., tax records for paid transactions, retained by our payment processor).
8. International Data Transfers
Your data may be processed by our hosting provider (Vercel) and payment provider (Creem) in jurisdictions outside the EU/EEA. For such transfers we rely on Standard Contractual Clauses, or on an applicable adequacy decision or other recognised safeguard offered by the provider, so that your data receives a level of protection essentially equivalent to the GDPR (Arts. 44–49).
9. Security
We use industry-standard measures to protect your data: TLS (HTTPS) encryption for data in transit, passwords stored only as hashes (never in plaintext), and least-privilege access controls on our systems. No method of transmission or storage is 100% secure, but we work to protect your data using commercially reasonable means.
10. Children’s Privacy
ComplyScan is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified via the email on your account or a prominent notice in the app. Continued use after changes constitutes acceptance.
12. Contact
For privacy questions or to exercise your data subject rights, contact:
- Email: privacy@exitcomply.com
We aim to respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.