Complyance
Get Started Free

Privacy Policy

Last Updated: April 24, 2026 Β· Version 2.1

Introduction

Complyance ('we', 'us', 'our'), operated by Pavel Buyeu (Individual Entrepreneur, registered in Georgia), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our AI compliance management platform.

By using Complyance, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our services.

Data Residency and EU Hosting

All customer data collected, stored, and processed by Complyance is located within the European Union.

Infrastructure Locations

  • Application & Database: Railway EU West region (Amsterdam, Netherlands)
  • File Storage: AWS S3 EU Central region (Frankfurt, Germany) β€” bucket 'complyance-docs'
  • Error Monitoring: Sentry EU data plane (Germany) β€” via ingest.de.sentry.io endpoints
  • Email Delivery: Resend EU infrastructure
  • Payment Processing: Paddle (United Kingdom Merchant of Record)
  • CDN & DNS: Cloudflare (global edge network with EU data centers)
  • Authentication: Google OAuth (sign-in identity only; no ongoing data processing)

What This Means for You

  • Your AI system descriptions, compliance documentation, evidence files, and gap analyses never leave EU infrastructure at rest.
  • International data transfers occur only for: (a) Google OAuth sign-in (covered by Google's EU Standard Contractual Clauses); (b) AI model inference via OpenRouter (see 'AI Processing and Sub-Processors' below); (c) payment processing through Paddle (UK, subject to UK GDPR adequacy decision).
  • We do not transfer customer data to the United States or other non-adequate jurisdictions for the purpose of storage, analytics, or operational processing.

Migration Note

The Complyance platform completed migration from US-based database hosting to EU West (Amsterdam) on April 24, 2026. Any customer data stored prior to this date has been fully migrated and the US-based database has been decommissioned.

What Data We Collect

Account Information

  • Email address
  • Name (optional)
  • Company or organization name
  • Target markets for compliance tracking

AI System Data

  • AI system descriptions and technical details you provide
  • Documents you upload for classification assistance (PDFs, DOCX, etc.)
  • Risk classification results and compliance gap analysis

Technical Data

  • IP address and geolocation data
  • Browser type, version, and device information
  • Usage analytics (pages visited, features used, session duration)
  • Error logs and diagnostic data (via Sentry)

How We Use Your Data

  • Provide and maintain the Complyance platform
  • Perform AI risk classification and gap analysis using Claude API
  • Generate compliance reports and technical documentation
  • Respond to support requests and customer inquiries
  • Improve platform features and user experience via analytics
  • Process payments and manage subscriptions via Paddle
  • Comply with legal obligations and enforce our Terms of Service

Sub-Processors and Third-Party Services

We engage the following sub-processors to operate the platform. Each entry lists the purpose of processing, data shared, processing location, and legal basis under GDPR.

OpenRouter

AI gateway that routes classification and document-analysis requests to underlying LLM providers.

Data Shared: AI system descriptions, uploaded document content, and classification prompts. Account email and billing details are NOT shared.

Processing Location: United States (Delaware)

Legal Basis: Standard Contractual Clauses (SCCs)

Anthropic (Claude)

Upstream large language model provider accessed via OpenRouter; performs the actual AI inference for classification and drafting.

Data Shared: The same content sent to OpenRouter. Anthropic's Commercial Terms prohibit training on customer data.

Processing Location: United States

Legal Basis: Covered by OpenRouter's Standard Contractual Clauses

Railway

Application hosting, PostgreSQL database, Redis cache, and background worker runtime.

Data Shared: All application data including user accounts, AI systems, compliance documentation, evidence records, and audit logs.

Processing Location: EU West (Amsterdam, Netherlands) β€” europe-west4

Legal Basis: GDPR β€” EU processing; Standard Contractual Clauses where applicable

AWS S3

Encrypted object storage for user-uploaded documents and evidence files.

Data Shared: User-uploaded PDFs, DOCX, and evidence attachments encrypted with AES-256 at rest.

Processing Location: EU Central (Frankfurt, Germany) β€” eu-central-1, bucket 'complyance-docs'

Legal Basis: GDPR β€” EU processing

Paddle

Merchant of Record for billing, tax calculation, and invoicing.

Data Shared: Email address, billing address, payment method, and transaction metadata (processed by Paddle, not stored by Complyance).

Processing Location: United Kingdom (Paddle.com Market Limited)

Legal Basis: Standard Contractual Clauses; UK GDPR adequacy decision

Resend

Transactional email delivery (password resets, notifications, compliance alerts).

Data Shared: Recipient email address and message content.

Processing Location: European Union

Legal Basis: GDPR β€” EU processing

Sentry

Error monitoring and performance tracing.

Data Shared: Error logs, stack traces, and request metadata. Personally identifiable information is scrubbed before transmission.

Processing Location: European Union (Germany) β€” via *.ingest.de.sentry.io

Legal Basis: GDPR β€” EU processing

Google (OAuth)

Optional identity provider for 'Sign in with Google'.

Data Shared: Email address and display name are received during the sign-in flow. No ongoing data transfer occurs after account creation.

Processing Location: United States

Legal Basis: Identity verification β€” Google's Standard Contractual Clauses apply at sign-in

Cloudflare

DNS, CDN, DDoS protection, and inbound email routing for @complyance.app addresses.

Data Shared: IP addresses, request metadata, and forwarded email headers.

Processing Location: Global edge network with EU data centers

Legal Basis: Legitimate interest (security and performance) and Standard Contractual Clauses

BetterStack

Uptime monitoring of public endpoints.

Data Shared: URLs and response timing data. No customer account data is transmitted.

Processing Location: European Union and United States

Legal Basis: Standard Contractual Clauses

Calendly

Meeting-booking widget on the /managed page only, used when you voluntarily request a consultation.

Data Shared: Name, email address, and chosen meeting time β€” submitted directly by you to Calendly.

Processing Location: United States

Legal Basis: User-initiated booking with explicit consent; Standard Contractual Clauses

TraceHawk

Sister product for AI agent observability, operated by the same legal entity (Pavel Buyeu, Individual Entrepreneur, Georgia). Enabled only when you explicitly link an AI system to TraceHawk.

Data Shared: Agent monitoring metadata such as model usage, tool invocations, and runtime anomalies β€” only for systems you have explicitly linked.

Processing Location: Same infrastructure as Complyance: Railway EU West (Amsterdam) + AWS S3 EU Central (Frankfurt)

Legal Basis: Internal transfer within the same data controller β€” not a third-party sub-processor transfer

Cookies & Tracking

We use cookies and similar technologies to maintain your session and improve the platform. Types of cookies used:

  • Essential Cookies: Required for authentication, session management, and security (cannot be disabled)
  • Analytics Cookies: Optional cookies to track aggregate usage patterns and improve user experience. No third-party analytics provider is currently enabled.

Data Retention

We retain personal data only as long as necessary for the purposes described in this policy or as required by law. Specific retention periods are:

  • Account Data: Retained for as long as your account is active. After deletion, personal account data is permanently removed from production systems within 30 days.
  • Generated Documents & Evidence Files: Retained for 30 days after subscription cancellation to allow reactivation, then permanently deleted from production storage.
  • Aggregate Usage Data: Anonymized and aggregated usage metrics are retained for up to 12 months for product improvement purposes.
  • Backups: Encrypted backups are retained for 90 days for disaster-recovery purposes, after which they are permanently deleted.
  • Legal and Tax Records: Billing records, invoices, and other documents required by the Law of Georgia on Accounting, Reporting and Auditing are retained for 7 years, as mandated by Georgian tax law.

Your GDPR Rights (EU Users)

If you are located in the European Union, you have the following data protection rights under GDPR:

  • Right to Access: Request a copy of all personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data ('right to be forgotten')
  • Right to Data Portability: Request export of your data in machine-readable format (JSON)
  • Right to Object: Object to processing of your personal data for specific purposes

To exercise any of these rights, contact us at privacy@complyance.app

Security Measures

  • All data encrypted at rest (AES-256) and in transit (TLS 1.3)
  • EU-based infrastructure β€” Railway EU West (Amsterdam, Netherlands) for application and database, AWS S3 EU Central (Frankfurt, Germany) for file storage β€” for GDPR compliance
  • Role-based access controls and audit logging for all data access
  • 24/7 security monitoring and automated threat detection

International Data Transfers

All customer data is stored and processed in the European Union. Railway (Amsterdam), AWS S3 (Frankfurt), Sentry (Germany), and Resend (EU) operate entirely within EU infrastructure. Limited international transfers occur only for: (a) AI inference through OpenRouter and Anthropic in the United States, governed by Standard Contractual Clauses; (b) Google OAuth sign-in identity verification, governed by Google's Standard Contractual Clauses; and (c) Paddle payment processing in the United Kingdom, covered by the UK's GDPR adequacy decision. See the sub-processor table above for details.

Children's Privacy

Complyance is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us at privacy@complyance.app and we will delete it.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated 'Last Updated' date. If changes are material, we will notify you via email. Continued use of the platform after changes constitutes acceptance of the updated policy.

Contact Us

Email: privacy@complyance.app

Website: complyance.app