Privacy Policy
Last updated: January 9, 2026
1. Data Controller
The data controller responsible for your personal data is:
For any questions regarding this Privacy Policy or to exercise your data protection rights, please contact us at the email address above.
Data Protection Officer: We have assessed whether a Data Protection Officer is required under Article 37 GDPR and concluded that it is not, for the following reasons:
- We are not a public authority or body
- Our core activity is providing compliance analysis tools, not large-scale systematic monitoring of individuals
- We do not process special categories of data as a core activity — any such data that may appear in user-uploaded documents is processed transiently by AI for analysis purposes only and is not stored, profiled, or used for decisions about individuals
- Our AI-powered analysis produces compliance reports about documents, not decisions with legal effects on data subjects
For all data protection inquiries, please contact us directly at the email address above. We will reassess this determination as our business grows.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address — Required for account creation and authentication
- Name — Provided during onboarding
- Company name — Provided during onboarding
- Role — Your job function (e.g., DPO, Founder, Legal)
- Company size — Number of employees
2.2 Documents for Analysis
When you use our GDPR Auditor, you may upload documents or provide URLs for analysis. The content of these documents is processed to generate compliance reports.
2.3 Scan History
For each compliance scan, we store:
- File name or URL analyzed
- Compliance score and issues identified
- Date and duration of analysis
- Generated report data
2.4 Feedback
When you provide feedback through our feedback widget, we collect your ratings and comments and associate them with your account (if logged in) and with the relevant scan (if applicable).
2.5 Usage Analytics
We collect analytics data to improve our service, including:
- Pages visited and features used
- Device type and browser information
- IP address (anonymized)
- Referral source
3. Legal Basis for Processing
Under the General Data Protection Regulation (GDPR), we must have a valid legal basis for processing your personal data. The table below shows each type of data we collect, why we process it, and our legal basis:
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, authentication, service communications | Contract performance (Art. 6(1)(b)) |
| Name, company, role | Account personalization, service delivery | Contract performance (Art. 6(1)(b)) |
| Documents for analysis | Compliance auditing service | Contract performance (Art. 6(1)(b)) |
| Scan history & reports | Provide access to historical reports | Contract performance (Art. 6(1)(b)) |
| Feedback & ratings | Service improvement | Legitimate interests (Art. 6(1)(f)) |
| Usage analytics | Service improvement, security | Legitimate interests (Art. 6(1)(f)) |
| Marketing communications | Product updates, newsletters | Consent (Art. 6(1)(a)) |
Legitimate Interests Assessment
Where we rely on legitimate interests as our legal basis, we have conducted a balancing test to ensure our interests do not override your rights and freedoms:
Analytics Data
Our interest: Understanding how users interact with our service to improve functionality and user experience.
Impact on you: Minimal — we use privacy-friendly analytics (PostHog) with IP anonymization and EU data storage. No profiling or automated decisions are made.
Your rights: You can object to analytics processing at any time by contacting us or using browser Do Not Track settings.
Feedback Data
Our interest: Collecting user feedback to identify issues and improve our compliance analysis quality.
Impact on you: Minimal — feedback is voluntary, and you control what information you share.
Your rights: You can request deletion of your feedback at any time.
Security Monitoring
Our interest: Detecting and preventing unauthorized access, abuse, and security threats.
Impact on you: Minimal — security logs contain only technical data necessary for protection.
Your rights: Security processing is essential to protect all users and cannot be objected to while using the service.
4. How We Use Your Information
We use your personal data for the following purposes:
- Service Delivery: To provide, maintain, and improve our compliance auditing platform
- Authentication: To verify your identity and manage your account access via magic link emails
- Document Analysis: To process documents you submit and generate compliance reports
- Communication: To respond to your inquiries and provide customer support
- Product Improvement: To analyze usage patterns and feedback to enhance our service
- Security: To detect, prevent, and address technical issues and abuse
5. Data Recipients and Third-Party Services
We share your personal data with the following categories of recipients, solely for the purposes described in this policy:
Anthropic (AI Processing)
Document content is sent to Anthropic's Claude API for compliance analysis. Anthropic acts as a data processor under a Data Processing Agreement.
Transfer safeguards: Standard Contractual Clauses (EU Commission Decision 2021/914), supplemented by Anthropic's technical and organizational security measures including encryption in transit and at rest.
Location: United States
Supabase (Database)
Your account data, scan history, and feedback are stored in our Supabase database.
Location: European Union (Ireland)
Resend (Email Delivery)
Your email address is shared with Resend to deliver authentication emails and notifications.
Location: United States (with appropriate safeguards)
PostHog (Analytics)
Usage analytics data is collected through PostHog to help us understand how our service is used.
Location: European Union
Vercel (Hosting)
Our website is hosted on Vercel's infrastructure.
Location: European Union (with global CDN)
We do not sell your personal data to third parties. We only share data as described above and when required by law.
6. International Data Transfers
Some of our third-party service providers are located outside the European Economic Area (EEA). When we transfer your data outside the EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use Standard Contractual Clauses approved by the European Commission under Decision 2021/914 with service providers in the United States (Anthropic, Resend). These clauses provide contractual guarantees that your data will be protected to EU standards.
- EU-based processing: Our primary database (Supabase) is hosted in the European Union (Ireland), ensuring your core data remains within the EEA.
- Data minimization: We only transfer the minimum data necessary for each service to function.
- Vendor assessment: We evaluate our third-party providers' data protection practices before engaging their services.
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
- Account Data: Retained for as long as your account is active, plus 2 years after account deletion for legal compliance
- Scan History: Retained for 3 years from the date of the scan to allow you to access historical reports
- Feedback: Retained for 3 years to help us improve our service
- Analytics Data: Retained for 2 years in anonymized form
- Authentication Logs: Retained for 1 year for security purposes
You can request deletion of your data at any time by contacting us. We will delete or anonymize your data within 30 days of your request, except where we are legally required to retain it.
8. Your Data Protection Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of Access (Article 15): You can request a copy of the personal data we hold about you.
- Right to Rectification (Article 16): You can request correction of inaccurate or incomplete data. You can also update your profile information directly in your account settings.
- Right to Erasure (Article 17): You can request deletion of your personal data when it is no longer necessary for the purposes for which it was collected.
- Right to Restriction (Article 18): You can request that we limit the processing of your data in certain circumstances.
- Right to Data Portability (Article 20): You can request your data in a structured, machine-readable format (JSON) to transfer to another service.
- Right to Object (Article 21): You can object to processing based on legitimate interests, including analytics and profiling.
- Right to Withdraw Consent (Article 7): Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at getcomplai@gmail.com. We will respond to your request within 30 days.
9. Right to Lodge a Complaint
If you believe that we have not handled your personal data properly, you have the right to lodge a complaint with a supervisory authority.
As we are based in Italy, you can contact the Italian Data Protection Authority:
Garante per la protezione dei dati personali
Piazza Venezia, 11 - 00187 Roma
Website: www.garanteprivacy.it
Email: garante@gpdp.it
You may also contact the supervisory authority in your country of residence if different from Italy.
10. Cookies and Similar Technologies
We use cookies and similar technologies on our website:
Strictly Necessary Cookies
These cookies are essential for the website to function. They include:
- Session cookie: Maintains your logged-in state (expires after 30 days)
- Theme preference: Remembers your light/dark mode preference
Analytics Cookies
We use PostHog for privacy-friendly analytics. These cookies help us understand how visitors interact with our website. PostHog is configured to:
- Anonymize IP addresses
- Respect Do Not Track browser settings
- Store data in the European Union
You can control cookies through your browser settings. Note that disabling cookies may affect some functionality of our service.
11. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
- Encryption in transit: All data is transmitted using TLS/SSL encryption (HTTPS)
- Encryption at rest: Database data is encrypted at rest
- Secure authentication: We use passwordless magic link authentication to eliminate password-related vulnerabilities
- Access controls: Access to personal data is strictly limited on a need-to-know basis
- Regular updates: We keep our systems and dependencies updated to address security vulnerabilities
12. AI and Automated Processing
Our compliance auditing service uses artificial intelligence (AI) to analyze documents. We want to be transparent about how this works:
How AI Analysis Works
- Technology: We use Anthropic's Claude AI to analyze documents for GDPR compliance
- Process: Your document text is sent to the AI, which identifies potential compliance issues based on GDPR requirements
- Output: The AI generates a compliance report with a score, identified issues, and recommendations
Not Automated Decision-Making Under Article 22
Our AI analysis does not constitute automated decision-making under GDPR Article 22 because:
- The analysis evaluates documents, not individuals
- Reports are informational tools to assist your compliance efforts
- No decisions with legal or similarly significant effects are made about you based on the analysis
- You decide how to act on the recommendations — the AI does not make binding determinations
Human Oversight
If you have questions about your compliance report or believe the AI analysis is incorrect:
- You can contact us for clarification or to discuss the findings
- We can provide human review of specific concerns upon request
- Remember that AI analysis is a tool to assist, not replace, professional legal advice
13. Children's Privacy
Our Service is intended for business professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at getcomplai@gmail.com, and we will take steps to delete such information.
14. Requirement to Provide Data
The provision of certain personal data is necessary to use our Service:
- Email address: Required to create an account and receive authentication emails. Without this, you cannot use our service.
- Profile information (name, company, role): Required during onboarding to personalize your experience. You may provide minimal information if preferred.
- Documents for analysis: Required only when you choose to use our compliance auditing feature.
All other data collection (feedback, analytics) is optional, and you may use the service without providing it.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make significant changes, we will:
- Update the "Last updated" date at the top of this page
- Notify registered users by email for material changes
- Provide a summary of changes where appropriate
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
16. Contact Us
If you have any questions about this Privacy Policy, want to exercise your data protection rights, or have concerns about how we handle your data, please contact us:
We aim to respond to all inquiries within 30 days.