1. Who We Are (Controller Identity)
Data Controller: ComplianceCore
Email: privacy@compliancecore.io
Address: [Registered address — TBD. Must be completed before launch.]
ComplianceCore operates an EU AI Act compliance assessment platform (“the Platform”) for EU-based organisations.
2. What Data We Collect and Why
2.1 Account and Identity Data
- Data: Name, email address, company name, job title
- Purpose: Creating and managing your account; providing access to the Platform
- Legal Basis: Art. 6(1)(b) GDPR — performance of a contract
2.2 Assessment Data
- Data: AI system descriptions, assessment questionnaire responses, uploaded documentation
- Purpose: Delivering EU AI Act compliance assessments, generating reports, and providing remediation guidance
- Legal Basis: Art. 6(1)(b) GDPR — performance of a contract
2.3 Payment Data
- Data: Billing name, email address; payment method (card details handled exclusively by Stripe — see §5)
- Purpose: Processing subscription payments and issuing receipts
- Legal Basis: Art. 6(1)(b) GDPR — performance of a contract
- Card numbers, expiry dates, and CVVs are entered directly into Stripe's secure form and are never stored or transmitted through ComplianceCore servers.
2.4 Authentication and Session Data
- Data: Session tokens, login timestamps, authentication identifiers (managed by Clerk — see §5)
- Purpose: Authenticating users and maintaining secure, persistent sessions
- Legal Basis: Art. 6(1)(f) GDPR — legitimate interest (platform security and fraud prevention)
2.5 Transactional Communications Data
- Data: Email address, content of account notifications, billing receipts, assessment reports
- Purpose: Delivering service notifications and responding to support queries
- Legal Basis: Art. 6(1)(b) GDPR — contract performance; Art. 6(1)(f) for support communications
2.6 Technical and Usage Data
- Data: IP address, browser type, operating system, pages visited, feature usage
- Purpose: Operating and improving the Platform; diagnosing technical issues
- Legal Basis: Art. 6(1)(f) GDPR — legitimate interest (service reliability and security)
3. Data Retention
| Data Category | Retention Period |
|---|---|
| Account and identity data | Duration of subscription + 3 years after account closure |
| Assessment data and reports | Duration of subscription + 3 years after account closure |
| Payment records and invoices | 7 years from transaction date (statutory accounting obligation) |
| Authentication session tokens | 30 days of inactivity, or on explicit logout |
| Transactional email logs | 3 years from date sent |
| Technical/usage logs | 90 days rolling |
4. How We Share Your Data
We do not sell, rent, or trade personal data. We share data only with the sub-processors listed in §5 and as required by law (e.g., in response to a lawful court order or regulatory request).
5. Sub-processors
| Sub-processor | Role | Data Processed | Location |
|---|---|---|---|
| Cloudflare, Inc. | Hosting, CDN, DDoS protection, edge security | IP addresses, request metadata, cookies | USA (EU infrastructure available) |
| Stripe, Inc. | Payment processing | Billing name, email, payment method | USA (EU data processing via SCCs) |
| Clerk, Inc. | User authentication and identity management | Name, email, session tokens | USA (EU data processing via SCCs) |
| Resend, Inc. | Transactional email delivery | Name, email address, email content | USA |
6. International Data Transfers
Our sub-processors are primarily based in the United States. Where personal data is transferred outside the European Economic Area (EEA), we rely on:
- Standard Contractual Clauses (SCCs) (Commission Implementing Decision (EU) 2021/914) as the primary transfer mechanism
- Adequacy decisions where applicable
We will not transfer personal data to a third country without an appropriate safeguard in place.
7. Your Rights
Under GDPR Chapter III, you have the following rights regarding your personal data:
| Right | Article | Description |
|---|---|---|
| Access | Art. 15 | Request a copy of your personal data and information about how it is processed |
| Rectification | Art. 16 | Request correction of inaccurate or incomplete data |
| Erasure | Art. 17 | Request deletion of your data, subject to legal retention obligations |
| Restriction of processing | Art. 18 | Request that we restrict processing of your data in certain circumstances |
| Data portability | Art. 20 | Receive your data in a structured, machine-readable format (JSON/CSV) |
| Object to processing | Art. 21 | Object to processing based on legitimate interests |
| Withdraw consent | Art. 7(3) | Where processing is based on consent, withdraw at any time without affecting prior processing |
To exercise your rights: Email privacy@compliancecore.io with your request. We will respond within 30 days of receipt (extendable to 60 days for complex requests, with notice).
Right to complain: You have the right to lodge a complaint with your national data protection supervisory authority.
8. Security
We implement appropriate technical and organisational security measures (Art. 32 GDPR), including:
- Encryption of data in transit (TLS 1.2+) and at rest
- Authentication enforced via Clerk with multi-factor authentication available
- Role-based access controls
- Regular security assessments
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with Art. 33–34 GDPR.
9. Cookies
We use only strictly necessary cookies. For full details, please see our Cookie Notice.
10. Changes to This Policy
We will post any changes to this policy on this page and update the “Last updated” date. For material changes, we will provide notice by email or a prominent notice on the Platform at least 30 days before the change takes effect.
11. Contact
For any privacy-related questions or to exercise your rights:
Email: privacy@compliancecore.io
Address: [ComplianceCore registered address — to be completed before launch]