Privacy Policy

Last updated: March 31, 2026

1. About This Policy

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the ComplianceForge AI platform. This policy applies to all users of our website and services.

DevLogic, sole proprietorship for IT services

Owner: Igor Vrgoč

Registered address: Šumetlica 66, 35404 Cernik, Šumetlica, Croatia

OIB (Personal Identification Number): 93106806915

Trade Register No.: 12010108940

Contact: info@complianceforge.eu

2. Information We Collect

We collect the following categories of personal data:

  • Registration data: name, email address (via Google OAuth), Google ID
  • Questionnaire data: your answers to the compliance questionnaire (organization profile, AI systems, governance practices)
  • Generated documents: compliance documents generated based on your answers
  • Technical data: IP address, browser type, operating system (collected automatically)
  • Cookies: functional and analytics cookies (with consent)

3. Purposes and Legal Bases

We process your personal data for the following purposes under the GDPR:

Purpose                                  | Legal basis
Registration and authentication          | Contractual necessity (Art. 6(1)(b))
AI classification and compliance analysis | Contractual necessity (Art. 6(1)(b))
Document generation                      | Contractual necessity (Art. 6(1)(b))
Analytics (Google Analytics)             | Consent (Art. 6(1)(a))
Security and abuse prevention            | Legitimate interest (Art. 6(1)(f))
Error monitoring (Sentry)                | Legitimate interest (Art. 6(1)(f))
Legal obligations                        | Legal obligation (Art. 6(1)(c))

4. AI Data Processing

Your questionnaire answers are processed by the Claude API (Anthropic) to provide AI-powered risk classification, compliance scoring, gap analysis, and document generation. Important details:

  • Your questionnaire answers (not personal data) are sent to Anthropic's API solely for generating the requested analysis and documents.
  • Anthropic does not use API data to train or improve their AI models.
  • Data is processed in real-time. For document generation, asynchronous processing via Inngest is used.
  • All data transmitted to Anthropic is encrypted via TLS.

Anthropic Privacy Policy

5. Automated Decision-Making

AI-based risk classification and compliance scoring are recommendations, not automated decisions with legal effect. You make the final decision on all compliance matters. The Legal Review Mode enables human verification of all AI outputs. Article 22 of the GDPR does not apply as there is no automated decision-making with legal or similarly significant effect.

6. Payment Data

Paddle.com Market Ltd is a separate data controller for payment data. DevLogic does not receive, store, or process payment card information. Paddle processes: name, email, address, payment details, and transaction data. For details, see Paddle's Privacy Policy.

7. No Data Selling

We do not sell, rent, or trade your personal data to third parties for advertising, profiling, or any other commercial purpose. Your data is never shared with data brokers or marketing companies. We only share data with the sub-processors listed in this policy, solely for the purpose of operating the service.

8. Recipients and Sub-processors

We use the following third-party services. Each processes data in accordance with their own privacy policies:

Service                  | Location       | Purpose
Supabase                 | EU (Frankfurt) | Database, authentication, storage
Anthropic (Claude API)   | USA (DPF)      | AI processing of questionnaire data
Paddle                   | UK             | Payment processing (MoR)
Vercel                   | USA (DPF)      | Hosting, serverless functions
Google Analytics         | USA (DPF)      | Web analytics (with consent)
Sentry                   | USA            | Error monitoring
Inngest                  | USA            | Background job processing

9. International Data Transfers

Some of our sub-processors process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place: the EU-US Data Privacy Framework (DPF) for certified services, and Standard Contractual Clauses (SCCs) approved by the European Commission where DPF does not apply. All data transfers are protected by TLS encryption.

10. Data Storage and Security

Your data is stored securely on Supabase servers in the EU (Frankfurt region). Security measures include:

  • Row-Level Security (RLS): database-level access controls ensure each user can only access their own data
  • Encryption in transit: all data transmitted between your browser and our servers is encrypted using TLS
  • Encryption at rest: data is encrypted at rest using AES-256 encryption
  • Rate limiting: API endpoints are protected against abuse
  • Access restricted to authorized administrators

While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure.

11. Data Retention

We retain your data for the following periods:

Category            | Retention period
User account        | while active + 30 days after deletion
Compliance data     | until you request deletion
Analytics (GA4)     | 14 months
Sentry logs         | 90 days
Accounting records  | 11 years (Croatian Accounting Act, Art. 10)

12. Cookies

We use essential cookies (authentication, language preference, consent storage) and analytics cookies (Google Analytics, with your consent). We do not use advertising or tracking cookies. For a complete list of cookies and how to manage them, see our Cookie Policy.

13. Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right of access (Art. 15): request a copy of all your personal data
  • Right to rectification (Art. 16): correct inaccurate or incomplete data
  • Right to erasure (Art. 17): request deletion of your data ("right to be forgotten")
  • Right to restriction (Art. 18): request restriction of processing
  • Right to data portability (Art. 20): receive your data in a machine-readable format
  • Right to object (Art. 21): object to processing based on legitimate interests

To exercise these rights, contact us at info@complianceforge.eu. We will respond within 30 days.

14. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the CCPA/CPRA:

  • Right to know: request details about collected personal information
  • Right to delete: request deletion of personal information
  • Right to non-discrimination: we will not discriminate for exercising CCPA rights
  • No sale of personal information: we do not sell your data as defined under CCPA

To exercise your California privacy rights, contact info@complianceforge.eu. We will respond within 45 days.

15. Supervisory Authority

If you believe our processing violates data protection laws, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Croatian Personal Data Protection Agency (AZOP).

Croatian Personal Data Protection Agency (AZOP): azop.hr

If you are an EU consumer, you may also use the European Commission's Online Dispute Resolution platform: ec.europa.eu/consumers/odr

16. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or applicable laws. We will notify you of material changes by posting a notice on our website or sending an email. Your continued use of the service after changes take effect constitutes acceptance of the updated policy.

Data Controller & Contact

The data controller responsible for your personal data is listed below. For questions about this Privacy Policy or your personal data, contact us at info@complianceforge.eu.

DevLogic, sole proprietorship for IT services

Owner: Igor Vrgoč

Registered address: Šumetlica 66, 35404 Cernik, Šumetlica, Croatia

Contact: info@complianceforge.eu