Privacy Policy

Last updated: February 17, 2026

We explain what data we collect, why we collect it, and the controls available to your organization and users.

Also review our Terms and Contact page for legal and support channels.

1. Introduction

ComplyEur ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Schengen compliance management service.

By using ComplyEur, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this policy, please do not access or use our service.

2. Information We Collect

We collect information that you provide directly to us when using our service:

Account Information

  • Email addresses
  • Company names
  • User names and contact details

Employee Data

  • Employee names
  • Employee email addresses (when provided)
  • Nationality information
  • Travel dates and destinations

Technical Information

  • Browser type and version
  • Device information
  • IP address
  • Usage patterns and analytics data

3. How We Use Your Information

We use the information we collect solely to provide and improve our Schengen compliance tracking service. Specifically, we use your information to:

  • Calculate and track Schengen 90/180-day visa compliance for your employees
  • Send compliance alerts and notifications
  • Process payments for subscription services
  • Provide customer support
  • Improve our service through analytics
  • Communicate important updates about our service

We do not sell, rent, or share your personal data with third parties for marketing purposes.

Legal Bases for Processing (Article 6 GDPR / UK GDPR)

  • Contract (Article 6(1)(b)): to provide account access, compliance calculations, alerts, and paid subscription services.
  • Legitimate Interests (Article 6(1)(f)): to secure our platform, prevent abuse, and improve product performance and reliability.
  • Legal Obligation (Article 6(1)(c)): to retain records where required for tax, accounting, legal, or regulatory purposes.
  • Consent (Article 6(1)(a)): for non-essential cookies and analytics, which you can withdraw at any time through cookie settings.

4. Data Sharing and Third Parties

We work with trusted third-party service providers who assist us in operating our service. These providers have access to your data only to perform specific tasks on our behalf and are obligated to protect your information.

Our Service Providers

  • Supabase - Database hosting and authentication services. Your data is stored in Supabase infrastructure with at-rest encryption controls.
  • Stripe - Payment processing. Stripe handles all payment card data and is PCI DSS compliant. We do not store your full credit card details.
  • Resend - Email delivery service for compliance alerts and notifications. Only email addresses and notification content are shared with Resend.
  • Vercel - Application hosting, deployment, and edge delivery for the ComplyEur web app. Request metadata and operational logs may be processed for reliability and security.
  • Google Analytics - Website analytics to understand how users interact with our service. This data is anonymized and used only for service improvement.

Data Residency

Our primary production database is hosted in London (UK). Supporting services may process limited personal data in the UK, EEA, or other countries where our processors operate. Where data is transferred internationally, we rely on appropriate safeguards such as Standard Contractual Clauses and equivalent contractual protections.

5. Data Retention

We retain your data for as long as necessary to provide our services and comply with legal obligations:

  • Active accounts: Your data is retained for as long as your account remains active.
  • Account deletion: When you delete your account, your data enters a 30-day soft deletion period during which you can recover your account. After this period, data is permanently deleted.
  • Backups: Encrypted backups are retained for 90 days for disaster recovery purposes before being permanently deleted.
  • Legal requirements: Some data may be retained longer if required by law or for legitimate business purposes (e.g., fraud prevention, tax records).

6. Your Rights (GDPR/UK GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, you have certain rights under the General Data Protection Regulation (GDPR) and UK GDPR:

  • Right to Access: You can request a copy of all personal data we hold about you. Use the "Download My Data" feature in your account settings.
  • Right to Rectification: You can correct any inaccurate personal data through your account settings.
  • Right to Erasure: You can delete your account and all associated data through the account settings. This initiates our 30-day soft deletion process.
  • Right to Data Portability: You can export your data in CSV format using the "Export Data" feature.
  • Right to Object: You can opt out of non-essential communications at any time via email preferences or the unsubscribe link in our emails.
  • Right to Restrict Processing: You can request that we limit how we use your data in certain circumstances.

To exercise any of these rights, please contact us at privacy@complyeur.com.

7. Cookies

We use cookies and similar tracking technologies to operate our service and improve your experience. You can manage your cookie preferences at any time.

Types of Cookies We Use

  • Necessary Cookies: Essential for the operation of our service, including authentication and session management. These cannot be disabled.
  • Analytics Cookies: Help us understand how visitors interact with our service. You can opt out of these cookies.

For more information about the cookies we use, please see our .

8. Security

We take the security of your data seriously and implement appropriate technical and organizational measures to protect your personal information:

  • All data is encrypted in transit using TLS 1.3
  • Waitlist email addresses are encrypted at rest using AES-256-GCM
  • Database at-rest protections are enforced through infrastructure controls
  • Access to production systems is restricted and logged
  • Regular security audits and vulnerability assessments
  • Multi-factor authentication for administrative access

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

If we become aware of a personal data breach that is likely to result in risk to individuals, we follow our incident response process and notify the relevant supervisory authority (including the ICO for UK data subjects) within 72 hours where required by law, and notify affected individuals without undue delay when legally required.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last updated" date at the top of this page
  • Sending an email notification for significant changes

We encourage you to review this Privacy Policy periodically for any changes. Your continued use of the service after changes are posted constitutes acceptance of those changes.

10. Contact Us

If you have any questions about this Privacy Policy, your personal data, or wish to exercise your data protection rights, please contact us:

We aim to respond to all legitimate requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

Questions about your data handling obligations?

If you need support for DSAR, deletion workflows, or legal review context, contact us directly.
