Privacy Policy
Last Updated: April 18, 2026
Your Privacy Matters
We collect only the minimum data necessary to provide our scanning services. We never sell your personal data to third parties. This policy explains what we collect, how we use it, and your rights.
1. Information We Collect
Information You Provide
- Email address — Used to send scan results and reports. Optional for free scans.
- Website URLs — The URLs you submit for accessibility scanning.
- Payment information — Processed securely through Stripe. We never store your full card details.
- Marketing preferences — Whether you opt in to receive tips and updates (you can opt out at any time).
Information We Collect Automatically
- Scan data — Accessibility issues detected on scanned websites, stored to generate reports.
- Usage data — Pages visited, features used, scan frequency (via anonymized analytics).
- Technical data — Browser type, device type, IP address (used only for rate limiting and security).
2. How We Use Your Information
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide scanning services | Email, URLs, scan data | Contract performance |
| Send scan reports | Email, scan results | Contract performance |
| Process payments | Email, Stripe token | Contract performance |
| Send marketing updates | Email | Consent (opt-in only) |
| Improve our service | Anonymized usage data | Legitimate interest |
| Prevent abuse | IP address, scan patterns | Legitimate interest |
3. Data Sharing
We do not sell, rent, or share your personal data with third parties for marketing purposes. We share data only with:
- Stripe — To securely process payments. Stripe is PCI DSS compliant and handles your card details directly. We never see or store your full card number.
- Supabase — Our database provider, hosting scan results and account data on secure, encrypted infrastructure within the EU.
- Resend — Our email delivery provider, used to send scan reports to your inbox.
- Law enforcement — Only when required by law, such as a valid court order or subpoena.
4. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Scan results | 12 months from scan date | So you can access your reports |
| Account data | Until account deletion | Service delivery |
| Marketing consent | Until withdrawal | GDPR requirement |
| Payment records | 7 years (tax requirement) | Legal obligation |
| Server logs | 30 days | Security monitoring |
5. Your Rights (GDPR & EAA)
Under GDPR and applicable data protection laws, you have the right to:
- Access — Request a copy of your personal data
- Rectification — Correct inaccurate or incomplete data
- Erasure — Request deletion of your personal data
- Portability — Receive your data in a structured, machine-readable format
- Objection — Object to processing of your data for specific purposes
- Withdraw consent — Opt out of marketing communications at any time
To exercise any of these rights, email us at privacy@complykeep.com. We will respond within 30 days.
6. Cookies & Tracking
ComplyKeep uses minimal, privacy-respecting tracking:
- Essential cookies — Required for the service to function (session management, CSRF protection)
- Analytics — We use Google Analytics with IP anonymization enabled. No personally identifiable information is collected.
- No advertising cookies — We do not use advertising or marketing tracking cookies
Google Analytics Settings
We have configured Google Analytics to:
- Anonymize IP addresses (last octet set to 0)
- Not share data with Google for advertising purposes
- Retain data for 14 months only
- Not track across devices or link to Google accounts
7. Security
We take reasonable measures to protect your data:
- All data in transit is encrypted using TLS 1.3
- All data at rest is encrypted using AES-256
- Payment data is handled by Stripe (PCI DSS Level 1 compliant)
- Access to production systems is restricted and logged
- Regular security reviews of our infrastructure
No System Is Perfect
While we implement strong security practices, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.
8. Data Transfers
Our primary infrastructure (Supabase) is hosted within the EU. Stripe processes payments in accordance with EU data protection requirements. Google Analytics data is processed in the US under Standard Contractual Clauses approved by the European Commission.
9. Children's Privacy
ComplyKeep is not directed at children under 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will delete it promptly.
10. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes by:
- Posting a prominent notice on our website
- Sending an email to registered users
- Updating the "Last Updated" date above
Continued use of our services after changes constitutes acceptance of the updated policy.
11. Contact Us
For any privacy-related questions or to exercise your data rights:
Data Protection Summary
We collect minimal data, process it only for stated purposes, store it securely in the EU, and never sell it. You can request deletion at any time. For full details, see the sections above.