Privacy Policy
Last updated: March 30, 2026
1. Who We Are
ComplyScan ("we," "us," or "our") is an automated GDPR compliance scanning service. We are committed to protecting the privacy and personal data of our users and the visitors to websites our users scan.
Contact us at: compliance@complyscan.com
2. Data We Collect
When you use ComplyScan, we collect the following data:
Data you provide directly:
- Email address — required to receive scan reports
- Billing information — processed by Stripe; we do not store credit card numbers
Data collected during scanning:
- URL scanned — the website address you submit for analysis
- Scan results — the compliance findings generated by our analysis engine
- Publicly accessible page content — the system crawls and analyses publicly accessible pages of the submitted URL (no private areas, login-protected pages, or behind-authentication content)
- IP address and user agent — collected during the scan for security and rate-limiting purposes
Automatically collected:
- Session and usage data — pages visited, features used, timestamps, and general interaction patterns
- Cookies — strictly necessary session cookies to maintain your authenticated session; optional analytics cookies if you consent to them
3. How We Use Your Data
We use your data for the following purposes:
- Deliver scan reports — to email you the compliance findings from your scan
- Process payments — via Stripe; we never store payment card details
- Service improvement — to understand how users interact with ComplyScan and improve the service
- Security and fraud prevention — to detect and prevent abuse, unauthorized access, and fraudulent transactions
- Legal compliance — to comply with applicable laws, respond to legal requests, and meet our regulatory obligations
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
4. Data Retention
We retain your data for different periods depending on the type and your subscription:
- Free or one-time scans: Scan results (URL, findings, page content snapshots) are retained for 30 days after the scan date, then automatically deleted.
- Monthly subscribers: Scan history is retained for 12 months from the date of each scan, then automatically deleted.
- Email address: Retained for the duration of your active subscription plus 90 days after cancellation, for record-keeping purposes.
- Billing records: Retained for a minimum of 7 years to comply with financial and tax record-keeping obligations.
Upon request, we will delete or anonymize your personal data sooner, except where retention is required by law.
5. Data Sharing
ComplyScan does not share your personal data with third parties except in the following limited circumstances:
- Stripe — for payment processing. Stripe's privacy policy governs their data handling: stripe.com/privacy
- Mailjet — for transactional email delivery (sending you scan reports). Mailjet's privacy policy is available at: mailjet.com/legal/privacy-policy
- Law enforcement and regulators — when required by law, court order, or to protect our legal rights
- Service providers — hosting and infrastructure providers who are contractually bound to protect your data and use it only for the services they provide to us
6. Data Processed on Behalf of Our Users
When you scan a website using ComplyScan, our system processes publicly accessible web pages of that website. This includes crawling and temporarily storing page content to perform compliance analysis. This data (the scanned page content and resulting findings) belongs to you, the user, and is subject to your control under our data retention policy above.
We act as a Data Processor with respect to scanned website data. The website owner (you, the user of ComplyScan) acts as the Data Controller with respect to that data. You are responsible for ensuring you have the necessary rights and legal basis to submit a website for compliance scanning.
7. Cookies
ComplyScan uses only strictly necessary cookies for session management. We do not use advertising, analytics, or tracking cookies unless you explicitly opt in.
See our dedicated Cookie Policy for cookie categories, retention periods, and consent withdrawal instructions.
- Session cookie — authenticates your account and maintains your logged-in session. Expires when you log out or after 24 hours of inactivity.
- Consent cookie — remembers your cookie preference choice. Expires after 12 months.
8. Security
We implement appropriate technical and organizational measures to protect your data, including: encryption in transit (TLS), access controls and least-privilege principles, regular security reviews, and secure cloud infrastructure with SOC 2-compliant providers.
No security measure is 100% foolproof. In the event of a data breach that affects your rights, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Article 33.
9. Your GDPR Rights
Under GDPR, you have the following rights regarding your personal data:
- Right of access — request a copy of all personal data we hold about you
- Right to rectification — request correction of inaccurate personal data
- Right to erasure — request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements
- Right to data portability — receive your data in a structured, machine-readable format
- Right to restrict processing — request that we limit how we use your data
- Right to object — object to processing based on legitimate interests
- Right to lodge a complaint — file a complaint with your local supervisory authority (e.g., your national Data Protection Authority)
To exercise any of these rights, contact us at privacy@complyscan.com. We will respond within 30 days.
10. International Data Transfers
ComplyScan processes data on servers located within the European Economic Area (EEA). Where we use service providers outside the EEA (e.g., Mailjet for email delivery), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.
11. Children's Data
ComplyScan is not designed for or directed at children under 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will delete it immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to active users at least 14 days before taking effect. The date of the most recent revision is always displayed at the top of this page.
13. Contact
For any privacy-related questions, data subject requests, or concerns:
You also have the right to lodge a complaint with your local Data Protection Authority. For EU member states, a list of national DPAs is available at: edpb.europa.eu