Privacy Policy
Last Updated: March 29, 2026 | Company: ComplyGuard
1. Introduction
ComplyGuard (“we,” “us,” or “our”) is committed to protecting your personal information. This Privacy Policy explains what data we collect, how we use and store it, who we share it with, and what rights you have.
This Policy applies to all users of the ComplyGuard website and service (“Service”). By using the Service, you consent to the practices described herein. If you are located in the European Economic Area (EEA), United Kingdom, or California, additional rights described in Sections 10 and 11 apply to you.
This Privacy Policy should be read together with our Terms of Service and Refund Policy.
2. Information We Collect
We collect the following categories of information:
Account Information
- Email address (required to create an account)
- Name (optional, provided by you)
- Hashed password (we never store your password in plain text)
- Google OAuth token (if you sign in with Google)
- Email marketing opt-in preference
Compliance Scan Data
- Website URL(s) you submit for scanning
- Operating states / jurisdictions you select
- Questionnaire responses you submit about your business practices
- Raw HTML and extracted text from pages crawled on your website
- Uploaded documents and screenshots you provide manually
Billing Information
- Payment card details are processed and stored by Stripe — ComplyGuard does not store full card numbers. We retain a Stripe customer ID and subscription metadata.
Usage and Technical Data
- Log data (IP address, browser type, pages visited, timestamps)
- Session cookies issued by NextAuth for authentication
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and improve the compliance scanning service
- Generate compliance reports, scores, and remediation recommendations
- Send crawled website content and questionnaire responses to AI providers for analysis (see Section 6)
- Authenticate your identity and maintain your account session
- Process payments and manage your subscription
- Send transactional emails (scan completion notifications, password reset links)
- Send marketing or educational emails, if you have opted in
- Detect and prevent fraud, abuse, or security incidents
- Comply with legal obligations
We do not sell your personal data to third parties. We do not use your compliance scan data or questionnaire responses to train AI models that will be shared with third parties.
4. How We Store Your Data
Your data is stored in a PostgreSQL database hosted on cloud infrastructure. Data is encrypted at rest and in transit using industry-standard TLS encryption. Database backups are encrypted and stored securely. Access to production data is restricted to authorized personnel only.
Generated compliance reports (PDF files) are stored in cloud object storage with access controls that restrict download to authenticated account owners.
5. Third-Party Service Providers
We share data with the following third-party processors solely to provide the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing & billing | Email, payment card info |
| Anthropic (Claude AI) | AI-powered compliance analysis (see Section 6) | Crawled page text, questionnaire answers, business metadata |
| Browserless | Headless browser crawling of your website | Website URL for crawling |
| Resend | Transactional email delivery | Email address, email content |
| Google (OAuth) | Optional sign-in with Google | Email, name, profile image |
Each provider processes your data only as necessary to fulfill the stated purpose and is bound by data processing agreements and their own privacy policies.
6. AI Data Processing
The Service uses artificial intelligence systems provided by Anthropic (“Claude”) to analyze crawled website content and generate compliance findings. This section explains how your data is handled during AI processing.
What data is sent to AI systems
- Extracted text from crawled pages on your website (not raw HTML)
- Your questionnaire responses about business practices
- Jurisdiction and business category metadata
- Relevant compliance rules and statutory references from our legal knowledge base
We do not send your account credentials, email address, payment information, or any personal data unrelated to the compliance analysis to AI providers.
How AI providers handle your data
- No model training: Under our commercial API agreement with Anthropic, data submitted through the API is not used to train, improve, or fine-tune Anthropic’s models.
- Transient processing: Data is processed in real time to generate analysis results and is not persistently stored by Anthropic beyond the retention period specified in their data processing agreement (typically 30 days for trust and safety purposes).
- No third-party access: Anthropic does not share your data with other customers or third parties, except as required by law.
AI output limitations
AI-generated compliance findings may contain errors, omissions, or inaccuracies. All AI output from the Service is for informational purposes only and does not constitute legal advice. For details on the limitations of AI-generated analysis, please see Section 3 (“Not Legal Advice”) of our Terms of Service.
7. Data Retention
We retain different categories of data for different periods:
- Raw crawled HTML: Deleted automatically 90 days after a scan completes. Extracted text and structured metadata may be retained longer.
- Uploaded files (PDFs, screenshots): Deleted automatically 1 year after upload.
- Compliance reports (PDF, certificates): Retained for as long as your account is active. You may download your reports at any time.
- Scan results, findings, and scores: Retained for as long as your account is active to support report history and trend tracking.
- Account data: Retained while your account is active. If you delete your account, all data — including reports, scan results, and personal information — is retained for 30 days, then permanently deleted. To cancel a pending deletion, contact support@complyguard.us within the 30-day window.
- Billing records: Retained for 7 years as required by applicable financial regulations, even after account deletion.
- Log data: Retained for up to 90 days for security and debugging purposes.
- AI processing logs: We do not retain copies of AI prompts or responses beyond the scan session. Anthropic may retain data for up to 30 days per their data processing agreement.
You may request early deletion of your account and associated data at any time by contacting us at privacy@complyguard.us.
8. Cookies
We use a minimal number of cookies:
- NextAuth session cookie: A secure, HTTP-only cookie used to maintain your authenticated session. This cookie is strictly necessary for the Service to function and cannot be disabled while you are signed in.
We do not use advertising trackers, cross-site tracking cookies, or third-party analytics cookies (such as Google Analytics) on the platform.
9. Security
We implement industry-standard security measures including: TLS encryption for all data in transit; bcrypt hashing (cost factor 13) for passwords; role-based access controls; regular security reviews; and database encryption at rest. Despite these measures, no system is perfectly secure. We encourage you to use a strong, unique password and to contact us immediately if you suspect unauthorized access to your account.
10. Your Rights (GDPR / UK GDPR)
If you are located in the EEA or United Kingdom, you have the following rights under the GDPR or UK GDPR:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate data.
- Right to erasure: Request deletion of your data (subject to legal retention requirements).
- Right to restriction: Request that we restrict processing of your data in certain circumstances.
- Right to portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent: Withdraw consent for marketing emails at any time.
- Right related to automated decision-making: Our compliance analysis is AI-assisted but does not make legally binding decisions about you. Reports are informational tools, not automated decisions with legal effect.
Our legal bases for processing are: (a) performance of a contract (providing the Service); (b) legitimate interests (security, fraud prevention, AI-powered analysis); and (c) consent (marketing emails, where opted in).
To exercise any of these rights, contact us at privacy@complyguard.us. We will respond within 30 days.
11. Your Rights (California — CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Categories of Personal Information Collected
- Identifiers (name, email address, IP address) — collected for account creation, communication, and fraud prevention.
- Commercial information (purchase history, subscription tier, scan history) — collected to provide the Service and process billing.
- Internet activity (pages visited, scan URLs submitted, browser type) — collected for analytics and service improvement.
- Professional information (business type, operating states submitted in questionnaires) — collected to provide compliance analysis.
Your Rights
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom it is shared.
- Right to delete: Request deletion of your personal information, subject to certain legal exceptions.
- Right to correct: Request correction of inaccurate personal information.
- Right to opt out of sale or sharing: We do not sell personal information. We do not share personal information for cross-context behavioral advertising. If this changes, we will provide a “Do Not Sell or Share My Personal Information” link on our homepage.
- Right to non-discrimination: We will not discriminate against you for exercising any of your privacy rights.
- Right to limit use of sensitive personal information: We collect sensitive personal information (e.g., account credentials) only as necessary to provide the Service and do not use it for purposes beyond what is needed to perform the Service.
Do Not Sell or Share My Personal Information
ComplyGuard does not sell your personal information to third parties. We do not share your personal information for cross-context behavioral advertising. Because we do not sell or share personal information, no opt-out mechanism is required at this time. If our practices change, we will add a “Do Not Sell or Share My Personal Information” link to our homepage footer and update this policy accordingly.
How to Submit a Request
To submit a California privacy request (access, deletion, or correction), contact us at privacy@complyguard.us. We will verify your identity and respond within 45 days as required by law. You may also designate an authorized agent to submit a request on your behalf.
12. International Data Transfers
ComplyGuard is based in the United States, and your data is processed and stored on servers located in the United States. If you are accessing the Service from outside the United States, including from the European Economic Area (EEA), United Kingdom, or other jurisdictions with data protection laws, please be aware that your personal data will be transferred to, stored, and processed in the United States.
Where required by applicable law, we rely on appropriate transfer mechanisms to ensure an adequate level of protection for your data, including:
- The EU-U.S. Data Privacy Framework, where applicable
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data processing agreements with our third-party service providers that include appropriate safeguards
Our third-party processors (Stripe, Anthropic, Browserless, Resend, Google) primarily process data in the United States. Each provider maintains their own data transfer compliance mechanisms as described in their respective privacy policies.
For more information about our data transfer practices, or to request a copy of applicable Standard Contractual Clauses, contact us at privacy@complyguard.us.
13. Children’s Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting an updated version with a new effective date and, where appropriate, by sending an email notification. Your continued use of the Service after such notice constitutes acceptance of the revised Policy.
15. Data Protection Officer
ComplyGuard has designated a Data Protection Officer (DPO) responsible for overseeing our data protection strategy and ensuring compliance with applicable privacy laws. If you have questions or concerns about how we handle your personal data, or if you wish to exercise any of your rights under GDPR, UK GDPR, or other applicable data protection laws, you may contact our DPO directly:
Data Protection Officer — ComplyGuard
privacy@complyguard.us
16. Contact Us
For general privacy questions, requests, or concerns, please contact:
ComplyGuard — Privacy Team
1312 N. Monroe St. #97, Spokane, WA 99201
privacy@complyguard.us
(509) 795-4863