1. Overview
EUCompliance ("we", "us", or "our") is a compliance management platform. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our platform.
2. Data Controller
EUCompliance acts as a Data Controller for personal data collected directly from users (e.g., account information) and as a Data Processor for data that organizations upload to the platform for compliance management purposes.
3. Data We Collect
3.1 Account Data
- Full name, email address, phone number
- Organization name, EU member state, industry sector
- Role within the organization
3.2 Compliance Data
- Control assessment responses and status
- Uploaded evidence documents and metadata
- Policy documents created or uploaded
- Generated reports
3.3 Integration Data
- API credentials and configuration for connected integrations
- Evidence collected from third-party services (AWS, Azure, GCP, GitHub, Okta)
3.4 Usage Data
- Platform usage logs and audit trail
- IP address and browser information
- Session data and authentication tokens
4. Legal Basis for Processing
We process personal data under the following legal bases:
- Performance of a contract (Art. 6(1)(b) GDPR) — for providing the subscription service
- Legitimate interests (Art. 6(1)(f) GDPR) — for platform security, audit logging, and service improvement
- Consent (Art. 6(1)(a) GDPR) — for marketing communications and optional integrations
- Legal obligation (Art. 6(1)(c) GDPR) — for retaining records as required by law
5. How We Use Your Data
- Providing and maintaining the compliance management platform
- Processing subscription payments
- Generating compliance reports and assessments
- Collecting evidence via third-party integrations
- Providing customer support
- Improving and developing the platform
- Maintaining audit logs for security and compliance
6. Data Storage and Security
All data is stored on EU-based infrastructure (hosted in Frankfurt, Germany) to ensure compliance with EU data protection requirements. We do not transfer personal data outside the EU/EEA.
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Row-level security in our database
- Regular security assessments and penetration testing
- Strict access controls and audit logging
- Regular data backups
7. Data Retention
We retain personal data for as long as your account is active. After account termination:
- Account data is deleted within 30 days
- Compliance data (evidence, reports, policies) is deleted within 90 days
- Audit logs are retained for 2 years for legal protection
- Billing records are retained for 7 years as required by tax law
8. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15) — request a copy of your data
- Right to rectification (Art. 16) — correct inaccurate data
- Right to erasure (Art. 17) — request deletion of your data
- Right to restrict processing (Art. 18) — limit how we use your data
- Right to data portability (Art. 20) — receive your data in a portable format
- Right to object (Art. 21) — object to certain types of processing
- Right to withdraw consent (Art. 7(3)) — withdraw consent at any time
To exercise these rights, contact us at privacy@eucompliance.dev. We will respond without undue delay and in any event within one month of receiving your request, as required by Art. 12(3) GDPR.
9. Data Sharing
We do not sell your personal data. We share data only with:
- Cloud infrastructure providers — for hosting (EU-based)
- Payment processors — for processing subscription payments (Stripe)
- Third-party integrations — only when you explicitly connect them
- Legal authorities — only when required by law
10. Cookies
We use essential cookies for authentication and session management. We do not use tracking cookies for advertising. Analytics cookies, if used, require your explicit consent.
11. Children's Privacy
The Service is intended for business use only. We do not knowingly collect personal data from individuals under 18 years of age.
12. Data Protection Officer
For data protection inquiries, contact our Data Protection Officer at:
Data Protection Officer
EUCompliance
privacy@eucompliance.dev
You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR), such as the Data Protection Authority of the EU member state in which you live or work, if you believe we have not handled your data appropriately.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of material changes at least 30 days before they take effect.
14. Contact
EUCompliance
privacy@eucompliance.dev