Legal

Privacy Policy

Last updated: June 1, 2026  ·  Effective: June 1, 2026

Summary: ComplyDesk collects only the data needed to provide the service. We do not sell your data, use it for advertising, or share it with third parties except the infrastructure providers that power the product. You can request deletion of your data at any time by contacting us at pavel@complydesk.app.

1. Who we are

ComplyDesk (“ComplyDesk,” “we,” “us,” or “our”) is a software-as-a-service product that helps organizations track contractor compliance documents, expiration dates, and compliance status. The service is accessible at complydesk.app.

ComplyDesk is currently operated by an individual developer based in Finland, European Union. For all privacy-related inquiries, you can reach us at pavel@complydesk.app.

ComplyDesk acts as a data controller for account and usage data, and as a data processor for contractor data that your organization enters into the platform.

2. What data we collect

2.1 Account and organization data

When you register and set up your organization, we collect:

  • Your name and email address
  • Your organization's name and, optionally, industry category
  • Your password (stored as a secure hash — we never store passwords in plain text)

2.2 Contractor data you enter

To use the service, you enter information about the contractors your organization manages. This may include:

  • Contractor names and contact information (email, contact notes)
  • Document requirement names (e.g., "General Liability Insurance", "W-9")
  • Uploaded documents — PDFs, images, and Word files — along with expiration dates

This data belongs to your organization. You are responsible for having the appropriate legal basis to enter third-party contractor information into the platform.

2.3 Team member data

When you invite team members to your organization, we collect their email addresses and the role you assign them. Invited users who accept provide their name upon account creation.

2.4 Usage and technical data

We automatically collect limited technical data when you use the service:

  • Log data: IP address, browser type, pages visited, and timestamps of actions
  • Session data: authentication tokens stored in secure, HTTP-only cookies
  • Device information: browser version and operating system

We do not use third-party analytics trackers or advertising pixels.

3. How we use your data

Purpose | Data used
Providing and operating the service | Account data, contractor data, documents
Authentication and session management | Email, password hash, session tokens
Sending invitation emails to team members | Invitee email address
Sending password reset and account-related emails | Account email address
Calculating and displaying compliance status | Document expiration dates, requirement definitions
Maintaining service security and preventing abuse | IP address, log data
Improving the product (aggregated, non-identifiable) | Usage patterns
Communicating about the beta program and product updates | Account email address

We do not use your data for advertising, profiling, or automated decision-making that produces legal or similarly significant effects.

5. Data sharing and processors

We do not sell your data. We do not share your data with advertisers or data brokers. We share data only with the third-party service providers listed below, who act as data processors on our behalf and are contractually bound to process data only as instructed.

Provider | Purpose | Data shared | Location
Supabase, Inc. | Database, file storage, and authentication infrastructure | All application data including documents, account data, and uploaded files | United States (AWS infrastructure)

We may also disclose data if required by law, court order, or to protect the rights and safety of ComplyDesk, its users, or the public.

6. International data transfers

ComplyDesk is operated from Finland, EU. Our infrastructure provider, Supabase, stores and processes data on servers located in the United States.

Transfers of personal data from the EU/EEA to the United States are carried out under appropriate safeguards. Supabase participates in the EU-U.S. Data Privacy Framework and offers Standard Contractual Clauses (SCCs) as a transfer mechanism under GDPR Art. 46(2)(c).

By using ComplyDesk, you acknowledge that your data will be transferred to and processed in the United States.

7. Data retention

We retain your data for as long as your account is active. Specifically:

  • Account data is retained for the duration of your account and deleted within 30 days of account deletion.
  • Contractor data and uploaded documents are retained as long as your organization account exists. When a document or contractor is deleted within the application, the associated files are permanently removed from storage.
  • Log data is retained for up to 90 days for security and diagnostic purposes.
  • Incomplete uploads (pending uploads that were never finalized) are automatically deleted after 12 hours.

You can request deletion of your account and all associated data at any time by contacting pavel@complydesk.app.

8. Security

We take security seriously and implement appropriate technical and organizational measures, including:

  • All data is transmitted over HTTPS/TLS
  • Passwords are never stored in plain text — authentication is managed by Supabase Auth with secure hashing
  • Uploaded files are stored in private, access-controlled storage buckets with signed URLs for access
  • Row Level Security (RLS) is enabled on all database tables
  • Access to production systems is restricted to authorized personnel only

No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it responsibly to pavel@complydesk.app.

9. Cookies and similar technologies

ComplyDesk uses a minimal set of cookies strictly necessary to operate the service:

Cookie | Purpose | Type
sb-* (Supabase auth) | Authentication session token. Required to keep you logged in. | Strictly necessary
active-org-id | Remembers which organization is active when you have access to multiple. | Strictly necessary

We do not use advertising cookies, third-party tracking cookies, or analytics cookies. No consent banner is required for strictly necessary cookies under GDPR.

10. Your rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): You can request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): You can correct inaccurate data. Most account data can be updated directly within the application.
  • Right to erasure (Art. 17): You can request deletion of your personal data ("right to be forgotten").
  • Right to restriction (Art. 18): You can request that we restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20): You can request a machine-readable copy of your data.
  • Right to object (Art. 21): You can object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at pavel@complydesk.app. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi) or the supervisory authority in your EU member state.

11. California residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), may apply to you in addition to the rights described above.

Categories of personal information collected

In the past 12 months, we have collected the following categories of personal information: identifiers (name, email, IP address), professional or employment-related information (organization name, role), and internet or network activity (log data, usage patterns).

Your California rights

  • Right to know: You may request information about the personal data we have collected about you and how it is used.
  • Right to delete: You may request deletion of personal data we have collected, subject to certain exceptions.
  • Right to correct: You may request correction of inaccurate personal information.
  • Right to opt out of sale or sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out is needed.
  • Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

To submit a California privacy request, contact us at pavel@complydesk.app.

12. Children's privacy

ComplyDesk is a business-to-business service intended for use by organizations and their employees. It is not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected such data, please contact us immediately at pavel@complydesk.app.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify registered users by email at least 14 days before the changes take effect.

Your continued use of ComplyDesk after the effective date of any changes constitutes your acknowledgment of the updated policy.

14. Contact us

For any questions, requests, or concerns about this Privacy Policy or our data practices, please contact:

ComplyDesk
Email: pavel@complydesk.app
Finland, European Union

We aim to respond to all privacy-related inquiries within 30 days.