🔒 Zero tracking. We eat our own cooking.

Privacy Policy

We built ComplianceIQ to help businesses with privacy compliance. It would be absurd for us to violate privacy ourselves. This is our honest, plain-English commitment — not a wall of legal text designed to hide what we do.

Last updated: 2026-04-12 · Effective immediately

Our Privacy Promise

🚫 We NEVER sell your data. Not to anyone. Not anonymized. Not aggregated.

🚫 No Google Analytics. No Facebook pixel. No third-party tracking scripts.

✅ Only essential cookies for login. No consent banner needed — there's nothing to consent to.

✅ Your compliance documents are yours. We store them. We never read or train AI on them.

✅ Export all your data anytime — one click, instant download.

✅ Delete your account permanently anytime — we wipe everything immediately.

✅ We use ComplianceIQ for our own AI compliance. We eat our own cooking.

✅ Third parties receive only: Supabase (storage), our payment provider (payments), Resend (email). Nothing else.

1. Who we are

ComplianceIQ is an AI compliance guidance platform for small and medium businesses. We help you understand which AI regulations apply to your business, generate required compliance documents, and track deadlines. We do not provide legal advice — we provide compliance guidance. For legal advice, consult a qualified attorney.

Contact: In-app feedback (sign in required)

2. What data we collect and why

Account data

When you create an account: your email address and a password (hashed by Supabase — we never see your plaintext password). We use this to authenticate you and send compliance alerts.

Organization profile

Your business name, industry, country, state, and whether you operate in the EU/UK. We use this to determine which AI regulations apply to you. Without this, we can't give you accurate compliance guidance.

AI tool inventory

The AI tools you tell us you use (ChatGPT, Midjourney, etc.). Used to calculate your compliance risk score and generate accurate compliance documents.

Compliance documents

Documents you generate (AI acceptable use policies, risk assessments, disclosures). Stored encrypted in Supabase. We never read them. We never train AI models on them. They exist solely for you to access and download.

Audit log

A timestamped record of compliance actions (assessment completed, document generated, settings updated). Required to give you proof of compliance effort โ€” regulators value this. Stored securely and only you can see it.

Payment data

Payments are processed exclusively by our payment provider, which acts as Merchant of Record. We store only your customer ID and subscription status. We never see your credit card number. Our payment provider is PCI DSS certified and handles all tax collection and VAT globally.

What we do NOT collect

  • ✗ Browsing history or behavior on other websites
  • ✗ Device fingerprints
  • ✗ Social media data
  • ✗ Location data beyond country/state for compliance purposes
  • ✗ Any data via third-party trackers (there are none)

3. How we use your data

  • ✓ Provide the service: Show you applicable laws, generate documents, track deadlines.
  • ✓ Send compliance alerts: Email you when a law changes or a deadline is approaching (you control this in Settings).
  • ✓ Process payments: Manage your subscription through our payment provider.
  • ✓ Improve accuracy: When we add a new jurisdiction, we identify which users are affected so we can notify them. We use aggregated (never individual) data to understand which laws are most commonly applicable.

4. Who we share data with

We share data with exactly three companies, and only the minimum necessary to provide the service:

Supabase
Role: Database and authentication
Data shared: All stored data (encrypted at rest, AES-256)

LemonSqueezy
Role: Payment processing (Merchant of Record)
Data shared: Billing information (LemonSqueezy handles card data and all tax collection; we never see card numbers)

Resend
Role: Transactional email
Data shared: Email address and compliance alert content

That's it. No analytics companies. No advertising platforms. No data brokers. No AI training companies. No one else ever receives your data.

5. Extension Data

Some Aegis browser extensions (such as ComplianceIQ-related tools) can optionally sync certain data to your ComplianceIQ dashboard. This section describes how that data is handled.

What extension data may be synced

When you explicitly enable sync in a browser extension, the extension may send: compliance task completions, document generation events, and activity timestamps to your ComplianceIQ account. No browsing history, page content, or data from other websites is ever collected or synced.

How it is used

Extension-synced data is used solely to update your compliance dashboard (e.g., marking a task as complete). It is stored in your account and subject to the same privacy protections as all other data. It is never shared with third parties.

Extension local storage

Browser extensions may also store settings and data locally in your browser using chrome.storage. This data never leaves your browser unless you explicitly enable sync. You can clear extension local data by uninstalling the extension.

Disabling extension sync

You can disable sync at any time in the extension settings. Extension data in your dashboard can be deleted via Settings → Your Data → Delete Account.

6. Cookies

We use exactly one cookie: a session cookie from Supabase Auth to keep you logged in. It contains a session token — no personal data, no tracking identifiers. When you log out, it is deleted. There are no analytics cookies, no advertising cookies, no third-party cookies.

Because we use only essential cookies, we do not need a cookie consent banner under GDPR or the EU ePrivacy Directive.

7. Your rights

You have these rights under GDPR and most global privacy laws:

Access

Download all your data as a JSON file from Settings → Your Data → Export JSON.

Deletion

Delete your account permanently from Settings → Your Data → Delete Account. All data is wiped immediately.

Correction

Update your organization profile in Settings at any time.

Portability

The JSON export (above) is machine-readable and includes everything.

Object to processing

Turn off specific email alert types in Settings → Email Alert Preferences.

Withdraw consent

Delete your account. There's nothing else to withdraw.

To exercise any right, use the self-service tools in Settings. For anything not available there, use in-app feedback (sign in required). We respond within 48 hours and complete requests within 30 days.

8. Data retention

We retain your data for as long as your account is active. If you delete your account, all data is permanently deleted within 24 hours (usually immediately). Our payment provider retains billing records as required by financial regulations — contact them to exercise rights against their records.

Backup copies may persist for up to 7 days in Supabase automated backups. After 7 days, no trace of your data remains in any system we control.

9. Security

See our Security Practices page for details on how we protect your data. Summary: all data encrypted at rest (AES-256) and in transit (TLS 1.3), Row-Level Security in the database (users can only access their own data), all inputs validated, rate limiting on APIs, security headers on all pages.

10. International data transfers

Supabase stores data in AWS data centers. If you are in the EU, your data may be stored in EU data centers (Supabase offers EU regions). Our payment provider and Resend are US-based. Transfers from the EU to the US are covered by Standard Contractual Clauses (SCCs) in our agreements with these providers.

11. Children

ComplianceIQ is a B2B compliance tool for business operators. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, contact us via in-app feedback and we will delete it immediately.

12. Changes to this policy

If we materially change how we handle data, we will notify you by email at least 30 days before the change takes effect, and we will update the "last updated" date at the top of this page. You can review the history of changes in our public changelog. If you disagree with a change, you can export your data and delete your account.

13. Legal disclaimer

ComplianceIQ provides compliance guidance, templates, and tools. It is not legal advice and does not replace consultation with a qualified attorney. We strive for accuracy, but regulations change frequently. Always verify requirements with legal counsel for your specific situation.

14. Contact

Privacy questions, data subject requests, or concerns: contact us via in-app feedback (sign in required).

EU residents may also lodge a complaint with their local Data Protection Authority.

Questions? We respond within 48 hours.