Privacy policy

Privacy Policy for ComplianceKit

This policy explains what we collect, why we collect it, how we use it, and how public legal pages stay separate from private workspace data.

Effective: Launch version
Last updated: Current release

At a glance

Private workspace data stays private

ComplianceKit is built around a clear split between private audits, drafts, billing records, and the public legal pages a user chooses to publish.

Product scope

Website audits, document drafts, hosted legal pages, billing, and support.

Public boundary

Only published legal pages are public. Private audits and drafts stay in the workspace.

Contact

Support channel in the app footer

Introduction

ComplianceKit is a software product that helps users scan public websites, review launch-readiness signals, generate document drafts, and publish selected legal pages. This Privacy Policy explains how we collect, use, store, share, and protect information when you use the service.

It applies to the ComplianceKit website, app, and related services operated by the ComplianceKit team. It is meant to be clear enough for launch review and later legal review, but it is not a substitute for counsel.

Information we collect

We collect information that users provide directly, information generated by product use, and technical information needed to run the service.

Account information

  • Email address and account profile details.
  • Authentication and session information.
  • Workspace membership and role information.
  • Settings, preferences, and product configuration choices.

Website and audit information

  • Submitted website URLs and normalized URLs.
  • Public crawl results, crawl status, and lifecycle metadata.
  • Pages checked, failed page status, and safe evidence snippets.
  • Findings, recommendations, and generated report data.

Document and workspace information

  • Generated document drafts and document edits.
  • Version history and published document content.
  • Legal center settings and project or workspace names.

Billing information

  • Stripe checkout session IDs and related payment references.
  • Payment status, price, amount, currency, and entitlement state.
  • ComplianceKit does not store full payment card numbers. Stripe processes payment details on our behalf.

Technical and usage information

  • IP address where available through hosting, authentication, or security logs.
  • Device and browser information.
  • Log data, analytics events, product usage events, and error or performance data.

Cookies and local storage

  • Authentication and session cookies.
  • App preference storage.
  • Analytics cookies if PostHog is configured.
  • Stripe and Supabase related session behavior where applicable.

Support and contact information

  • Messages you send to us.
  • Email and support communications.

Information we do not intentionally collect

We do not intentionally collect the following unless a user includes it in workspace content or support communications:

  • Raw full website HTML by default.
  • Payment card numbers.
  • Government ID numbers.
  • Sensitive personal information.
  • Children's data knowingly.

If a user enters sensitive data into a document, support message, or published page, that content may be processed as part of the service.

How we use information

We use information to provide the product and keep it safe and reliable.

  • Run audits, previews, reports, and crawl summaries.
  • Generate document drafts and save workspace state.
  • Publish the legal pages users choose to make public.
  • Authenticate users and manage workspace access.
  • Process payments and entitlement unlocks through Stripe.
  • Prevent fraud, abuse, and security issues.
  • Improve the product using analytics and usage signals.
  • Respond to support requests and fulfill legal obligations.

How information is shared

We share information only when needed to operate the service or when a user chooses to publish content publicly.

  • Service providers and processors, such as Supabase, Stripe, PostHog if configured, hosting providers, and email or support providers.
  • Public legal center pages, but only for documents a user publishes.
  • Legal, safety, or compliance disclosures when required by law or to protect rights and security.
  • Business transfers, such as a merger, acquisition, financing, or asset sale.

We do not sell personal information, and we do not share private audit or document content publicly unless the user publishes it.

Public legal pages

Private audit data stays private. Only selected and published documents are exposed on public legal pages. Those pages may be visible to anyone with the URL, so users should review content carefully before publishing it.

Public legal center pages are separate from workspace data and should not be treated as a dump of the full private audit or document history.

Data retention

We keep information for as long as needed to provide the service, satisfy legal requirements, and support security and operations.

  • Account and workspace data are retained while the account is active or as needed for service delivery.
  • Audit, report, and document data are retained while needed for the product and workspace history.
  • Billing records are retained as required for tax, accounting, fraud prevention, or dispute handling.
  • Logs may be retained for a limited time for security, debugging, and reliability.
  • Some data may remain in backups or system logs for a limited period after deletion requests are processed.

Where exact retention periods are not yet finalized, this policy uses general language that can be updated later.

Security

We use access controls, server-side authorization, workspace boundaries, and encryption in transit to protect the service. Private audit data and public legal pages are handled through separate boundaries so that published content does not expose workspace-only details.

For more detail about operational security practices, see our Security page.

No system is perfectly secure, and we cannot guarantee absolute security.

International transfers

Because our providers and infrastructure may operate in different countries, your information may be processed in countries other than the one where you live.

Your rights and choices

Depending on your location, you may have rights to access, correct, delete, port, restrict, or object to some processing.

  • You can contact us to ask about the information we hold.
  • You can ask us to correct or delete information, subject to legal and operational limits.
  • You can ask questions about cookies or analytics if those features are enabled.
  • If marketing features are added later, you can opt out of marketing messages.

We may need to verify requests before taking action, and some data may still be kept when the law allows or requires it.

Children

The service is not intended for children under 13, or under 16 where local law uses a higher age threshold for online services.

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will post the updated version on this page and change the "Last updated" date above.