Privacy Policy

Last updated: March 2026 · Jurisdiction: United Arab Emirates

1. Introduction

This Privacy Policy describes how Complifile collects, uses, stores and protects personal data. It complies with the EU GDPR and applicable UAE data protection legislation.

2. Data We Collect

  • Account data: name, email, company name, registration date
  • Authentication data: encrypted password or OAuth identifier (Google)
  • Uploaded documents: files submitted for analysis
  • Usage data: reports, selected standards, timestamps
  • Technical data: IP address, browser type, OS (logs only)
  • Payment data: processed exclusively by the payment operator; we do not store card details
  • Consent data: date and time of acceptance

3. Legal Bases for Processing

  • Contract performance: to provide platform services
  • Legitimate interests: security, fraud prevention, service improvement
  • Consent: anonymous benchmarking data use (separate, revocable)
  • Legal obligation: where required by applicable law

4. How We Use Your Data

  • Providing analysis and report generation services
  • Managing your account and subscription
  • Sending service-related notifications
  • Providing technical support
  • Improving platform quality based on aggregated statistics
  • Generating industry benchmarks (only with explicit consent)
  • Complying with legal requirements

We do not sell your data to third parties and do not use it for targeted advertising.

5. Data Storage

Data is stored on ISO 27001-certified Supabase servers in the EU (Frankfurt). Documents are encrypted at rest (AES-256). Data in transit is protected by TLS 1.2+.

  • Account data — until account deletion
  • Uploaded documents — until account deletion or upon request
  • Technical logs — 90 days
  • Payment records — up to 7 years (tax law requirements)

6. Sharing with Third Parties

We share data only with the following recipients, with whom data protection agreements are in place:

  • Supabase Inc.: data storage and authentication (EU, Frankfurt)
  • Anthropic PBC: AI document analysis and report generation. Data is not retained after processing. (United States)
  • OpenAI, LLC: AI document analysis and report generation. Data is not retained after processing. (United States)
  • Google LLC (Vertex AI): AI document analysis and report generation. Data is not retained after processing. (United States / EU)
  • Mistral AI SAS: AI document analysis and report generation. Data is not retained after processing. (European Union)
  • Payment operators: payment processing (card data is not transmitted to us)
  • Public authorities: exclusively upon lawful request

We do not share data with advertising networks, data brokers or other third parties.

7. Your Rights

  • Access: obtain a copy of your personal data
  • Rectification: correct inaccurate data
  • Erasure: request deletion of all your data (right to be forgotten)
  • Restriction: restrict the use of your data
  • Portability: receive your data in machine-readable format
  • Objection: object to processing based on legitimate interests
  • Withdrawal of consent: revoke benchmarking consent at any time

To exercise your rights, contact support@complifile.ai. Requests are fulfilled within 30 days.

8. Data Security

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access control (Row Level Security)
  • Regular security audits
  • Password hashing (bcrypt)
  • Automatic termination of inactive sessions

In the event of a data breach, you will be notified within 72 hours in accordance with GDPR.

9. Cookies

We use only technically necessary cookies to maintain the authentication session. No analytical, advertising or tracking cookies are used.

10. Data of Minors

The platform is intended exclusively for persons over 18 years of age. We do not knowingly collect data from minors.

11. International Data Transfers

Data is stored in the EU (Frankfurt). AI processing services may temporarily process data outside the EU. All providers comply with data protection standards and do not retain processed documents.

12. Changes to This Policy

You will be notified by email no less than 14 days before changes take effect. The current version is always available on the Platform.

13. Contact and Complaints

Data protection enquiries: support@complifile.ai

You have the right to lodge a complaint with the supervisory authority in your country (for EU: national GDPR regulator).