1. Data Controller
The data controller for all personal data processed through the ComplianceGuard platform (complianceguardhq.com) is ComplianceGuard ("we", "us", "our"). For privacy enquiries or to exercise your rights, contact us at admin@complianceguardhq.com.
2. Data We Collect
We collect only what is necessary to provide the Service. We do not sell personal data. We do not use personal data for advertising.
2.1 Account Data
When you create an account, we collect your email address and a hashed password (we never see your plaintext password — authentication is handled by our managed authentication provider). If you provide it, we may also hold your business name.
2.2 Scan Data
When you submit a URL for scanning, we collect and store:
- The URL(s) submitted by you
- The HTML source, visible text, and full-page screenshots of publicly accessible pages at those URLs, captured at the time of scanning
- Network request metadata observed during the scan (e.g., third-party tracker domains detected firing before cookie consent)
- The structured output of our algorithmic analysis: violation findings, risk scores, remediation suggestions, and compliance certificates
Important: We scan publicly accessible pages only. We do not access, store, or process the personal data of your customers or website visitors. We do not crawl authenticated or gated pages. Any incidental visitor data that appears in a public page screenshot is not processed as personal data and is deleted on schedule with the scan record (see Section 6).
Anonymous scan submissions: If you submit a scan without creating an account, we also collect the email address you provide so we can send you the scan result and an optional magic-link sign-in. This email is retained for 30 days and then automatically deleted unless you create an account, in which case any anonymous scans you ran with that email are attached to your account.
2.3 Payment Data
Payment and billing data (card numbers, billing address) is processed directly by our payment processor (a PCI-DSS Level 1 certified provider). We do not receive or store full card details. We hold only your subscription tier, subscription status, and a customer reference ID for billing management purposes.
2.4 Usage & Technical Data
We collect standard server logs including IP addresses, browser type, referring URL, and pages visited on our platform, for security monitoring, rate limiting, and abuse prevention. This data is not linked to your account for advertising purposes.
2.5 Communications
If you contact us via our contact form or email, we retain that correspondence to respond to your enquiry and for internal record-keeping. If you subscribe to scan notifications, we store your email address for that purpose.
3. How We Use Your Data
| Purpose | Data Used |
|---|---|
| Providing the scan and analysis service | Scan URLs, page content, screenshots |
| Account authentication and session management | Email, hashed password, session token |
| Delivering scan reports and compliance certificates | Scan results, email address |
| Sending automated rescan alerts (Pro/Growth/Agency) | Email address, scan results |
| Processing subscription payments | Customer reference ID, subscription status |
| Fraud prevention and rate limiting | IP address, usage logs |
| Responding to support enquiries | Email address, correspondence content |
| Improving our detection algorithms (aggregated, non-identifiable) | Anonymised scan patterns |
4. Legal Basis for Processing (GDPR Art. 6)
For users in the European Economic Area, our legal bases for processing are:
- Art. 6(1)(b) — Performance of a contract: Processing account data, scan data, and payment references is necessary to deliver the Service you have contracted for.
- Art. 6(1)(f) — Legitimate interests: Processing technical/usage data for security monitoring, fraud prevention, and service stability, where these interests are not overridden by your rights.
- Art. 6(1)(a) — Consent: Where we send optional marketing communications (which we currently do not), we will rely on freely given, specific, informed consent that you can withdraw at any time.
- Art. 6(1)(c) — Legal obligation: Where we are required to retain records for tax, accounting, or legal compliance purposes.
5. Service Providers (Sub-Processors) Engaged Under Article 28 GDPR
We engage a small number of carefully vetted service providers to deliver the Service. Each is bound by a written data processing agreement that meets the requirements of Article 28 GDPR, including obligations of confidentiality, security, restrictions on engaging further sub-processors, audit rights, and assistance with your rights as a data subject.
Our current list is grouped below by function rather than by brand. This is to give you a clear picture of how each function we rely on processes your data while keeping the operational details of our technical stack from being aggregated for security purposes, and without limiting your ability to exercise your rights under Articles 15 to 22 GDPR.
| Category | Purpose | Location & Transfer Mechanism |
|---|---|---|
| Managed cloud database and authentication infrastructure | Storing your account, your scan history, and authenticating your sessions | Jurisdiction covered by an EU adequacy decision (Commission Implementing Decision (EU) 2019/419) |
| Application hosting and edge content delivery | Serving the public website and the customer dashboard | EU and US infrastructure; transfers to the US covered by the European Commission's Standard Contractual Clauses (Decision 2021/914/EU) |
| Cloud headless-browser rendering | Loading the public websites you ask us to audit and capturing their content | United States; Standard Contractual Clauses |
| Background job orchestration | Coordinating each scan from submission to result | United States; Standard Contractual Clauses |
| Large language model content analysis | Supplementing our deterministic detectors with content interpretation; the provider is contractually prohibited from using your data to train its models | United States; Standard Contractual Clauses |
| Transactional email delivery | Sending you scan-complete notifications, account emails, and certificate notices | United States; Standard Contractual Clauses |
| Error and performance monitoring | Diagnosing platform issues and ensuring service availability | European Union (Frankfurt, Germany) |
| Payment processing | Handling subscription billing under your chosen plan | European Union |
You can obtain the current, identified list of our sub-processors at any time, free of charge, by writing to admin@complianceguardhq.com. We will respond within 30 days.
Before we add or replace a sub-processor in a way that materially affects how we process your data, we will give you no fewer than 30 days' advance notice so that you have a reasonable opportunity to object to the change before it takes effect.
6. Data Retention
We retain data for the minimum period necessary for each purpose:
| Data Type | Retention Period |
|---|---|
| Account data (email, auth) | Duration of account + 30 days after deletion request |
| Scan results and reports | Duration of active subscription + 90 days after cancellation |
| Full-page screenshots | 90 days from scan date |
| Raw HTML / page text captured during scan | 30 days from scan date |
| Compliance certificates (issued) | 7 years (legal record-keeping) |
| Payment transaction records | 7 years (tax/accounting obligations) |
| Server/security logs | 90 days |
| Support correspondence | 3 years from last interaction |
When you delete your account, we initiate deletion within 30 days. Certain records (certificates, payment records) are retained longer solely to meet legal obligations and are not accessible to you or used for any other purpose.
7. International Data Transfers
Some of the service providers we engage (described by function in Section 5) operate outside the European Economic Area. Personal data we hold may therefore be transferred to:
- A jurisdiction covered by an EU adequacy decision under Article 45 GDPR (specifically, the country recognised in Commission Implementing Decision (EU) 2019/419), where the decision provides the lawful transfer mechanism without additional safeguards;
- The United States, where we rely on the Standard Contractual Clauses adopted by the European Commission under Implementing Decision (EU) 2021/914 (the “SCCs”) as the transfer mechanism; and
- The European Union, where no further transfer mechanism is required.
Where we rely on the SCCs, we have completed a transfer impact assessment supporting their continued use. Supplementary measures we rely on alongside the SCCs include encryption of personal data in transit (TLS) and at rest, role-based access controls on internal systems, and the contractual prohibition on the large-language-model provider using your data to train its models.
Copies of the SCCs we rely on, together with a summary of the transfer impact assessment we have carried out, are available on request at admin@complianceguardhq.com.
8. Your Rights Under GDPR
If you are located in the EEA, you have the following rights regarding your personal data. To exercise any of them, email admin@complianceguardhq.com. We will respond within 30 days.
- Right of access (Art. 15): Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your data ('right to be forgotten'), subject to legal retention obligations.
- Right to restriction (Art. 18): Request that we restrict processing of your data while a dispute is resolved.
- Right to data portability (Art. 20): Receive your account and scan data in a structured, machine-readable format (JSON/CSV).
- Right to object (Art. 21): Object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)): Where processing is consent-based, withdraw consent at any time without affecting prior lawfulness.
- Right to lodge a complaint: You have the right to lodge a complaint with your national supervisory authority. A list of EU DPAs is available at edpb.europa.eu.
We may ask you to verify your identity before fulfilling a request. We will never charge a fee for standard requests.
10. Children's Data
The Service is intended for business users (merchants, developers, agencies) and is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently done so, contact us at admin@complianceguardhq.com and we will delete it promptly.
11. Security
We implement appropriate technical and organisational security measures including:
- Encryption in transit (TLS 1.2+) for all data
- Encryption at rest (AES-256) for database records
- Row-Level Security (RLS) policies ensuring users can only access their own scan data
- Service-role key separation — admin operations use a server-side service role key never exposed to the browser
- Rate limiting on all scan and authentication endpoints
- API keys stored as server-side environment variables, never in client bundles
No system is completely secure. If you discover a security vulnerability, please disclose it responsibly to admin@complianceguardhq.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where the changes significantly affect your rights, notify you by email at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact & Data Protection Enquiries
For any privacy-related question, data subject request, or complaint, contact us at:
If you are unsatisfied with our response, you have the right to lodge a complaint with your national data protection authority. Find your local DPA at edpb.europa.eu.