Privacy Policy

Last updated: April 28, 2026

This Privacy Policy explains how Compliance Platform handles personal data for the public website, account access, support, compliance checks, reports, API use, and organization workspaces.

Controller and privacy contact

Compliance Platform is operated by the legal entity responsible for the service. The final company name and registered address must be published here before production launch.

For the current test-access phase, privacy requests can be sent through the Contact page or to privacy@compliance-mcp.com once that mailbox is enabled.

If a customer organization uses the platform for its own business data, that organization may act as an independent controller for the data it decides to enter into the platform. Compliance Platform may act as a processor for that customer data under the applicable customer agreement or data processing terms.

Data we process

We process account and profile data such as name, email address, authentication identifiers, organization membership, role, and workspace settings.

We process operational data entered into the platform, including TARIC/CN check inputs, countries, additional codes, entity screening subjects, saved case parameters, generated report metadata, support messages, invitations, API key metadata, usage events, and audit-style logs needed to operate the service.

We also process technical data such as IP address, device/browser information, security events, request metadata, and error logs where needed for security, abuse prevention, troubleshooting, and service reliability.

Why we process data

We use personal data to provide the service, authenticate users, route users to the correct workspace, maintain organizations and access rights, generate reports, answer support requests, secure the platform, and meet legal or contractual obligations.

For B2B customers, some data may be processed on behalf of the customer organization. The customer remains responsible for deciding what business data is entered into the platform.

Legal bases under GDPR

We process account, authentication, workspace, support, and service-use data where processing is necessary to provide the service or take steps before entering into a service relationship (GDPR Article 6(1)(b)).

We process security logs, abuse-prevention data, error logs, product reliability data, and limited operational analytics where necessary for our legitimate interests in securing, maintaining, improving, and protecting the platform (GDPR Article 6(1)(f)).

We process billing, tax, accounting, legal, and compliance records where necessary to comply with legal obligations (GDPR Article 6(1)(c)).

If we later introduce optional non-essential cookies, marketing communications, or similar optional processing, we will rely on consent where required (GDPR Article 6(1)(a)) and provide a way to withdraw it.

Service providers

We use infrastructure and service providers to host the application, store data, authenticate users, deliver emails, provide security checks, and operate support workflows. These providers may include Vercel, Supabase, Cloudflare, Resend, and similar operational subprocessors.

We do not sell personal data. We do not intentionally use advertising profiles or marketing pixels on the public site at launch.

International transfers

Some service providers may process personal data outside the European Economic Area, including in the United States. Where this happens, we rely on appropriate safeguards required by GDPR Chapter V, such as European Commission Standard Contractual Clauses, an applicable adequacy mechanism, or equivalent contractual and technical safeguards offered by the provider.

Information about the European Commission Standard Contractual Clauses is available at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

Retention and security

We keep personal data only for as long as needed for the service, account administration, security, auditability, support, legal obligations, or the applicable customer agreement.

We apply access controls, authentication, tenant separation, security checks, HTTPS, and operational logging to protect the platform. No system can be guaranteed perfectly secure, but we design the service with privacy and security as default operating assumptions.

Your rights

Depending on your location and relationship with the service, you may have rights to access, correct, delete, restrict, object to, or receive a copy of your personal data.

To exercise privacy rights, contact us through the Contact page and include the email address used for the platform. If your account belongs to an organization, we may coordinate the request with that organization where required.

If you are in Latvia or believe Latvian data protection law applies, you may lodge a complaint with Datu valsts inspekcija, the Latvian Data State Inspectorate. Website: https://www.dvi.gov.lv/en. Email listed by the authority: pasts@dvi.gov.lv.