Privacy Policy
Last updated: 17 March 2026
1. Introduction
ComplianceKit.ie (“we”, “us”, “our”) is committed to protecting your privacy and handling your personal data transparently. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our website at compliancekit.ie and our GDPR compliance platform (together, the “Service”).
We are the data controller for your personal data processed through this Service. We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Data Protection Acts 1988–2018 (as amended), and all other applicable Irish and EU data protection law.
2. Data Controller Details
- Controller: ComplianceKit.ie
- Location: Ireland
- Email: privacy@compliancekit.ie
3. Personal Data We Collect
3.1 Data you provide directly
- Account information: Name, email address, and password when you register for an account.
- Business information: Business name, type, size, county, and sector — provided during onboarding or the GDPR assessment quiz.
- Payment information: Processed securely via Stripe. We do not store card numbers on our servers.
- Communications: Any messages, feedback, or support requests you send us.
3.2 Data collected automatically
- Usage data: Pages visited, features used, time spent, and interactions within the platform.
- Device and browser data: IP address, browser type, operating system, device type, and screen resolution.
- Cookies and similar technologies: See our Cookie Policy for full details.
3.3 Data from third parties
- Authentication providers: If you sign in via Google or another OAuth provider, we receive your name, email, and profile picture.
4. How We Use Your Data
We process your personal data for the following purposes and legal bases:
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing and maintaining the Service | Performance of contract (Art. 6(1)(b)) |
| Creating and managing your account | Performance of contract (Art. 6(1)(b)) |
| Processing payments | Performance of contract (Art. 6(1)(b)) |
| Generating GDPR compliance documents | Performance of contract (Art. 6(1)(b)) |
| Sending service-related communications | Legitimate interest (Art. 6(1)(f)) |
| Sending marketing emails (with consent) | Consent (Art. 6(1)(a)) |
| Improving the Service and fixing bugs | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Preventing fraud and abuse | Legitimate interest (Art. 6(1)(f)) |
5. Data Sharing
We do not sell your personal data. We share data only with:
- Service providers: Third parties that help us operate the Service, including:
  - Supabase (EU region) — database hosting and authentication
  - Vercel — website hosting and edge functions
  - Stripe — payment processing
- Legal requirements: When required by law, regulation, legal process, or enforceable government request.
- Business transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction.
All service providers are bound by data processing agreements and process data only on our documented instructions.
6. International Data Transfers
Your data is primarily stored and processed within the European Economic Area (EEA). Where we transfer data outside the EEA (e.g., to US-based service providers), we ensure appropriate safeguards are in place, such as:
- EU Standard Contractual Clauses (SCCs)
- EU–US Data Privacy Framework certification
- Adequacy decisions by the European Commission
7. Data Retention
- Account data: Retained while your account is active, plus 30 days after deletion to allow recovery.
- Generated documents: Retained while your account is active. Deleted within 30 days of account closure.
- Payment records: Retained for 7 years as required under Irish tax and accounting law (Taxes Consolidation Act 1997).
- Usage analytics: Aggregated and anonymised within 26 months.
- Marketing consent records: Retained for as long as consent is valid, plus 3 years for compliance evidence.
8. Your Rights Under GDPR
You have the following rights in relation to your personal data:
- Right of access (Art. 15) — Request a copy of your personal data.
- Right to rectification (Art. 16) — Correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — Request deletion of your data (“right to be forgotten”).
- Right to restrict processing (Art. 18) — Limit how we use your data.
- Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — Object to processing based on legitimate interests or direct marketing.
- Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time, without affecting prior processing.
- Right to lodge a complaint — With the Irish Data Protection Commission (see below).
To exercise any right, email us at privacy@compliancekit.ie. We will respond within one month, as required by GDPR Article 12(3).
9. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row-level security (RLS) on all database tables
- Secure authentication with bcrypt password hashing
- Regular security audits and vulnerability assessments
- Access controls limiting data access to authorised personnel
- Automated backups with point-in-time recovery
10. Children’s Privacy
Our Service is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately.
11. Automated Decision-Making
Our GDPR assessment quiz generates a compliance score based on your answers. This is provided as guidance only and does not constitute a legally binding decision. No solely automated decisions with legal or significant effects are made about you.
12. Supervisory Authority
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Irish Data Protection Commission:
- Data Protection Commission
- 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
- Phone: +353 (0)1 765 0100 / 1800 437 737
- Website: www.dataprotection.ie
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice on the Service. The “Last updated” date at the top of this page indicates when the policy was last revised.
14. Contact Us
For questions about this Privacy Policy or to exercise your data rights, contact us at:
- Email: privacy@compliancekit.ie
- Post: ComplianceKit.ie, Ireland