§ LEGAL

Privacy Policy.

Last updated May 17, 2026

The short version

We collect the URLs you scan, the public output of those scans, and the email you give us at checkout. We don’t sell data. We don’t run advertising trackers. We use Cloudflare’s cookieless analytics. You can delete your data by emailing privacy@complycode.app.

1. Who we are

Comply Code is operated by EVOQ Sp. z o.o., a Polish limited liability company. References to “we”, “us”, or “Comply Code” in this policy refer to EVOQ Sp. z o.o.

Contact: privacy@complycode.app

2. What we collect

When you use Comply Code, we collect the following categories of data:

  • URLs you submit for scanning (the public address of an app or website you ask us to audit).
  • Public output of those scans: HTML structure, page content, network requests, response headers, and JSON response bodies — all data that any browser visiting the same URL would observe.
  • Email address (only when you provide one at checkout for a paid unlock, or via a contact form).
  • Payment information — processed by Stripe; we never see or store your card number, CVC, or full bank details.
  • Anonymous usage analytics via Cloudflare Web Analytics (no cookies, no fingerprinting, no per-user tracking).
  • Server access logs (IP address, request path, timestamp, user-agent) retained for 30 days for security and abuse prevention.

We do not collect or process special categories of personal data (health, biometric, genetic, political opinions, religious beliefs, sexual orientation) unless you voluntarily submit them to us via support correspondence.

3. How we use it

  • To run the scan you requested and return the findings to you.
  • To improve the scanner — aggregated statistics on what findings appear most frequently. No personally identifying information is used for this.
  • To deliver paid unlocks to the customer who purchased them.
  • To respond to support requests.
  • To prevent abuse (rate limiting, fraud detection).
  • To send transactional emails (Stripe receipts; we do not send marketing email unless you explicitly opt in).

4. Legal basis for processing (GDPR)

If you are in the European Economic Area or the UK, our lawful bases for processing under GDPR Article 6 are:

  • Contract (Art. 6(1)(b)) — for processing your scan and delivering paid features.
  • Legitimate interest (Art. 6(1)(f)) — for security logs, abuse prevention, and aggregate analytics.
  • Consent (Art. 6(1)(a)) — for any marketing email (you must opt in).
  • Legal obligation (Art. 6(1)(c)) — for tax, accounting, and regulatory records.

5. Who we share data with

We share data only with the following sub-processors, each of which has its own privacy obligations:

  • Stripe, Inc. — payment processing.
  • Fly.io (Hashicorp) — hosting infrastructure.
  • Cloudflare, Inc. — DNS, CDN, web analytics.
  • Anthropic, PBC — AI inference for the business-classification component of the scanner (we send page text only; no email or payment information).

We do not sell, rent, or trade personal data to third parties for advertising or any other purpose.

6. Where data is stored

Application data (scan records, unlock state, contact email) is stored in a SQLite database on Fly.io infrastructure, in the region closest to our primary user base (currently EU/AMS). Payment data is stored by Stripe in their PCI-DSS-compliant environment. AI inference requests are processed by Anthropic in the United States with Standard Contractual Clauses in place for EU transfers.

7. How long we keep it

  • Scan records and findings: indefinitely, until you request deletion. Public report URLs use a non-guessable token; only people with the link can view them.
  • Payment records: 7 years (tax/accounting law).
  • Server access logs: 30 days.
  • Support correspondence: 2 years.

8. Your rights (GDPR + CCPA)

You have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate data.
  • Erasure — request deletion of your data (subject to legal retention requirements).
  • Restriction — request that we stop processing your data for specific purposes.
  • Portability — receive your data in a machine-readable format.
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — at any time, for any processing based on consent.
  • Complain to your local data protection authority.

California residents have additional rights under the CCPA/CPRA, including the right to opt out of the sale of personal information. We do not sell personal information — but you can still submit an opt-out request to confirm this preference.

To exercise any of these rights, email privacy@complycode.app with your request. We respond within 30 days (GDPR) or 45 days (CCPA).

9. International transfers

Comply Code is operated from Poland. Data may be transferred to the United States (for AI inference and analytics) and other countries where our sub-processors operate. We rely on Standard Contractual Clauses (EU Commission 2021/914) and adequacy decisions where applicable.

10. Cookies and tracking

Comply Code does not set first-party tracking cookies. We use Cloudflare Web Analytics, which is cookieless and does not fingerprint visitors. We do not load third-party advertising pixels (Meta, TikTok, LinkedIn, Google Ads). Stripe Checkout may set its own cookies during the payment flow on Stripe’s domain; these are necessary for processing your payment.

11. Children

Comply Code is a B2B-style developer tool and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. Material changes will be announced via a notice on the home page for at least 30 days, and where you have an account or have submitted an email, by direct email. The current version is always available at /privacy with the “Last updated” date at the top of this page.
