
Privacy Policy

Last updated: April 11, 2026

Fix Your Cloud LLC, a Texas limited liability company doing business as "ComplyAlways" ("ComplyAlways," "we," "us," or "our"), is committed to protecting the privacy and security of your personal information and business data. This Privacy Policy describes how we collect, use, disclose, and protect information when you use the ComplyAlways platform at https://complyalways.com (the "Service").

This Privacy Policy applies to all users of the Service, including visitors to our website, registered users, and team members invited to an Organization account.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.


Table of Contents

  1. Data Controller Information
  2. Information We Collect
  3. How We Use Your Information
  4. Legal Basis for Processing (GDPR)
  5. How We Share Your Information
  6. Subprocessors
  7. AI Data Processing
  8. Data Storage and Security
  9. International Data Transfers
  10. Data Retention
  11. Your Rights
  12. GDPR-Specific Rights (EEA/UK Users)
  13. CCPA/CPRA Rights (California Residents)
  14. Cookies and Tracking Technologies
  15. Children's Privacy
  16. Third-Party Links
  17. Changes to This Privacy Policy
  18. Contact Information

1. Data Controller Information

The data controller responsible for your personal data is:

Fix Your Cloud LLC
Doing business as: ComplyAlways
Email: privacy@complyalways.com
Website: https://complyalways.com

For GDPR purposes, Fix Your Cloud LLC acts as the data controller for account and usage data, and as a data processor for Customer Data uploaded by organizations to the Service.


2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Full name
  • Email address
  • Company/organization name
  • Password (stored as a cryptographic hash by Supabase Auth; we never store or have access to plaintext passwords)
  • Google account information (if you sign in via Google OAuth): name, email address, and profile picture URL

2.2 Billing Information

When you subscribe to a paid plan, our payment processor Stripe collects and processes:

  • Payment method details (credit/debit card information)
  • Billing address
  • Transaction history

We do not store credit card numbers or full payment details on our servers. We store only your Stripe customer ID and subscription ID to manage your account.

2.3 Customer Data (Business Content)

When you use the Service, you may upload and create:

  • Knowledge base documents: Security policies, SOC 2 reports, compliance documentation, penetration test summaries, and other files (PDF, DOCX, XLSX, TXT, CSV formats)
  • Questionnaires: Security questionnaire files (CSV, XLSX) containing questions from your customers or partners
  • Answers: AI-generated draft answers, manually edited answers, and approved answers stored in your answer library
  • Organization information: Company name, team member details, and organizational settings

2.4 Usage Data

We automatically collect information about how you interact with the Service:

  • Features used and actions taken (e.g., documents uploaded, questionnaires created, answers generated)
  • Number of AI drafts generated per billing cycle
  • Timestamps of actions
  • Subscription plan and usage against plan limits

2.5 Technical Data

We automatically collect certain technical information:

  • IP address
  • Browser type and version
  • Operating system
  • Device information
  • Referring URL
  • Pages visited and time spent on each page
  • Error logs and performance data

2.6 Communication Data

When you contact us, we collect:

  • Email address and content of support requests
  • Feedback and feature requests you submit

2.7 Team Invite Data

When an Organization owner invites a team member, we collect:

  • Invitee's email address
  • Invite token (temporary, expires in 7 days)
  • Inviter's name and organization

3. How We Use Your Information

We use the information we collect for the following purposes:

| Purpose | Data Used |
|---------|-----------|
| Provide and operate the Service | Account info, Customer Data, usage data |
| Generate AI-drafted answers via retrieval-augmented generation (RAG) | Document content, questionnaire questions, answer library |
| Create and store document embeddings | Document text chunks (sent to OpenAI for embedding) |
| Process payments and manage subscriptions | Billing info, Stripe customer/subscription IDs |
| Send transactional emails (trial warnings, payment notifications, team invites) | Email addresses, organization name |
| Enforce usage limits and rate limiting | Organization ID, usage counts, request metadata |
| Maintain security and prevent abuse | IP addresses, request patterns, authentication data |
| Respond to support requests | Communication data, account info |
| Improve the Service | Aggregated and anonymized usage data |
| Comply with legal obligations | As required by applicable law |

We do not sell your personal information or Customer Data to third parties. We do not use your Customer Data for advertising purposes. We do not use your Customer Data to train general-purpose AI models.


4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) and the United Kingdom, we process personal data under the following legal bases:

| Processing Activity | Legal Basis |
|---------------------|-------------|
| Account creation and service delivery | Performance of a contract (Article 6(1)(b)) |
| Payment processing | Performance of a contract (Article 6(1)(b)) |
| AI-powered answer generation | Performance of a contract (Article 6(1)(b)) |
| Security, fraud prevention, and abuse detection | Legitimate interests (Article 6(1)(f)) |
| Service improvement using anonymized data | Legitimate interests (Article 6(1)(f)) |
| Transactional emails (billing, security) | Performance of a contract (Article 6(1)(b)) |
| Marketing communications | Consent (Article 6(1)(a)) -- opt-in only |
| Compliance with legal obligations | Legal obligation (Article 6(1)(c)) |

Where processing is based on consent, you may withdraw your consent at any time by contacting privacy@complyalways.com or using the unsubscribe mechanism in marketing emails.


5. How We Share Your Information

We share your information only in the following circumstances:

5.1 Subprocessors

We share data with the third-party service providers listed in Section 6 as necessary to operate the Service. Each Subprocessor processes data only for the specific purpose described and is bound by data processing agreements.

5.2 AI Providers

Document content (in chunk form) is sent to:

  • OpenAI for generating text embeddings (vector representations used for semantic search)
  • Anthropic for generating AI-drafted answers to questionnaire questions

See Section 7 for complete details on AI data processing.

5.3 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request. Where legally permitted, we will provide you with notice before such disclosure.

5.4 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

5.5 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

5.6 Aggregated Data

We may share anonymized, aggregated data that cannot reasonably be used to identify you (e.g., "X% of users use the SOC 2 framework") for business purposes, industry research, or marketing.


6. Subprocessors

The following third-party service providers process data on our behalf:

| Subprocessor | Purpose | Data Processed | Location | Privacy Policy |
|---|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | All account data, Customer Data, authentication tokens | United States | https://supabase.com/privacy |
| Anthropic, PBC | AI answer generation (Claude API) | Document text chunks, questionnaire questions, generated answers | United States | https://www.anthropic.com/privacy |
| OpenAI, Inc. | Text embedding generation | Document text chunks | United States | https://openai.com/privacy |
| Stripe, Inc. | Payment processing | Billing information, email, subscription details | United States | https://stripe.com/privacy |
| Vercel, Inc. | Application hosting and CDN | HTTP request/response data, IP addresses | United States (primary) | https://vercel.com/legal/privacy-policy |
| Resend, Inc. | Transactional email delivery | Email addresses, email content | United States | https://resend.com/legal/privacy-policy |
| Upstash, Inc. | Rate limiting (Redis) | Organization IDs, request metadata | United States | https://upstash.com/trust/privacy.html |

Planned Subprocessors (not yet active):

| Subprocessor | Purpose | Status |
|---|---|---|
| PostHog, Inc. | Product analytics | Planned -- will be added before activation |
| Sentry (Functional Software, Inc.) | Error tracking and monitoring | Planned -- will be added before activation |

We will update this list and notify paid subscribers at least thirty (30) days before activating a new Subprocessor. If you object to a new Subprocessor, you may terminate your subscription.


7. AI Data Processing

This section provides specific detail about how your data is processed by artificial intelligence systems.

7.1 What Data Is Sent to AI Providers

To OpenAI (Embeddings):

  • Text chunks extracted from your uploaded documents (typically 800 characters per chunk)
  • Text of questionnaire questions (for semantic matching)
  • Purpose: Generating numerical vector representations (embeddings) used for semantic search within your knowledge base

To Anthropic (Answer Generation):

  • Relevant document text chunks retrieved by semantic search (typically 3-10 chunks per question)
  • The questionnaire question being answered
  • Previously approved answers to similar questions (from your answer library)
  • Purpose: Generating draft answers to security questionnaire questions

7.2 What Data Is NOT Sent to AI Providers

  • Your full, original documents (only extracted text chunks are sent)
  • Your account credentials or passwords
  • Your billing or payment information
  • Data from other Organizations (multi-tenant isolation is enforced)

7.3 AI Provider Data Commitments

  • Anthropic: Per Anthropic's Commercial Terms, data submitted through the API is not used to train or improve their models. Data is processed in accordance with their data processing addendum.
  • OpenAI: Per OpenAI's API data usage policy, data submitted through the API is not used to train or improve their models. Data may be retained for up to 30 days for abuse monitoring, after which it is deleted.

7.4 No Cross-Organization Data Sharing

The Service enforces strict organizational isolation. Data from one Organization is never used to generate answers for another Organization. Row-level security policies in our database ensure that each Organization can only access its own data.


8. Data Storage and Security

8.1 Data Location

All Customer Data is stored in the United States in Supabase's hosted PostgreSQL database and file storage infrastructure.

8.2 Encryption

  • At rest: All data is encrypted using AES-256 encryption
  • In transit: All data is encrypted using TLS 1.3 for all connections between your browser, our servers, and third-party services

8.3 Access Controls

  • Row-level security (RLS) policies enforce Organization-level data isolation in the database
  • Authentication is handled by Supabase Auth with secure password hashing (bcrypt)
  • API routes require valid authentication tokens
  • Service-role database access (which bypasses RLS) is limited to server-side background processing tasks

8.4 Infrastructure Security

  • Application hosted on Vercel with automatic SSL/TLS
  • Database hosted on Supabase with managed security patching
  • Rate limiting via Upstash Redis to prevent abuse
  • File storage with per-Organization path isolation

8.5 Incident Response

In the event of a data breach affecting personal data:

  • Where we act as a processor for Customer Data, we will notify the affected Organization without undue delay after becoming aware of the breach, so that it can meet its own notification obligations
  • We will notify affected users without undue delay, and no later than seventy-two (72) hours after we become aware of the breach
  • We will notify relevant supervisory authorities within the timeframes required by applicable law (under GDPR Article 33, within seventy-two (72) hours of becoming aware of the breach, where notification is required)
  • We will describe the nature of the breach, the categories of data affected, and the measures taken to address it

9. International Data Transfers

9.1 Data Location

The Service is operated from and data is stored in the United States. If you access the Service from outside the United States, your data will be transferred to the United States.

9.2 Transfer Mechanisms (EEA/UK Users)

For transfers of personal data from the EEA or UK to the United States, we rely on:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Our Subprocessors' own data transfer mechanisms, including SCCs and other approved mechanisms
  • The EU-U.S. Data Privacy Framework, where a Subprocessor is certified under it

9.3 Data Processing Addendum

Enterprise customers may request a Data Processing Addendum (DPA) that provides additional contractual protections for personal data processed under GDPR. Contact legal@complyalways.com to request a DPA.


10. Data Retention

| Data Type | Retention Period |
|-----------|-----------------|
| Active account data | Duration of active account |
| Customer Data (documents, questionnaires, answers) | Duration of active account + 30 days after termination |
| Billing records | As required by tax law (typically 7 years) |
| Usage logs | 12 months from creation |
| Server logs and technical data | 90 days |
| Support correspondence | 2 years |
| Aggregated, anonymized analytics | Indefinite |
| Database backups containing deleted data | Up to 30 days (standard backup rotation) |
| Team invite tokens | 7 days (auto-expire) |

After the applicable retention period, data is permanently deleted or irreversibly anonymized.


11. Your Rights

All users of the Service have the following rights:

11.1 Access

You can access your account data, uploaded documents, and generated answers through the Service dashboard at any time.

11.2 Correction

You can update your profile information (name, organization name) through the Settings page. For corrections to other data, contact support@complyalways.com.

11.3 Deletion

You may request deletion of your account and all associated data by contacting support@complyalways.com. Deletion from production systems will be completed within thirty (30) days; residual copies in database backups expire with the backup rotation period described in Section 10.

11.4 Data Export (Portability)

You can export your questionnaire answers as CSV files through the Service. For a complete export of all your data, contact support@complyalways.com.

11.5 Opt-Out of Marketing

You may opt out of marketing communications at any time by:

  • Clicking the "unsubscribe" link in any marketing email
  • Contacting support@complyalways.com

Transactional emails (billing notifications, security alerts, trial warnings) are not marketing and cannot be opted out of while your account is active.


12. GDPR-Specific Rights (EEA/UK Users)

If you are located in the European Economic Area or the United Kingdom, you have the following additional rights under the General Data Protection Regulation (GDPR):

  • Right to access (Article 15): Request a copy of the personal data we hold about you
  • Right to rectification (Article 16): Request correction of inaccurate personal data
  • Right to erasure (Article 17): Request deletion of your personal data ("right to be forgotten")
  • Right to restrict processing (Article 18): Request that we limit how we process your data
  • Right to data portability (Article 20): Receive your data in a structured, machine-readable format
  • Right to object (Article 21): Object to processing based on legitimate interests
  • Right to withdraw consent (Article 7): Withdraw consent for processing based on consent at any time

How to exercise your rights:

  • Email: privacy@complyalways.com
  • Response time: Within one month (thirty (30) days) of receiving your verified request, extendable by a further two months (sixty (60) days) for complex or numerous requests; we will notify you of any extension within the first month

Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not adequately addressed your concerns.


13. CCPA/CPRA Rights (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with specific rights:

13.1 Categories of Personal Information Collected (Last 12 Months)

| Category | Examples | Collected |
|----------|---------|-----------|
| Identifiers | Name, email, IP address | Yes |
| Commercial information | Subscription plan, billing records | Yes |
| Internet/electronic activity | Usage data, browser type, pages visited | Yes |
| Professional information | Company name, role | Yes |
| Inferences | Usage patterns (aggregated only) | Yes |

13.2 Your California Rights

  • Right to know: Request disclosure of the personal information we have collected about you
  • Right to delete: Request deletion of your personal information
  • Right to correct: Request correction of inaccurate personal information
  • Right to opt-out of sale/sharing: We do not sell or share personal information for cross-context behavioral advertising
  • Right to non-discrimination: We will not discriminate against you for exercising your rights

13.3 Do Not Sell or Share

We do not sell personal information. We do not share personal information for cross-context behavioral advertising purposes.

13.4 How to Exercise Your Rights

  • Email: privacy@complyalways.com
  • Response time: Within forty-five (45) days of receiving your verified request, extendable by an additional forty-five (45) days (ninety (90) days total) with notice

We will verify your identity before processing your request by confirming ownership of the email address associated with your account.


14. Cookies and Tracking Technologies

14.1 Cookies We Use

| Cookie / Technology | Type | Purpose | Duration |
|---|---|---|---|
| Supabase Auth session | Strictly necessary | Authentication and session management | Session / 1 hour |
| Supabase Auth refresh token | Strictly necessary | Maintaining authenticated sessions | 7 days |
| __vercel_ cookies | Strictly necessary | Hosting, routing, and edge functions | Session |

14.2 Analytics (Planned)

We plan to implement PostHog for product analytics. When activated:

  • We will update this Privacy Policy to reflect the new tracking
  • Analytics will be used only for product improvement
  • We will implement a cookie consent mechanism before activating analytics cookies
  • You will be able to opt out of analytics tracking

14.3 No Third-Party Advertising Cookies

We do not use advertising cookies or third-party tracking pixels. We do not participate in ad networks or retargeting.

14.4 Managing Cookies

You can control cookies through your browser settings. Note that disabling strictly necessary cookies may prevent the Service from functioning correctly, as they are required for authentication.


15. Children's Privacy

The Service is a business-to-business product intended for use by adults aged eighteen (18) and older. We do not knowingly collect personal information from anyone under the age of 18. If we become aware that we have collected personal information from a person under 18, we will take steps to delete that information promptly.

If you believe we have collected information from a minor, please contact us at privacy@complyalways.com.


16. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party services you access.


17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes:

  • We will update the "Last Updated" date at the top of this page
  • We will notify active subscribers via email
  • For material changes affecting how we process Customer Data, we will provide at least thirty (30) days' notice before the changes take effect

Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acknowledgment of the changes. If you do not agree to the updated Privacy Policy, you should stop using the Service.


18. Contact Information

For privacy-related questions, requests, or complaints:

Fix Your Cloud LLC
Doing business as: ComplyAlways
Privacy inquiries: privacy@complyalways.com
General support: support@complyalways.com
Legal matters: legal@complyalways.com
Website: https://complyalways.com

For GDPR data subject requests, please email privacy@complyalways.com with the subject line "GDPR Data Subject Request."

For CCPA requests, please email privacy@complyalways.com with the subject line "CCPA Request."


This Privacy Policy was last reviewed on April 11, 2026. This document is intended for review by qualified legal counsel before publication. It does not constitute legal advice.