Privacy Policy
This Privacy Policy explains how Complira Ltd (“Complira”, “we”, “us”, “our”) collects, uses, and protects personal data. It applies to everyone who interacts with us — visitors to complira.io, prospective customers, Complira dashboard users, and the end users of customers who integrate the Complira SDK.
If you have questions about anything in this policy, email us at privacy@complira.io.
No cookies. No banner. No tracking pixels.
Marketing pages on complira.io set zero cookies. We use Vercel Analytics — cookieless and aggregate-only — for website usage measurement. Authentication cookies on the dashboard are strictly necessary and exempt from consent under ePrivacy regulations. No HubSpot tracking, no LinkedIn insight tag, no session recording. No banner is required because nothing is tracked across sessions.
1. Two different ways we handle data
Complira plays two distinct roles depending on the context, and your rights differ between them. We want to be upfront about this because it affects who you should contact when you want to exercise your rights.
When we are the Controller
We are the Data Controller for personal data we collect and use for our own purposes. This includes:
- Information you give us when you visit complira.io (analytics, contact form submissions)
- Information you give us when you book a demo or contact our sales team
- Information about you as a Complira dashboard user (your name, email, account details)
- Records of our communications with you (emails, support requests, meeting notes)
For this category of data, you exercise your rights against us directly. We are responsible for responding to your requests.
When we are the Processor
We are the Data Processor when we handle data on behalf of one of our customers. This includes:
- AI prompts and outputs that our customers’ employees submit through their integration of our SDK
- Identifiers and metadata associated with those AI interactions
- Review and oversight records created by our customers’ compliance personnel
In this category, our customer is the Controller, not us. We process this data only on our customer’s documented instructions, set out in our Data Processing Agreement.
If you are an end user of a product that uses Complira (for example, you used an AI feature at work that turned out to be logged with us), your rights are exercised against your employer or the organisation operating the product, not directly against Complira. We will assist that organisation in responding to your request, but we cannot fulfil it independently — we have no contractual relationship with you and no authority to make decisions about your data.
If you contact us by mistake, we will tell you who you should contact instead.
2. What personal data we collect
When you visit complira.io
We collect aggregate website usage data through Vercel Analytics, a privacy-preserving, cookieless analytics tool. This means:
- We see how many people visit each page, which referrers they came from, what country they are approximately located in, and what device and browser they used
- We do not set cookies, track you across sessions, build a profile of your behaviour, or identify you as an individual
- No cookie consent banner is required because no cookies are set
If you submit our contact form, we collect your name, email address, and the message you send. This information is delivered to our Microsoft 365 inbox where Thomas Eriksen (Founder & Privacy Owner) reads and responds personally.
When you book a demo or contact sales
We use Calendly for demo scheduling. When you book a meeting, Calendly collects your name, email, the meeting time, and any notes you choose to provide. This information is then synced to our HubSpot CRM and visible on our Outlook Calendar.
If you contact us by email or LinkedIn before booking a demo, we may add you to HubSpot as a prospect. We record your name, professional title, employer, email, and notes about our conversations.
When you sign up as a Complira dashboard user
When your organisation grants you access to the Complira dashboard, we collect:
- Your name and email address (provided by your organisation administrator)
- Your password hash and multi-factor authentication credentials (managed by Clerk, our authentication provider — we never see your actual password)
- Your role within the organisation (Owner, Admin, Reviewer, or Viewer)
- Records of your activity in the dashboard, including reviews you perform, settings you change, and reports you generate
When your employer uses our SDK
If your employer integrates the Complira SDK into one of their AI-powered products, the AI prompts and outputs they choose to log with us may contain personal data — including names, identifiers, or any other information your employer’s product processes.
In this case, your employer is the Data Controller and you should direct any requests to them. Complira is the Processor, acting on your employer’s instructions per our Data Processing Agreement.
3. Why we collect this data and what gives us the right to do so
We process personal data only when we have a lawful basis under GDPR Article 6. The basis depends on the context.
Contract performance
We rely on contract performance when processing is necessary to deliver the service you or your employer signed up for. This covers dashboard authentication, audit log storage, review workflows, billing, and customer support.
Legitimate interests
We rely on legitimate interests for activities that are necessary to run a sustainable business and that do not override your rights. These include:
- Sending you sales communications if you have engaged with us as a prospect
- Maintaining a CRM record of our business relationship
- Measuring website usage through Vercel Analytics
- Investigating security incidents
- Responding to inbound contact form submissions
For each of these, we have considered the impact on you and concluded that our interests do not override your reasonable expectation of privacy. If you disagree with any specific use, you have the right to object — see Section 6.
Legal obligation
We rely on legal obligation when we are required to retain or disclose data by law, including responding to lawful requests from regulators or law enforcement, retaining billing records for tax purposes, and notifying affected parties of personal data breaches under GDPR Articles 33 and 34.
Consent
We only rely on consent in narrow circumstances, such as if you opt into a marketing newsletter (we do not currently operate one). We do not rely on consent as the basis for any of the processing activities described in this policy. You will not be shown a cookie consent banner because we do not set cookies.
Detail in our internal Lawful Basis document
A more detailed analysis of the lawful basis for each processing activity, including legitimate interests assessments where relevant, is maintained in our internal Lawful Basis for Processing document. This is available on request to enterprise customers and procurement teams under appropriate confidentiality terms.
4. Who we share your data with
We share personal data with a small number of trusted sub-processors who help us operate. We have signed Data Processing Agreements with every one of them, and a complete list including each sub-processor’s role, region, and data category is published at complira.io/subprocessors.
In summary, our sub-processors are:
- Supabase — primary database, Frankfurt (eu-central-1)
- Vercel — application hosting, Frankfurt (fra1)
- Clerk — authentication and identity, EU region
- Resend — transactional email delivery, EU region
- HubSpot — customer relationship management, EU region
- Microsoft 365 — email, calendar, documents, and meetings, Ireland (EU Data Boundary)
- Calendly — demo scheduling, US-headquartered with EU residency where available
- Stripe — subscription billing (planned, pending Irish company formation)
We do not sell personal data to anyone, and we do not share it with advertisers, data brokers, or any third party for marketing purposes.
We may share personal data with regulators, courts, or law enforcement when required by law. Where the law allows, we will tell you about such requests before complying. Where the law prohibits this, we will tell you afterwards.
If Complira Ltd is acquired or merges with another organisation, personal data may be transferred to the acquiring entity as part of the transaction. We will notify you in advance and explain your options.
5. Where your data lives and how it is protected
Data location
All customer audit log data is stored exclusively in Frankfurt, Germany (Supabase eu-central-1). Application code runs in Vercel’s Frankfurt region (fra1). Authentication data lives with Clerk in its EU region. Email and productivity data lives with Microsoft 365 in Ireland with EU Data Boundary enabled.
The only sub-processor headquartered outside the EU is Calendly, which is US-based. We use Calendly’s EU data residency option where available and only for demo scheduling — never for customer audit data. The residual international transfer concern is addressed through Standard Contractual Clauses in our Data Processing Agreement with Calendly.
Security measures
We protect personal data through layered security controls including encryption at rest (AES-256) and in transit (TLS 1.2 or higher), database-level isolation between customers using PostgreSQL Row-Level Security, multi-factor authentication enforced for all dashboard users, append-only audit log storage with cryptographic integrity hashing, and documented incident response procedures. A more detailed Security Overview is published at complira.io/security.
Administrative access
We disclose openly that infrastructure-level administrative access to customer data exists at Complira (specifically, the ability to bypass Row-Level Security via Supabase project owner credentials). This access is controlled through our Break-Glass Access Procedure: it is used only for incident response, customer-authorised support, or legal compliance, every use is logged within 24 hours, and affected customers are notified within 48 hours unless a specific exception applies. Our internal Customer Notification Policy for Administrative Access Events sets out the full commitment.
6. Your rights
Under GDPR, you have the following rights with respect to personal data we hold about you as Controller:
- Right of access (Article 15) — get a copy of the personal data we hold about you, and information about how we use it
- Right to rectification (Article 16) — correct inaccurate or incomplete data
- Right to erasure (Article 17) — ask us to delete your data, subject to exceptions where we need to retain it for legal or contractual reasons
- Right to restrict processing (Article 18) — ask us to stop processing your data while a dispute is resolved
- Right to data portability (Article 20) — receive your data in a structured, commonly used, machine-readable format
- Right to object (Article 21) — object to processing based on legitimate interests, including sales outreach
- Right not to be subject to automated decision-making (Article 22) — see Section 7
To exercise any of these rights, email us at privacy@complira.io. We will acknowledge your request within two working days, verify your identity, and respond within 14 days where possible (and in any event within 30 days, the legal maximum).
If you are an end user of a product that uses Complira’s SDK, please direct your requests to your employer or the organisation operating the product. They are the Controller for that data and we cannot fulfil your request directly. We will tell you who to contact if you reach us by mistake.
You also have the right to lodge a complaint with a supervisory authority if you believe we have not handled your data correctly. Our lead supervisory authority is the Irish Data Protection Commission (dataprotection.ie). You also have the right to complain to your own local supervisory authority, especially if you reside in another EU member state.
7. Automated decision-making
Complira does not engage in any automated decision-making that produces legal or similarly significant effects on you. We do not score, classify, or profile individuals automatically. The compliance reviews performed in the Complira dashboard are conducted by human reviewers from our customer organisations — Complira’s role is to provide tooling and an audit trail for those human decisions, not to automate them.
8. How long we keep your data
| Data category | Retention period |
|---|---|
| Customer audit logs | Duration of the customer’s subscription, plus a 90-day grace period after termination |
| Customer dashboard accounts | Duration of the customer’s subscription |
| Prospect and CRM records | 24 months from the last meaningful interaction |
| Inbound emails and contact form submissions | 24 months from the last meaningful interaction |
| Billing and tax records | 7 years (per Irish Tax Consolidation Act 1997) |
| Website analytics | Aggregate only, no individual-level retention |
Customers can configure custom audit log retention windows between 180 days and 5 years through their dashboard settings. The default is 365 days. Our full Data Retention Policy is available on request.
9. International transfers
All customer audit log data and the majority of other personal data we handle stays within the European Economic Area at all times.
The only routine personal data flow involving a US-headquartered company is Calendly, used for demo scheduling. This is governed by Standard Contractual Clauses (Module Two — Controller to Processor) executed between Complira and Calendly, with EU residency selected where available.
Microsoft and HubSpot are both US-headquartered companies operating EU subsidiaries. Although the data they process for us stays in EU datacenters under EU Data Boundary commitments, we acknowledge a residual concern about US parent company access under laws like the CLOUD Act and FISA. This concern is addressed through Standard Contractual Clauses in our Data Processing Agreements with both providers.
10. Cookies and tracking
Complira does not set cookies, use tracking pixels, or fingerprint browsers. We do not use Google Analytics, Facebook Pixel, or any third-party advertising or remarketing tags.
The only analytics we use is Vercel Analytics, which is cookieless and does not identify individuals. Because we set no cookies and use no tracking technologies, no cookie consent banner is required.
If we ever introduce cookies in the future, we will update this Privacy Policy and present a clear consent mechanism before setting them.
11. Children
Complira’s services are intended for use by businesses and their employees. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child, please contact privacy@complira.io and we will delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of the policy reflects when changes were last made.
For material changes — for example, the addition of a new sub-processor, a change to retention periods, or an expansion of the data we collect — we will notify customers by email at least 14 days before the change takes effect, and we will publish a summary of the change in the version history below.
For non-material changes (correcting typos, clarifying language, updating contact information), we will simply update the policy without notification.
13. Who we are and how to contact us
Complira Ltd
Registered in Ireland · Company no. 815262
Registered office: 20 Harcourt Street, Dublin, D02H364, Ireland
Privacy Owner: Thomas Eriksen, Founder & CEO
Privacy contact: privacy@complira.io
General contact: thomas@complira.io
Website: complira.io
We do not have a separately appointed Data Protection Officer because we are not required to under GDPR Article 37. The Privacy Owner role is fulfilled by Thomas Eriksen and details are set out in our internal Privacy Owner Designation document, available on request.
For supervisory authority matters, our lead supervisory authority is the Irish Data Protection Commission (dataprotection.ie).
14. Related documents and resources
- Sub-processors register: complira.io/subprocessors
- Trust Centre: complira.io/trust
- Security Overview: complira.io/security
- Data Processing Agreement: available on request to enterprise customers under NDA
- Lawful Basis for Processing: internal document, available on request to enterprise customers under NDA
- Data Flow Mapping: internal document, available on request to enterprise customers under NDA