
Privacy Policy

Last updated: June 2026

Comply Layer, Inc. ("ComplyLayer", "we", "us", "our") is committed to protecting the personal information of our customers and website visitors. This Privacy Policy explains what data we collect, how we use it, and what rights you have in relation to your data when you use the ComplyLayer platform at complylayer.com or our optional browser extension.

By using our service, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

We collect the following categories of personal information:

  • Account Information

    When you register, we collect your name, work email address, company name, and password (stored as a bcrypt hash). If you sign up via Google OAuth, we receive your name and email from Google.

  • Usage Data

    We automatically collect information about how you interact with ComplyLayer: pages visited, features used, session duration, browser type, operating system, and IP address (anonymised after 30 days). This helps us improve the product.

  • AI System Inventory Data

    When you use ComplyLayer to manage your compliance, you enter information about your AI systems — including system names, descriptions, risk classifications, and associated documentation. This data belongs to you and is processed on your behalf.

  • Payment Information

    Billing is handled by Stripe. We never store full card numbers or CVV codes. We retain only the last four digits of your card, expiry date, and billing address for record-keeping purposes.

  • Communications

    If you contact us by email or support chat, we retain records of that correspondence to resolve your query and improve our support.

2. Browser Extension

ComplyLayer offers an optional browser extension ("the Extension") for Chrome that allows organisations to monitor which AI tools their employees use, in support of EU AI Act and other regulatory compliance programmes. This section explains how the Extension handles data separately from the main platform.

What the Extension collects

The Extension runs only on a defined, maintained list of recognised AI-tool domains (for example chatgpt.com, claude.ai, gemini.google.com, perplexity.ai, copilot.microsoft.com, and other AI assistants, generators, and productivity tools). This list is kept current and synced from the ComplyLayer server, so it may change over time. Detection works at two levels: most domains are recorded as a simple page visit only, while a smaller set of AI chat/assistant tools — where a user types a prompt — may also capture a short prompt preview as described below. When activity occurs on a recognised domain, the Extension records the following and transmits it over HTTPS to the ComplyLayer API, associated with the organisation and user account the Extension is connected to:

  • The domain and URL of the AI-tool page visited (e.g. chatgpt.com) and a timestamp
  • The event type — page visit, prompt submission, or file upload — and the detected tool name
  • On AI chat/assistant tools, for a prompt submission, a preview of up to 240 characters of the submitted prompt text (used so administrators can assess compliance risk such as sensitive data being shared)
  • For a file upload, the file name only (never the file contents)
  • The email/identifier of the connected user account, so activity can be attributed within the organisation

What the Extension does not collect

  • Full prompt text beyond the 240-character preview, or any AI responses/outputs
  • The contents of uploaded files (only the file name is recorded)
  • Passwords, form inputs, or any sensitive data typed on any website
  • Any data from sites that are not on the recognised AI-tool domain list, or browsing history unrelated to AI tools

Storage

In chrome.storage.local the Extension stores only your authentication token and the cached list of monitored AI-tool domains (refreshed periodically from the server). No browsing data is stored locally beyond what is needed to transmit an event. Event data is stored on ComplyLayer's servers (AWS, EU region) and retained for as long as the organisation's account is active, then deleted in line with the retention period in Section 5.

Who can see this data

Event data collected by the Extension is associated with the organisation whose API token is configured. Only the organisation's designated administrators with access to the ComplyLayer Monitoring dashboard can view this data. ComplyLayer staff do not access individual event records except when required to investigate a support issue and with the customer's permission.

Lawful basis and employee notice

The Extension is deployed by employers to fulfil regulatory obligations (EU AI Act Article 29 obligations and similar). The lawful basis for processing is legitimate interests of the employing organisation (regulatory compliance and risk management). Employers are responsible for informing their employees that the Extension is installed and for obtaining any consents required under local employment law.

How to remove the Extension

You can disconnect the Extension at any time by clicking Disconnect in the Extension popup, or by removing the Extension entirely from your browser's extension manager. No further data will be collected after disconnection.

3. How We Use Your Information

We use your personal data to:

  • Provide, operate, and maintain the ComplyLayer platform
  • Process your subscription and manage billing
  • Send transactional emails (account confirmation, password reset, invoices)
  • Send product updates and compliance alerts (you may opt out at any time)
  • Analyse aggregate usage patterns to improve product features
  • Detect, prevent, and investigate security incidents and fraud
  • Comply with legal obligations and respond to lawful requests from authorities

We process your data on the lawful basis of contract performance (to deliver the service you signed up for), legitimate interests (product improvement and security), and consent (marketing communications).

4. Data Sharing

We do not sell your personal data. We share data only with the following processors under appropriate data processing agreements:

  • Amazon Web Services (AWS)

    Our cloud infrastructure provider. All data is stored in AWS EU (Ireland) data centres.

  • Stripe

    Payment processing. Stripe is PCI-DSS Level 1 certified and processes billing data on our behalf.

  • Resend

    Transactional email delivery for account, verification, and billing notifications.

We may disclose your information if required by law, court order, or regulatory authority, or to protect the rights, property, or safety of ComplyLayer, our customers, or the public.

5. Data Retention

We retain your account and AI system data for as long as your account is active. If you cancel your subscription, we retain your data for 30 days to allow you to re-subscribe and recover your information, after which it is permanently deleted.

Billing records are retained for 7 years to comply with financial reporting obligations under English law. Anonymised usage analytics are retained indefinitely.

6. Your GDPR Rights

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under GDPR and UK GDPR:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate or incomplete data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Portability: Receive your data in a structured, machine-readable format
  • Restriction: Request that we restrict processing of your data in certain circumstances
  • Objection: Object to processing based on legitimate interests

To exercise any of these rights, email us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with a supervisory authority — in the UK, the Information Commissioner's Office (ICO).

7. Security

We take security seriously. Measures we have in place include:

  • Encryption at rest: all data stored in AWS is encrypted using AES-256
  • Encryption in transit: all connections use TLS 1.2 or higher
  • Passwords are hashed using bcrypt with a minimum cost factor of 12
  • Access to production systems is restricted to authorised personnel via SSO and MFA
  • Regular third-party penetration testing

No method of transmission over the internet or electronic storage is 100% secure. If you discover a security vulnerability, please report it responsibly to [email protected].

8. Cookies

We use essential cookies for authentication and session management, and optional analytics cookies to understand aggregate usage. See our Cookie Policy for full details.

9. Contact Us

For privacy-related enquiries, contact our Data Protection contact at:

Comply Layer, Inc.
131 Continental Dr, Suite 305
Newark, DE 19713
United States
Email: [email protected]

10. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of England and Wales. For EU residents, we comply with GDPR as a data controller established in the UK, and we have appointed a UK GDPR representative as required.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via an in-product notice at least 14 days before the changes take effect. Continued use of ComplyLayer after the effective date constitutes acceptance of the updated policy.