Privacy Policy
Last updated: May 2026
ComplyLayer Ltd ("ComplyLayer", "we", "us", "our") is committed to protecting the personal information of our customers and website visitors. This Privacy Policy explains what data we collect, how we use it, and what rights you have in relation to your data when you use the ComplyLayer platform at complylayer.com.
By using our service, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
We collect the following categories of personal information:
Account Information
When you register, we collect your name, work email address, company name, and password (stored as a bcrypt hash). If you sign up via Google OAuth, we receive your name and email from Google.
Usage Data
We automatically collect information about how you interact with ComplyLayer: pages visited, features used, session duration, browser type, operating system, and IP address (anonymised after 30 days). This helps us improve the product.
AI System Inventory Data
When you use ComplyLayer to manage your compliance, you enter information about your AI systems — including system names, descriptions, risk classifications, and associated documentation. This data belongs to you and is processed on your behalf.
Payment Information
Billing is handled by Stripe. We never store full card numbers or CVV codes. We retain only the last four digits of your card, expiry date, and billing address for record-keeping purposes.
Communications
If you contact us by email or support chat, we retain records of that correspondence to resolve your query and improve our support.
2. How We Use Your Information
We use your personal data to:
- Provide, operate, and maintain the ComplyLayer platform
- Process your subscription and manage billing
- Send transactional emails (account confirmation, password reset, invoices)
- Send product updates and compliance alerts (you may opt out at any time)
- Analyse aggregate usage patterns to improve product features
- Detect, prevent, and investigate security incidents and fraud
- Comply with legal obligations and respond to lawful requests from authorities
We process your data on the lawful basis of contract performance (to deliver the service you signed up for), legitimate interests (product improvement and security), and consent (marketing communications).
3. Data Sharing
We do not sell your personal data. We share data only with the following processors under appropriate data processing agreements:
Amazon Web Services (AWS)
Our cloud infrastructure provider. All data is stored in AWS EU (Ireland) data centres.
Stripe
Payment processing. Stripe is PCI-DSS Level 1 certified and processes billing data on our behalf.
Postmark
Transactional email delivery for account and billing notifications.
We may disclose your information if required by law, court order, or regulatory authority, or to protect the rights, property, or safety of ComplyLayer, our customers, or the public.
4. Data Retention
We retain your account and AI system data for as long as your account is active. If you cancel your subscription, we retain your data for 30 days to allow you to re-subscribe and recover your information, after which it is permanently deleted.
Billing records are retained for 7 years to comply with financial reporting obligations under English law. Anonymised usage analytics are retained indefinitely.
5. Your GDPR Rights
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under GDPR and UK GDPR:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate or incomplete data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Portability: Receive your data in a structured, machine-readable format
- Restriction: Request that we restrict processing of your data in certain circumstances
- Objection: Object to processing based on legitimate interests
To exercise any of these rights, email us at privacy@complylayer.com. We will respond within 30 days. You also have the right to lodge a complaint with a supervisory authority — in the UK, the Information Commissioner's Office (ICO).
6. Security
We take security seriously. Measures we have in place include:
- Encryption at rest: all data stored in AWS is encrypted using AES-256
- Encryption in transit: all connections use TLS 1.2 or higher
- Passwords are hashed using bcrypt with a minimum cost factor of 12
- Access to production systems is restricted to authorised personnel via SSO and MFA
- Regular third-party penetration testing
No method of transmission over the internet or electronic storage is 100% secure. If you discover a security vulnerability, please report it responsibly to security@complylayer.com.
7. Cookies
We use essential cookies for authentication and session management, and optional analytics cookies to understand aggregate usage. See our Cookie Policy for full details.
8. Contact Us
For privacy-related enquiries, contact our Data Protection contact at:
ComplyLayer Ltd
Email: privacy@complylayer.com
Jurisdiction: England & Wales
9. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of England and Wales. For EU residents, we comply with GDPR as a data controller established in the UK, and we have appointed a UK GDPR representative as required.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or via an in-product notice at least 14 days before the changes take effect. Continued use of ComplyLayer after the effective date constitutes acceptance of the updated policy.