Privacy Policy
Effective: 27 May 2026
Controller
Complaix GmbH (to be confirmed on legal signoff), Berlin, Germany. Contact: privacy@complaix.eu.
What we collect
- Account information — name, email, organisation, role.
- AI system records and compliance artefacts you enter.
- Usage logs — pages visited, actions taken, IP, user agent, timestamps.
- Billing information — processed by Stripe; we store only the identifiers needed to reconcile subscriptions and invoices.
Why we process it
- Providing the Complaix service (contract, GDPR Art. 6(1)(b)).
- Security and abuse prevention (legitimate interest, GDPR Art. 6(1)(f)).
- Compliance with legal obligations such as tax and the EU AI Act audit trail.
Retention
Account data is kept for the life of the subscription. Compliance artefacts required by EU AI Act Art. 18 are retained for 10 years (audit trail integrity), with PII anonymised on account deletion. Billing records are kept for as long as tax law requires.
Your rights
- Access and portability — Art. 15 / 20. Self-service at Settings → Privacy & data.
- Erasure — Art. 17. Self-service at the same page.
- Rectification — Art. 16. Update your profile in Settings.
- Objection / restriction — Art. 21 / 18. Contact privacy@complaix.eu.
- Lodge a complaint with your local supervisory authority.
Sub-processors
Supabase (EU West, hosting), Vercel (EU, application runtime), Brevo (EU, transactional email), Stripe (EU + global for payment settlement), Anthropic (where AI features are enabled — documented per customer). Full versioned list with RSS feed at /subprocessors; contractual text in the DPA.
Cookies
We use strictly necessary cookies for session, locale, and security. Analytics cookies are optional and gated behind the cookie banner.
Changes
Material changes are announced at least 30 days before taking effect via the account admin email.