Privacy Policy

1. Data Controller

ComplianceRadar ("we", "us", "our") is the data controller responsible for your personal data. If you have questions about this policy or your data, contact us at privacy@complianceradar.com.

2. What Data We Collect

We collect the following categories of personal data:

• Account Information: Email address, display name, and password (hashed) when you create an account.
• Substance Portfolio: Chemical substance names, CAS numbers, supplier names, markets, and notes you upload.
• Billing Information: Subscription plan, payment status, and billing period dates. Payment card details are processed directly by Stripe and never stored on our servers.
• Preferences & Settings: Display preferences, notification frequency, source filters, keyword filters, and impact thresholds.
• Usage Data: Monthly counts of AI summaries used, API requests made, and sources accessed.
• Technical Data: API key metadata (name, creation date, last used — keys are stored as SHA-256 hashes), webhook URLs and delivery logs.
• Analytics Data: Anonymized page views and performance metrics collected via Vercel Analytics (only with your consent).

3. How We Use Your Data

We process your personal data for the following purposes:

• Providing the Service: Matching your substance portfolio against regulatory updates and delivering personalized compliance alerts.
• Email Notifications: Sending regulatory impact digests and instant alerts based on your subscription preferences.
• Billing & Payments: Managing your subscription, processing payments through Stripe, and enforcing plan limits.
• Service Improvement: Understanding how the platform is used to improve features and performance (analytics, with consent).
• Security: Protecting your account through authentication, row-level security, and API key management.

4. Legal Bases for Processing (GDPR Art. 6)

• Performance of Contract (Art. 6(1)(b)): Processing your account data, substance portfolio, and alert preferences to deliver the service you signed up for.
• Consent (Art. 6(1)(a)): Analytics cookies (Vercel Analytics). You can withdraw consent at any time via the cookie banner.
• Legitimate Interest (Art. 6(1)(f)): Basic security measures, fraud prevention, and service reliability monitoring.

5. Third-Party Data Processors

We share your data with the following trusted third-party processors:

• Supabase (AWS EU): Database hosting and authentication. Stores all user data. Supabase Privacy Policy
• Stripe: Payment processing. Receives your email and payment method details. Stripe Privacy Policy
• Resend: Email delivery service. Receives your email address and alert content. Resend Privacy Policy
• Vercel: Hosting and analytics. Collects anonymized page view and performance data (with consent). Vercel Privacy Policy

6. Cookies

We use the following types of cookies:

• Essential Cookies: Required for authentication and session management (Supabase Auth). These cannot be disabled.
• Analytics Cookies: Vercel Analytics uses first-party cookies to collect anonymized usage data. These are only active if you consent via our cookie banner.

You can change your cookie preferences at any time by clearing your browser's local storage or using our cookie consent banner.

7. Data Retention

• Account Data: Retained for as long as your account is active. Upon account deletion, all personal data is permanently removed via cascading deletion.
• Usage Tracking: Monthly usage counters are retained for billing purposes and deleted with your account.
• Email Logs: Transactional email delivery logs are maintained by Resend according to their retention policy.
• Webhook Deliveries: Delivery logs are retained for troubleshooting and deleted when the associated webhook or account is removed.

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of Access (Art. 15): You can request a copy of all personal data we hold about you.
• Right to Rectification (Art. 16): You can update your profile information at any time from your account settings.
• Right to Erasure (Art. 17): You can delete your account and all associated data from your account settings.
• Right to Data Portability (Art. 20): You can export all your data in JSON format from your account settings.
• Right to Object (Art. 21): You can opt out of analytics tracking via the cookie banner and disable email notifications in your alert settings.
• Right to Withdraw Consent: Where processing is based on consent (analytics), you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, use the self-service options in your account settings or contact us at privacy@complianceradar.com.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Row-level security (RLS) policies ensuring users can only access their own data.
• Password hashing via bcrypt (managed by Supabase Auth).
• API keys stored as SHA-256 hashes.
• HTTPS encryption for all data in transit.
• Webhook secrets for secure payload verification.

10. International Data Transfers

Your data is primarily stored in the EU (Supabase on AWS EU). Where data is processed outside the EU (e.g., Stripe, Resend), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission.

11. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.

12. Contact & Complaints

If you have any questions about this policy or wish to exercise your data rights, contact us at privacy@complianceradar.com.

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.