Privacy Policy

Effective date: 1 May 2026

1. Who We Are

Complizo (“we”, “us”, or “our”) is the data controller responsible for your personal data when you use the Complizo service (“the Service”). If you have questions about how we handle your data, contact us at privacy@complizo.com.

2. Data We Collect

2.1 Data you provide directly

  • Account data: your name and email address when you sign in via Google OAuth or magic link.
  • Organisation data: your organisation name and billing plan.
  • AI feature data: descriptions of your AI features that you enter to generate questionnaire answers (e.g. feature name, category, data types, risk flags).
  • Questionnaire content: the text of customer questionnaires you paste into the Service.
  • Generated answers: the AI-generated answers stored in your account for reuse.

2.2 Data collected automatically

  • Usage data: pages visited, features used, and actions taken within the Service (collected via PostHog analytics).
  • Technical data: IP address, browser type, device type, and operating system.
  • Cookies: authentication session cookies and analytics cookies. See Section 7 for details.

2.3 Payment data

Payment card details are processed directly by Stripe, Inc. and are never stored on our servers. We receive only a payment token, subscription status, and billing information (e.g. last 4 digits of card, billing country).

3. How We Use Your Data

We process your personal data for the following purposes:

  • To provide the Service — processing your AI feature data and questionnaire text to generate answers. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
  • To manage your account and billing — creating and maintaining your account, processing payments, and sending transactional emails. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
  • To improve the Service — analysing aggregated usage patterns to understand how users interact with the Service. Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
  • To communicate with you — sending onboarding emails, product updates, and responses to your support requests. Legal basis: legitimate interests or consent depending on context.
  • To comply with legal obligations — retaining records as required by applicable law. Legal basis: legal obligation (Art. 6(1)(c) GDPR).

We do not use your AI feature data or questionnaire content to train AI models. This data is processed solely to generate your answers.

4. Third-Party Sub-Processors

We share your data with the following third-party service providers solely to operate the Service. Each has been assessed for GDPR compliance:

Provider                      | Purpose                           | Location
Vercel, Inc.                  | Hosting and deployment            | USA (SCCs)
Neon / PostgreSQL             | Database storage                  | EU
Amazon Web Services (Bedrock) | AI answer generation (paid plans) | EU (eu-west-1)
Google (Gemini API)           | AI answer generation (free plan)  | USA (SCCs)
Stripe, Inc.                  | Payment processing                | USA (SCCs / adequacy)
PostHog, Inc.                 | Product analytics                 | EU instance
Resend                        | Transactional email               | USA (SCCs)
Google OAuth                  | Authentication                    | USA (SCCs)

SCCs = EU Standard Contractual Clauses. We have Data Processing Agreements in place with each sub-processor.

5. Data Retention

  • Account data: retained for the duration of your account plus 90 days after deletion.
  • AI feature data and questionnaire answers: retained for the duration of your account. Deleted within 30 days of account deletion on request.
  • Billing records: retained for 7 years as required by EU financial regulations.
  • Analytics data: aggregated analytics retained indefinitely; individual event data retained for 12 months in PostHog.

6. Your Rights (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the GDPR (or UK GDPR):

  • Access: request a copy of the personal data we hold about you.
  • Rectification: request correction of inaccurate or incomplete data.
  • Erasure: request deletion of your personal data (“right to be forgotten”), subject to legal retention requirements.
  • Restriction: request that we restrict processing of your data in certain circumstances.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interests.
  • Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, email privacy@complizo.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

7. Cookies

We use the following cookies:

  • Authentication cookie (essential): a session cookie set by NextAuth to keep you signed in. It expires when you sign out or after 30 days of inactivity. This cookie is necessary for the Service to function.
  • Analytics cookies (optional): PostHog sets cookies to track product usage events. No personal data is shared with third-party advertisers. You may opt out by enabling “Do Not Track” in your browser or contacting us.

8. Data Security

We implement appropriate technical and organisational security measures to protect your personal data, including TLS encryption in transit, encryption at rest, and access controls. However, no internet transmission is completely secure. If you believe your account has been compromised, contact us immediately at privacy@complizo.com.

9. International Transfers

Some of our sub-processors (listed in Section 4) are based outside the EEA. Where personal data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or on an adequacy decision, to ensure an adequate level of protection.

10. Children’s Privacy

The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@complizo.com and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by displaying a prominent notice on the Service at least 14 days before the changes take effect. The “Effective date” at the top of this page reflects when the current version was last updated.

12. Contact Us

For any privacy-related questions, requests, or complaints, contact our data protection contact at: privacy@complizo.com

This Privacy Policy was last updated on 1 May 2026.
