complyeah
Legal

Privacy Policy

Effective July 15, 2026

This Privacy Policy explains how complyeah ("complyeah," "we," "us") collects, uses, and protects personal data when you visit complyeah.com or use our external penetration-testing service (the "Service"). We are the data controller for this processing.

Information we collect

  • Account data - your email address (we use passwordless magic-link sign-in, so we never store passwords).
  • Domains & verification - the domains you add, the ownership-challenge tokens we issue, and the DNS or HTTP proof used to verify them.
  • Authorization records - the scope, rules of engagement, timestamp, and IP address recorded when you authorize a scan.
  • Scan data & reports - findings, evidence, and the reports and certificates generated for your verified domains.
  • Technical & usage data - IP address, request logs, and, with your consent, analytics about how the site is used.

Cookies and analytics

We use a single essential cookie to keep you signed in to the control panel; it is required for the Service and is not used for tracking.

With your consent, we use Google Analytics to understand how the marketing site is used. Analytics cookies load only after you select "Accept" in our cookie banner - by default they are disabled (Google Consent Mode). You can change your choice at any time via "Cookie preferences" in the footer.

How we use your data

  • To provide the Service - verify ownership, run authorized scans, and produce reports and certificates.
  • To secure and operate the Service, prevent abuse, and enforce our Terms.
  • To communicate with you (sign-in links and service notices).
  • With consent, to measure and improve the website.

Legal bases (GDPR)

We rely on: performance of a contract (providing the Service), legitimate interests (security, abuse prevention, service operation), consent (analytics cookies), and legal obligation where applicable.

Sharing and subprocessors

We do not sell personal data. We share data only with subprocessors that help us run the Service:

  • Google Cloud Platform - hosting, database, and storage (EU region).
  • Resend - transactional email (sign-in links).
  • Google Analytics - website analytics, only with your consent.

Data retention

We keep account and scan data for as long as your account is active and as needed to provide the Service, then delete or anonymize it within a reasonable period, unless a longer period is required by law.

Security

Secrets are stored in a managed secret manager and never in logs. Traffic is encrypted in transit (HTTPS), data is encrypted at rest, and access is scoped by least privilege. No method of transmission or storage is perfectly secure, but we work to protect your data.

International transfers

The Service is hosted in the EU. Where data is processed outside your region, we rely on appropriate safeguards such as the EU Standard Contractual Clauses.

Your rights

Depending on your location, you may have the right to access, correct, delete, restrict, or object to processing of your personal data, and to data portability. To exercise these rights, or to withdraw analytics consent, contact us. You may also lodge a complaint with your data protection authority.

Changes and contact

We may update this policy; material changes will be reflected by the effective date above. Questions or requests: privacy@complyeah.com.