AI-Copliance ("we," "us," "our") is a software service available at aicopliance.com. We provide AI-powered ISO 27001 implementation guidance to organizations worldwide.
For the purposes of applicable data protection law, AI-Copliance is the data controller for personal data collected during account registration, billing, and marketing. For Customer Data processed as part of delivering the Service, AI-Copliance acts as a data processor on your behalf.
This Privacy Policy covers:
It does not apply to the information security policies, or to the personal data of your organization's employees or other data subjects, that may appear in Customer Data you upload into the Service. Your organization is responsible for those individuals' data under its own applicable privacy obligations.
When you register, we collect your name, email address, organization name, and password hash (stored securely via Supabase Auth). We do not store plain-text passwords.
Billing is handled by Lemon Squeezy (our Merchant of Record). We receive order confirmation, subscription status, and customer ID from Lemon Squeezy. We do not receive or store full payment card numbers, CVVs, or bank account details.
The Service collects substantial information about your organization's security posture, including:
This data may include personally identifiable information if you choose to include it (e.g., employee role descriptions, named system owners). We recommend not including identifiable personal data about individuals in your Customer Data inputs where it can be avoided.
We automatically collect standard technical information including IP address, browser type, operating system, pages visited, features used, and timestamps. This is used for service operation, security monitoring, and product improvement.
If you contact us by email or via support channels, we retain that correspondence.
| Data Category | Source | Purpose |
|---|---|---|
| Account identity | You (registration) | Authentication, account management, communications |
| Billing/subscription | Lemon Squeezy (MoR) | Payment processing, subscription management |
| Organizational profile | You (onboarding & stages) | AI context building, document generation |
| Uploaded documents | You | AI document review and context enrichment |
| Usage/technical data | Automatically collected | Security, product improvement, analytics |
We use your data exclusively for the following purposes:
If you are located in the European Economic Area (EEA) or United Kingdom, we process personal data under the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Account registration and service delivery | Contractual necessity (Art. 6(1)(b) GDPR) |
| Billing and payment processing | Contractual necessity (Art. 6(1)(b) GDPR) |
| Security monitoring and fraud prevention | Legitimate interests (Art. 6(1)(f) GDPR) |
| Marketing emails (opt-in) | Consent (Art. 6(1)(a) GDPR) |
| Legal obligations (tax, regulatory) | Legal obligation (Art. 6(1)(c) GDPR) |
| Product analytics (anonymized/aggregated) | Legitimate interests (Art. 6(1)(f) GDPR) |
We share data only with trusted sub-processors required to operate the Service. All sub-processors are bound by data processing agreements:
| Sub-Processor | Role | Data Shared | Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage | All Customer Data, account data | USA (AWS us-east-1) |
| Vercel | Application hosting and CDN | Request data, logs | USA / Global CDN |
| Anthropic | AI model API (Claude) | Customer Data included in AI prompts | USA |
| Lemon Squeezy | Payment processing (Merchant of Record) | Email, billing details | USA |
| Zoho Mail | Email service | Email content sent to/from us | USA/EU |
| GoDaddy | Domain registrar (DNS only) | Domain configuration | USA |
We may also disclose data where required by applicable law, court order, or to protect the rights, property, or safety of AI-Copliance, its users, or the public.
AI-Copliance is a global service. Your data may be transferred to and processed in countries outside your own, including the United States, where data protection laws may differ from those in your jurisdiction.
For transfers from the EEA/UK to the United States, we rely on:
By using the Service, you acknowledge that your data will be processed by Anthropic (USA) as part of AI inference. We ensure Anthropic's API is used under a commercial enterprise agreement with appropriate data protection provisions.
| Data Type | Retention Period |
|---|---|
| Active account data and Customer Data | Duration of subscription + 90 days after expiry or cancellation |
| AI-Generated Output (documents) | Duration of subscription + 90 days after expiry |
| Billing records | 7 years (legal / tax obligation) |
| Security and access logs | 12 months |
| Support correspondence | 3 years after last contact |
| Anonymized analytics | Indefinitely (no personal data) |
You may request early deletion of your Customer Data at any time by contacting privacy@aicopliance.com. Deletion is completed within 30 days, subject to legal hold obligations.
We apply industry-standard security measures to protect your data, including:
No system is completely immune to attack. If we become aware of a security incident affecting your personal data, we will notify you within 72 hours of becoming aware of it, consistent with GDPR Article 33 obligations.
To report a security vulnerability, email security@aicopliance.com.
Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access | Obtain a copy of the personal data we hold about you |
| Rectification | Correct inaccurate or incomplete personal data |
| Erasure | Request deletion of your personal data ("right to be forgotten") |
| Restriction | Request limited processing of your data |
| Portability | Receive your data in a machine-readable format |
| Objection | Object to processing based on legitimate interests |
| Withdraw consent | Withdraw consent at any time (marketing emails) |
| CCPA opt-out | California residents: opt out of "sale" of personal information (we do not sell, but we document this right) |
To exercise any right, email privacy@aicopliance.com from the email address associated with your account. We will respond within 30 days. Identity verification may be required before processing your request.
If you are in the EEA or UK, you also have the right to lodge a complaint with your local data protection authority.
The Service uses essential cookies required for authentication and session management (Supabase Auth). No third-party advertising or tracking cookies are used by default.
We may use privacy-respecting analytics (e.g., anonymized page view counts) without placing tracking cookies. If we expand our use of cookies, we will update this Policy and present a consent notice where legally required.
The Service is intended for business users only and is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that a child has provided us personal data, we will delete it promptly.
We may update this Privacy Policy from time to time. Material changes will be communicated by email and via an in-app notice at least 30 days before taking effect. The "Last Updated" date at the top of this page reflects the most recent revision.