
Privacy Policy

Effective date: 1 January 2025  ·  Last updated: May 2026

This Privacy Policy explains how Complybase Ltd ("Complybase", "we", "us", "our") collects, uses, stores and protects your personal data when you use our platform. We are committed to processing your data lawfully, transparently and in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Contents
  1. Who We Are
  2. Data We Collect
  3. How We Use Your Data
  4. Legal Basis for Processing
  5. Data Storage & Security
  6. Third-Party Processors
  7. Data Retention
  8. Your Rights
  9. Cookies
  10. Children
  11. Changes to this Policy
  12. Contact & Complaints
1. Who We Are

Complybase Ltd is the data controller for personal data processed through the Complybase platform. We are registered in England and Wales.

If you have any questions about how we handle your data, please contact our data protection contact at privacy@complybase.co.

This Policy applies to all personal data we collect when you visit our website at complybase.co, create an account, or use the Complybase platform and its features.

2. Data We Collect

Account and identity data

  • Full name and email address (provided at registration)
  • Company name, company type (brand owner, importer, retailer, etc.), and company size
  • Password (stored as a hashed value — we never store your plaintext password)
  • Subscription plan and billing status

Packaging and compliance data

  • Documents you upload (supplier invoices, delivery notes, product lists)
  • Packaging material weights extracted from those documents (e.g. tonnes of glass, aluminium, plastic)
  • EPR fee calculations, period comparisons, and compliance reports generated by the platform
  • Data you enter manually into the platform

Usage and technical data

  • Pages visited, features used, and actions taken within the platform
  • IP address and browser/device type (collected by our hosting infrastructure)
  • Error logs and performance diagnostics
  • Timestamps of logins, uploads, and report generation

Team member data

If your account owner invites you as a team member, we process your name and email address for the purpose of granting you access to the account. You may receive a notification email when you are invited.

3. How We Use Your Data

We use the data we collect for the following purposes:

  • Providing the Service — account management, document processing, EPR calculations, report generation, period comparison, material optimisation
  • AI-powered extraction — your uploaded documents are sent to OpenAI's API to extract packaging material data (see Third-Party Processors for details)
  • Billing and subscription management — processing payments, tracking plan status, sending invoices
  • Communications — sending welcome emails, account notifications, product updates, and (where you have opted in) marketing communications
  • Security and fraud prevention — detecting and preventing unauthorised access, abuse, or fraud
  • Service improvement — analysing aggregated, anonymised usage patterns to improve features and performance
  • Legal compliance — meeting obligations under UK law, including responding to lawful requests from authorities

We do not sell your personal data to third parties, use your packaging data to train AI models, or share your data for advertising purposes.

4. Legal Basis for Processing

Under UK GDPR, we rely on the following lawful bases:

  • Contract (Article 6(1)(b)) — processing necessary to perform our contract with you, i.e. providing the Complybase platform and its features
  • Legitimate interests (Article 6(1)(f)) — improving the Service, preventing fraud, maintaining security, and sending service-related communications. Our legitimate interests are balanced against your rights and freedoms
  • Legal obligation (Article 6(1)(c)) — processing required to comply with applicable law (e.g. retaining financial records)
  • Consent (Article 6(1)(a)) — for optional marketing communications; you may withdraw consent at any time by emailing privacy@complybase.co

5. Data Storage & Security

Where your data is stored

Your account data, uploaded documents and generated reports are stored in Supabase, which operates databases in the EU (Frankfurt region by default). Data processed through our serverless API functions is hosted on Vercel with infrastructure in the EU. Both providers operate under UK GDPR-compatible data processing agreements.

International transfers

Document content is transmitted to OpenAI's API, which processes data in the United States. This transfer is covered by appropriate safeguards, including OpenAI's standard contractual clauses and data processing agreement, ensuring a level of protection equivalent to UK GDPR requirements.

Security measures

We implement industry-standard technical and organisational measures to protect your data, including:

  • All data in transit encrypted with TLS 1.2 or higher
  • Data at rest encrypted using AES-256
  • Passwords hashed using bcrypt before storage
  • JWT-based session tokens with short expiry windows
  • Row-level security policies in our database
  • Access to production systems restricted to authorised personnel only

While we take these measures seriously, no system is completely secure. If you suspect a security incident affecting your account, contact us immediately at contact@complybase.co.

6. Third-Party Processors

We use the following sub-processors to deliver the Service. Each is bound by a data processing agreement consistent with UK GDPR requirements:

Processor  | Purpose                                                               | Location
-----------|-----------------------------------------------------------------------|-----------------
Supabase   | Database, authentication and file storage                             | EU (Frankfurt)
Vercel     | Serverless API hosting and CDN                                        | EU / Global edge
OpenAI     | AI extraction of packaging data from uploaded documents               | United States
Zoho Mail  | Transactional email delivery (account notifications, welcome emails)  | EU

We do not share your data with any other third parties without your explicit consent, except where required by law.

7. Data Retention

We retain your personal data for as long as your account is active or as necessary to provide the Service. Specific retention periods:

  • Account data — retained for the duration of your subscription, plus 30 days after account closure to allow data export
  • Uploaded documents — retained while your account is active; deleted within 30 days of account closure
  • Generated reports and EPR calculations — retained while your account is active
  • Financial/billing records — retained for 7 years as required by UK law (HMRC)
  • Security logs — retained for 90 days

You may request early deletion of your data at any time by contacting privacy@complybase.co. We will action deletion requests within 30 days, subject to any overriding legal obligations (such as financial record retention).

8. Your Rights

Under UK GDPR you have the following rights with respect to your personal data:

  • Right of access: request a copy of the personal data we hold about you (Subject Access Request)
  • Right to rectification: ask us to correct inaccurate or incomplete data
  • Right to erasure: request deletion of your personal data ("right to be forgotten")
  • Right to portability: receive your data in a structured, machine-readable format
  • Right to restriction: ask us to pause processing of your data in certain circumstances
  • Right to object: object to processing based on legitimate interests, including direct marketing

To exercise any of these rights, email privacy@complybase.co with "Data Request" in the subject line. We will respond within 30 days. We may need to verify your identity before processing the request.

These rights are not absolute and may be subject to limitations under applicable law. Where we cannot fulfil a request in full, we will explain why.

9. Cookies

Complybase uses a minimal set of cookies and browser storage:

  • Authentication token — a JWT stored in localStorage to keep you logged in. This is strictly necessary for the Service to function and does not require consent
  • Session preferences — UI state such as selected billing period or collapsed sidebar sections, stored in localStorage

We do not use third-party advertising or tracking cookies. We do not use Google Analytics or similar behavioural tracking tools. If this changes, we will update this Policy and request consent where required.

10. Children

The Complybase platform is a business compliance tool intended solely for use by adults (aged 18 and over) acting in a professional capacity on behalf of a business. We do not knowingly collect personal data from individuals under the age of 18.

If you believe that a person under 18 has provided us with personal data, please contact us at privacy@complybase.co and we will delete that information promptly.

11. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in the law, our data practices, or the features of the Service. When we make material changes, we will notify you by email and display a notice within the platform at least 14 days before the changes take effect.

The "Last updated" date at the top of this page reflects when the Policy was most recently revised. We encourage you to review this Policy periodically.

Continued use of the Service after the effective date of any change constitutes your acceptance of the revised Policy.

12. Contact & Complaints

For any privacy-related questions, to exercise your data rights, or to raise a concern, please contact us:

Data Protection Contact — Complybase Ltd

Email: privacy@complybase.co
General enquiries: contact@complybase.co
Website: complybase.co
Registered in England and Wales

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) — the UK's data protection supervisory authority — at ico.org.uk or by calling 0303 123 1113.
