Privacy Policy

Effective Date: April 19, 2026 · Last Updated: April 19, 2026

ComplyRim LLC ("ComplyRim," "we," "us," or "our") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit complyrim.com, use our compliance automation products (including CRS, TraceRoot, CMDA, Vendor Triage, AgentSpendrix, Issue Manager, Evidence Vault, Shield, Instant ISO, and CaaS), or otherwise engage with us.

1. Information We Collect

1.1 Information You Provide

  • Account data: name, email, company name, job title, billing address.
  • Payment data: processed by AWS Marketplace, Stripe, or other PCI-compliant processors. We do not store full card numbers.
  • Communications: support tickets, sales inquiries, survey responses, newsletter subscriptions.
  • Content: compliance evidence, control narratives, vendor questionnaires, incident reports, and similar data you upload to our platform.

1.2 Information We Collect Automatically

  • Product telemetry: feature usage, page views, session duration, error logs.
  • Device data: browser type, operating system, device identifiers, IP address.
  • Cookies and similar technologies: see Section 7.

1.3 Information from AWS Environments (with your authorization)

When you deploy ComplyRim scanners (CRS, CMDA, TraceRoot) into your AWS account via CloudFormation, we access configuration metadata through a read-only IAM role you control. We do not access the contents of your S3 objects, databases, or application data unless you explicitly enable that feature.

2. How We Use Information

  • Provide, operate, and maintain our products.
  • Generate compliance reports, risk scores, and remediation guidance.
  • Process payments and manage subscriptions.
  • Send operational notices, security alerts, and (with consent) marketing communications.
  • Improve our products via aggregated analytics and model training on de-identified data.
  • Comply with legal obligations and enforce our Terms of Service.

3. Legal Bases (GDPR / UK GDPR)

Where GDPR applies, we process your data under the following bases: contract performance, legitimate interests (product improvement, security, fraud prevention), consent (marketing, optional cookies), and legal obligation.

4. How We Share Information

We share information only with:

  • Sub-processors (AWS, Stripe, email providers, analytics) under data processing agreements.
  • AWS Marketplace for billing and subscription management when you purchase through it.
  • Professional advisers (legal, accounting, auditors) bound by confidentiality.
  • Authorities when legally required.
  • Successors in a merger, acquisition, or asset sale (with equivalent privacy protections).

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

5. Data Retention

  • Account and billing records: duration of subscription plus 7 years for tax and audit purposes.
  • Compliance artifacts (reports, evidence): retained per your configured retention or until you delete them.
  • Telemetry logs: 13 months rolling, then aggregated or deleted.
  • Marketing contacts: until unsubscribe plus 90 days.

6. Security

ComplyRim implements administrative, technical, and physical safeguards appropriate to the risk, including encryption in transit (TLS 1.2+) and at rest (AES-256), least-privilege IAM, MFA for administrative access, SOC 2 Type II controls, and continuous monitoring via our own CRS and CMDA products.

7. Cookies

We use essential cookies for session management and optional cookies for analytics and preferences. You can manage cookies via your browser or our cookie banner. See our Cookie Preferences page for details.

8. Your Rights

Depending on your location, you may have the right to:

  • Access, correct, delete, or export your personal data.
  • Object to or restrict certain processing.
  • Withdraw consent.
  • Lodge a complaint with a supervisory authority.

Submit requests to privacy@complyrim.com. We respond within 30 days (or the period required by applicable law).

California residents (CCPA/CPRA)

You have the right to know, delete, correct, and limit the use of sensitive personal information. We do not sell or "share" personal information as defined under the CPRA.

EEA/UK residents (GDPR)

You may contact our EU representative or the UK representative at the address published on our site.

9. International Transfers

We may transfer data to the United States and other countries. Where required, we use Standard Contractual Clauses, the UK International Data Transfer Addendum, or other recognized transfer mechanisms.

10. Children

Our products are not directed to children under 16. We do not knowingly collect personal information from children.

11. Changes to This Policy

We will post any changes on this page with a new "Last Updated" date. We will notify you of material changes by email or in-product notice at least 30 days in advance.

12. Contact Us

ComplyRim LLC
Email: privacy@complyrim.com
General: support@complyrim.com
Address: Idaho Falls, ID, USA