Privacy Policy

ComplyJet (the “Company,” “we,” “us,” or “our”) provides compliance automation software to business customers (the “Services”). This Privacy Policy explains how we collect, use, disclose, and protect Personal Data when you visit www.complyjet.com (the “Website”), use the Services, interact with us, or otherwise provide Personal Data to us.

Quick summary

• Two data categories: Service Data (we act as a controller) and Customer Data (we act as a processor/business associate).
• We do not sell Personal Data and we do not share it for cross-context/behavioral advertising.
• We honor Global Privacy Control (GPC) signals and offer rights requests under applicable laws.
• We store and process data in the United States and India.

1. Scope of this Privacy Policy

This Policy applies to our Services, the Website, and other interactions you may have with ComplyJet (for example, support or events). It does not apply to third-party products or services that integrate with our Services (“Third-Party Services”). A separate customer agreement (e.g., Order/Terms) governs access to and use of the Services and the processing of data submitted to the Services (“Customer Data”). The customer (e.g., your employer) controls its instance and associated Customer Data.

Who we are

• Legal entity: ComplyJet Private Limited (India)
• Registered address: 2508, Tower 1, Marina Skies, Green Hills, Hyderabad, India – 500018
• Contact: privacy@complyjet.com

2. Information we collect and receive

A. Service Data (we are the controller)

• Account & profile – name, work email, company, role, authentication factors, user IDs
• Billing & transactions – subscription details, invoicing and payment tokens, tax IDs, transaction history
• Usage & logs – device/browser info, IP address, feature usage, pages viewed, timestamps, crash reports
• Device & location – device type/OS and approximate location (derived from IP), subject to your settings
• Cookies/online identifiers – see our Cookie Notice for details and controls
• Support & communications – tickets, chat transcripts, emails, call recordings (where permitted), feedback, and form submissions

B. Customer Data (we are the processor/business associate)

Examples include:

• Compliance evidence – policies, audit artifacts, screenshots, test outputs, vulnerability data, remediation notes
• Cloud/DevOps metadata – configurations, resource identifiers, access events, IAM data surfaced by provider APIs
• Vendor & risk data – questionnaires, contracts, security attestations
• Tickets & logs – issue trackers, SOC alerts, incident records
• Training & HRIS – role and training completion records imported from your systems
• PHI (HIPAA) – only if you have a signed Business Associate Agreement (BAA) and enable PHI-related features

C. Third-Party Services & sources

Customers may enable integrations (e.g., AWS, Azure, GCP, Okta, Google Workspace, Jira, GitHub, MDM/EDR). When enabled, those providers may share information with us as authorized.
We may also receive business contact data from partners and providers for fraud prevention and B2B marketing.

Google APIs
Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

3. How we use information

Service Data (as controller):

1. Provide, maintain, and secure the Services; authenticate users; monitor availability; prevent abuse
2. Operate our business – billing, accounting, tax, audits, legal compliance, enforcing agreements
3. Support & communicate – product updates, security and transactional notices, responding to requests
4. Improve & develop – quality assurance, analytics, fixing issues, building new features (using aggregated/de-identified data)
5. B2B marketing – where permitted, with consent/opt-out controls

Customer Data (as processor/business associate):
Processed only on the customer’s instructions to deliver the Services. Not used for advertising or unrelated purposes.

Legal bases (EEA/UK): Contract performance, legitimate interests (e.g., product improvement, security, B2B marketing), legal obligation, and consent (where required for cookies/marketing).

4. Data retention

• Service Data: retained as long as needed for stated purposes, to comply with law, and to resolve disputes.
• Customer Data: retained for the subscription term and deleted or returned per customer’s instructions and our backup/log cycles.

5. How we share and disclose information

• Operating the Services: shown to authorized users within a customer’s instance.
• Service providers/sub-processors: hosting, email, billing, analytics, support providers. We remain responsible. [View current sub-processors](Trust Center URL/subprocessors).
• Corporate affiliates & transactions: affiliates or during a merger, acquisition, financing, etc.
• Third-Party Services: shared as needed for integrations.
• Legal, safety, and rights: to comply with law, protect rights, property, safety.
• With consent: where directed by you or the customer.

We do not sell Personal Data or share it for cross-context behavioral advertising.

6. Security

We apply administrative, technical, and physical safeguards appropriate to the data, including access controls, encryption (in transit and at rest where supported), vulnerability management, employee training, and third-party assessments. No method is 100% secure.

7. Age limitations

Our Services are for organizations and professionals. We do not knowingly allow use by or collect Personal Data from anyone under 16 where prohibited by law. If you believe a child has provided Personal Data, contact privacy@complyjet.com.

8. Changes to this Privacy Policy

We may update this Policy from time to time. The “Effective date” above shows when the latest version took effect. We will post updates here and, if material, provide additional notice. Continued use after an update signifies acceptance.

9. Identifying the controller and processor

• The customer is the controller of Customer Data.
• ComplyJet is the processor of Customer Data and the controller of Service Data and other information collected directly.

10. Your privacy rights

Depending on your location, you may have rights to: access, correct, delete, obtain a copy (portability), restrict/object to processing, withdraw consent, and appeal decisions.

How to exercise: Email privacy@complyjet.com with your name, organization, relationship to us, and request details. We may verify identity and, for Customer Data, coordinate with your organization.

• GPC & opt-out: We honor Global Privacy Control signals.
• Marketing opt-out: Use unsubscribe links or email us.

11. HIPAA

If a customer signs a BAA and enables PHI features, we act as a Business Associate and process PHI solely to provide the Services, implement safeguards, and flow obligations to sub-processors. Customers must not upload PHI unless a BAA is in place.

12. Region-specific disclosures

A. European Economic Area, United Kingdom, and Switzerland

• Controller: ComplyJet Private Limited
• Legal bases: See Section 3
• Representative: Not applicable
• Complaints: You may lodge a complaint with your supervisory authority

B. United States (including California)

• Consumer rights: access, deletion, correction, portability, opt-out of certain processing (e.g., targeted ads)
• No sale/share: We do not sell or share Personal Data for cross-context behavioral ads
• Sensitive personal information: Used only for necessary purposes (e.g., security, authentication, account management)
• Notice at collection: categories may include identifiers, commercial info, internet/electronic activity, professional info, limited inferences, approximate geolocation. See Sections 2–5 for details.

C. India (DPDP Act)

• Data fiduciary: ComplyJet Private Limited
• Grievance officer: Upendra Varma – upendra@complyjet.com, 2508, Tower 1, Marina Skies, Green Hills, Hyderabad, India – 500018‍
• Rights: access, correction, erasure, grievance redressal, consent withdrawal‍
• Children: we do not knowingly process children’s Personal Data

13. Third-party links and integrations

The Services may link to or integrate with third-party sites and platforms. Their privacy practices are governed by their own policies. Customers control which integrations are enabled and what data is shared.

14. Contact us

ComplyJet Private Limited
2508, Tower 1, Marina Skies, Green Hills, Hyderabad, India – 500018

• Email: privacy@complyjet.com
• Security incidents: security@complyjet.com
• EU/UK representative: Not applicable
• Grievance officer (India): Upendra Varma – upendra@complyjet.com

Annexes

1. Sub-processor list

‍