Privacy Policy
Last updated: [TODO: date] · Applies to compliance-concierge.example
1. Controller
[TODO: legal entity name and address] is the controller responsible for the processing of personal data described in this policy. Contact: kristian.hoffmann@me.com. [TODO: add Data Protection Officer contact if one is appointed.]
2. Data we process
- Account data: name, email address, authentication events.
- Content you upload: evidence documents (policies, SOC 2 reports, etc.) and questionnaires, plus the drafts and reviews generated from them.
- Billing data: processed by our payment provider, Stripe — we do not store full card numbers ourselves.
- Technical data: request logs necessary for security and abuse prevention. We do not use tracking or advertising cookies.
3. Purpose and legal basis
We process this data to provide the service you sign up for (contract performance, Art. 6(1)(b) GDPR), to secure the service (legitimate interest, Art. 6(1)(f) GDPR), and to comply with legal obligations such as invoicing (Art. 6(1)(c) GDPR).
4. Subprocessors
- Hostinger — server hosting for our self-hosted database, authentication, and file storage stack, Frankfurt (Germany).
- Mistral AI — evidence search and draft assistance, an EU company (Paris, France) with EU-hosted inference. Content is not used for model training.
- Vercel — web hosting, Functions pinned to Frankfurt (fra1).
- Stripe — payment processing for subscriptions. Stripe does not receive your document or questionnaire data.
[TODO: attach or link the current Data Processing Addendum (DPA) for each subprocessor.]
5. Retention
We retain your data for as long as your account is active. Deleting a document removes its source file and all embedded chunks via cascade delete. [TODO: confirm retention periods for billing records and backups.]
6. Your rights
Under the GDPR you have the right to access, rectify, erase, and port your personal data, to restrict or object to certain processing, and to lodge a complaint with a supervisory authority. To exercise any of these rights, email kristian.hoffmann@me.com.
7. Contact
Questions about this policy or a Data Processing Addendum request: kristian.hoffmann@me.com.