Privacy Policy
Last updated: June 17, 2026
1. Introduction
ComplyReady is an open beta service operated by its founder, Dragan, an individual based in Serbia. ComplyReady is not yet a registered company. In this Privacy Policy, "we", "us", and "our" refer to the founder operating ComplyReady. This policy explains how we collect, use, and protect your information when you use the Service, and it will be updated if a company is formed or paid plans are introduced.
2. Information We Collect
We collect the following types of information:
Account information: name, email address, company name, and password when you register.
Usage data: how you interact with the Service, features used, and actions taken within the platform.
Content you provide: security questionnaires, answers, policies, and company profile information you upload or create.
Connected-account data: read-only configuration and security findings from cloud and source-control accounts you choose to connect (see Section 4).
Technical data: IP address, browser type, device information, and cookies.
3. How We Use Your Information
We use your information to:
- Provide, operate, and improve the Service
- Run security checks and generate questionnaire answers and policies
- Send transactional emails (e.g. sign-up confirmation, password reset)
- Send product updates
- Provide support and respond to your requests
- Comply with legal obligations
ComplyReady is free during open beta, so we do not collect or process any payment information. If paid plans are introduced, this policy will be updated to describe payment processing before any charges apply.
4. Connected Infrastructure Data
If you connect a cloud or source-control account — Amazon Web Services (AWS), Google Cloud, DigitalOcean, OpenStack, or GitHub — the Service reads from it to assess your security posture. This is a core part of how ComplyReady works, so we explain it clearly:
What we access: read-only configuration and metadata needed to run security checks — for example encryption settings, IAM and access configuration, logging configuration, and repository and branch-protection settings.
What we do not do: we never modify, create, or delete anything in your accounts; we do not access the application data or customer data stored inside those systems; and we do not store your cloud credentials. We store connection identifiers and role references (such as an IAM role ARN or external ID) and use short-lived, read-only access to perform each scan.
What we keep: the results of each scan — which checks passed or failed and the related resource references — so we can show you your posture over time and help answer security questionnaires from verified data.
Your control: you can disconnect a connected account at any time, which stops all further access. You can also revoke access directly in your provider.
5. AI Processing
Content you upload (security questionnaires and company profile information) is sent to Anthropic's API to generate draft answers and policies. We do not use your content to train AI models, and the content is processed only to provide the Service to you.
6. Service Providers and Data Sharing
We do not sell your personal data. We share data only with the providers that help us run the Service, and only as needed to provide it:
- Supabase — database and authentication hosting.
- Resend — transactional email delivery.
- Anthropic — AI processing of questionnaire and policy content.
- Cloud and source providers you connect — AWS, Google Cloud, DigitalOcean, OpenStack, and GitHub, which the Service reads from on a read-only basis at your direction.
These providers process data on our behalf under their own data protection and security terms. We will add a payment processor to this list if and when paid plans launch. We may also disclose information where required by law, court order, or a governmental authority.
7. Data Storage and Security
Your account data and content are stored in a managed Supabase (PostgreSQL) database. ComplyReady is operated from Serbia. We apply security measures including encryption in transit and at rest and access controls limiting who can access data. For the specific hosting region, contact us at privacy@complyready.io.
8. Data Retention
We retain your data for the duration of your account plus 30 days after deletion. You may request deletion at any time by deleting your account in Settings or contacting us at privacy@complyready.io.
9. Your Rights (GDPR)
If you are located in the European Economic Area you have the right to:
- Access your personal data
- Correct inaccurate data
- Request deletion of your data
- Object to processing
- Data portability
- Lodge a complaint with a supervisory authority
To exercise these rights contact: privacy@complyready.io
10. Cookies
We use essential cookies for authentication and session management. We do not use tracking or advertising cookies. You can control cookies through your browser settings.
11. Children's Privacy
The Service is not directed to children under 16. We do not knowingly collect personal data from children.
12. Changes to This Policy
We will notify you of material changes to this Privacy Policy via email. The updated policy will be posted on this page with a new effective date.
13. Contact
For privacy questions or to exercise your rights: privacy@complyready.io
ComplyReady — an open beta service operated by its founder, Serbia.