Complidar

Privacy Policy

Effective May 18, 2026 · Last updated May 18, 2026

1. Who we are

“Complidar” (referred to here as we, us, or the Service) is operated as a sole-proprietor product pending entity formation. The Service runs an automated diagnostic scan of public web pages and generates a report describing potential legal-compliance risks. This Privacy Policy describes the personal information we handle when you visit the Service, run a free scan, purchase a paid audit, or contact us.

2. The information we collect

Information you provide directly:

  • Domain you submit — the URL you enter into the scan form. We treat the domain itself as user-provided input, not personal data, but it is associated with the account that submits it.
  • Email address — required at checkout (via Stripe Checkout) and on sign-in (we send a one-time magic link). We never ask for, accept, or store a password.
  • Optional metadata at quote request — if you request our “Fix It For Me” service, the notes field is stored alongside the request.

Information we collect automatically:

  • IP address — recorded on free-scan submissions for rate limiting and abuse prevention; recorded on magic-link requests for the same reason. Retained for thirty (30) days then purged.
  • Authentication session cookie — a single first-party cookie issued by our identity provider (Supabase Auth) keeps you signed in across page loads. No third-party advertising or analytics cookies are set.
  • Scan output — when you run a scan, our worker fetches the public pages of the domain you submitted and produces findings, crawl artifacts (HTML, network requests, cookies set by the scanned site, axe accessibility output), and an estimated liability range. This output is associated with your account if you are signed in, or with an anonymous scan record if you are not.

Payment information: we use Stripe to process payments. Stripe collects your card details directly; we never receive or store card numbers or full PAN data. We do store the Stripe customer ID and subscription metadata Stripe returns to us.

We do not collect special categories of personal data (race, religion, biometrics, health, etc.). If you submit any in the “notes” field of the Fix-It-For-Me form, please don’t — we’ll delete it on request.

3. How we use your information

We process the information above only for the purposes described here:

  • To run the scan you requested and deliver the report.
  • To authenticate you (magic link) and keep you signed in.
  • To process payment, issue receipts, and manage your subscription.
  • To prevent abuse (IP-based rate limits, fraud signals from Stripe Radar).
  • To respond to support requests and Fix-It-For-Me quote requests.
  • To improve the diagnostic detectors — but we use aggregated, de-identified findings data for this, not individual user records.
  • To comply with legal obligations and respond to lawful requests.

We do not use your information to train any general-purpose machine-learning model and we do not allow our subprocessors to do so either.

4. Cookies and similar technologies

We use exactly one cookie: a first-party HTTP-only session cookie used for authentication. We do not run third-party analytics, advertising, retargeting, or social-media pixels. We do not have an A/B-testing tool installed. Because we set no non-essential cookies, no cookie banner is displayed.

Local storage is used by Stripe Checkout while you are on the payment page; that data is governed by Stripe’s privacy policy.

5. The subprocessors we rely on

We share personal data with the following service providers, each contractually bound to use it only to provide services to us:

  • Stripe, Inc. — payment processing and billing portal. Receives your name, email, and card details. Privacy: stripe.com/privacy.
  • Supabase Inc. — managed Postgres, authentication, file storage. Hosts the database where account and scan records live. Privacy: supabase.com/privacy.
  • Vercel Inc. — web application hosting and edge networking. Receives HTTP request metadata (IP, user agent). Privacy: vercel.com/legal/privacy-policy.
  • Railway Corporation — runs our background scanner worker. Receives the domains being scanned and the operational logs. Privacy: railway.com/legal/privacy.
  • Inngest, Inc. — durable job orchestration. Receives scan IDs and job payloads. Privacy: inngest.com/privacy.
  • Anthropic PBC — large-language-model API used by our detectors and the optional Fix-It-For-Me service to analyze the scan artifacts. By Anthropic’s commercial-API terms, prompt and completion data is not used to train their models. Privacy: anthropic.com/legal/privacy.
  • Resend Inc. (or the email provider in use at the time) — delivers magic-link sign-in emails and receipts.

6. International transfers

Our subprocessors are primarily based in the United States. If you access the Service from outside the US, your information will be transferred to and processed in the US under appropriate safeguards (Standard Contractual Clauses where applicable).

7. How long we keep your data

  • IP logs (rate limiting): 30 days, then purged.
  • Scan results and crawl artifacts: retained while your account exists. You can delete an individual scan from your dashboard at any time; the record and its artifacts are removed within seven days.
  • Account records: retained while your account is active. If you ask us to delete your account, we remove your data within 30 days, except records we are required to keep for tax or accounting purposes (typically seven years for receipts/invoices).
  • Stripe billing records: governed by Stripe’s retention rules; typically seven years.

8. Your rights

Depending on where you live, you may have the following rights regarding your personal information:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to fix anything inaccurate.
  • Deletion — ask us to delete your data (subject to legal-retention carve-outs).
  • Portability — receive your data in a machine-readable format.
  • Objection / restriction — under GDPR, object to certain processing or ask us to restrict it.
  • Opt out of sale or sharing — under the CCPA / CPRA, although we do not sell personal information or share it for cross-context behavioral advertising.
  • Non-discrimination — we will not deny you service, charge you a different price, or provide a different level of quality for exercising any of the above.

To exercise any of these rights, email privacy@complidar.com. We will respond within 45 days. We will verify the request by replying to the email on file for your account; for unauthenticated requests we may ask for additional information to confirm identity. You may also designate an authorized agent.

If you believe we have mishandled your data, you can lodge a complaint with your local supervisory authority (e.g. the California Privacy Protection Agency or your EU data-protection authority) — though we’d appreciate the chance to fix it first.

9. Children

The Service is intended for businesses and is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, email privacy@complidar.com and we will delete it.

10. Security

We use industry-standard safeguards: TLS for all traffic, encrypted-at-rest databases, short-lived signed magic-link tokens, role-based access controls, principle-of-least-privilege on internal accounts, and review of every code change before it ships. We never store passwords or payment-card numbers. No system is perfectly secure; if we ever experience a breach affecting your data we will notify you within the timeframe required by applicable law.

11. Changes to this policy

We will update the “Last updated” date at the top of this page when we revise this Privacy Policy. For material changes (changes to the categories of data we collect or the purposes for which we use it), we will email account holders at least 14 days before the change takes effect.

12. Contact

For privacy questions, requests, or complaints: privacy@complidar.com.

This Privacy Policy is provided in good faith and is intended to accurately describe our practices. It is not legal advice. If you have a legal question about your rights, consult a licensed attorney in your jurisdiction.