Privacy Policy

Last updated: March 17, 2026. ComplianceRadar.dev ("we", "us", "our") operates the ComplianceRadar.dev service and is committed to protecting your privacy in line with the EU General Data Protection Regulation (GDPR) and applicable data protection laws.

For the purposes of the General Data Protection Regulation (GDPR) and other applicable data protection laws, the Data Controller responsible for this website and the ComplianceRadar.dev service is Damir Andrijanic. Any references to "ComplianceRadar.dev" collecting, processing, or securing data legally refer to Damir Andrijanic.

1. Data controller

The data controller responsible for your personal data is Damir Andrijanic, operating ComplianceRadar.dev as a sole proprietor. You may contact us regarding data protection at the contact details provided on our website and legal notice.

2. What data we collect and why

We collect the following categories of personal data for the purposes described:

  • Email addresses — When you provide an email (e.g. when requesting scan results or signing up), we use it to deliver your scan report, to send product-related communications, and, with your consent where the law requires it, for lead generation and marketing.
  • Website URLs — The URLs you submit for compliance scanning are processed to perform the scan and generate the compliance report. We use this information only for providing the service and improving our offering.
  • Uploaded architecture documents (PDF) — If you upload a technical architecture PDF, we process its contents to generate compliance and Annex IV documentation insights for non-live projects. We retain uploaded content only as needed to complete processing and display your report.
  • Contact form data — If you contact us, we process your name, email, selected category, and message to respond to your request and manage support, sales, or data protection inquiries.
  • Account and authentication data — If you create an account (e.g. via email/password or Google sign-in), we store the data necessary to authenticate you and link your scans to your account, in accordance with our terms of service.

PDF uploads are intended only for technical architecture documentation. You must not upload personal data or special-category personal data in those documents.

To provide AI analysis, the text extracted from scanned URLs and uploaded PDFs is sent to the Google Gemini API. This processing is part of the core service workflow for generating findings and recommendations.

3. Legal basis

We process your data on the following legal bases under the GDPR: performance of a contract (delivering scans and paid reports), legitimate interests (service improvement, security, fraud prevention), and where applicable your consent (e.g. marketing, optional cookies).

4. Third-party sub-processors

We use the following sub-processors to operate the service. Each is bound by data processing agreements and/or standard contractual clauses where required:

  • Vercel — Hosting and serverless execution of our application.
  • Supabase — Managed PostgreSQL database infrastructure and related operational database services.
  • Stripe — Payment processing. Card and payment data are handled directly by Stripe; we do not store full payment card details. Stripe's privacy policy and DPA apply.
  • Zoho — Transactional emails (e.g. authentication emails, waitlist verification, and service notifications).
  • Google OAuth (Google Sign-In) — If you sign in with Google, authentication-related account data is processed through Google Identity services.
  • Google Gemini API — AI-powered compliance analysis for website scan text and uploaded architecture document text.

5. International data transfers

Where service providers process data outside the EEA (including in the United States), we use appropriate safeguards such as the EU Standard Contractual Clauses and provider contractual commitments. You may request additional information about these safeguards via our contact channels.

6. Cookie consent and tracking controls

We apply a deny-by-default cookie mechanism for non-essential technologies. Analytics and marketing-related tracking stay disabled unless and until you provide explicit consent via our cookie controls. You can withdraw or change consent at any time.

7. Waitlist double opt-in

Waitlist signups use a double opt-in workflow. Your email address is activated for waitlist communications only after you confirm ownership through a verification step.

8. Private-by-default reports and publication responsibility

Scan reports are private by default and protected by access controls intended to prevent unauthorized access. If you choose to make a report public or share it externally, you are solely responsible for that publication decision and for any resulting disclosure of information.

For non-authenticated URL scans, report access is protected through a signed, time-limited result access token contained in the report URL. Without a valid token (or explicit publication), the report is not accessible. Because the token travels in the URL, anyone who obtains that link can open the report until the token expires, so treat report links as confidential and avoid posting them in shared channels.
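The token-gated report access described above and the waitlist double opt-in in section 7 rest on the same primitive: a URL-safe token that carries an expiry and an HMAC over it, which the server checks before granting access. The following is an added example of that mechanism, not ComplianceRadar.dev's own code; the token layout (big-endian expiry, then the subject, signed with HMAC-SHA256), the subject strings and the key handling are assumptions chosen for illustration. The `subject` parameter generalizes both cases: a report id for result links, an email address for waitlist confirmation.

```python
"""Signed, time-limited access token: issue and verify (added example)."""
import base64
import binascii
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Assumed server-side signing key. Load it from a secret store in practice;
# it must never appear in a URL or in client-side code.
SIGNING_KEY = secrets.token_bytes(32)


def _b64encode(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token survives inside a URL."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int,
                now: Optional[float] = None,
                key: bytes = SIGNING_KEY) -> str:
    """Return a bearer token for `subject` (a report id, or a waitlist email)
    that expires `ttl_seconds` after `now`.

    Layout (assumed for this example):
        base64(exp_be64 || subject) "." base64(HMAC-SHA256(key, payload))
    """
    exp = int((time.time() if now is None else now) + ttl_seconds)
    payload = struct.pack(">Q", exp) + subject.encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64encode(payload) + "." + _b64encode(tag)


def verify_token(token: str, subject: str,
                 now: Optional[float] = None,
                 key: bytes = SIGNING_KEY) -> bool:
    """True only if the token is intact, bound to `subject` and unexpired."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = _b64decode(payload_b64)
        tag = _b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return False  # malformed token
    if len(payload) < 8:
        return False
    # Verify the signature first, in constant time, before trusting any field.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    exp = struct.unpack(">Q", payload[:8])[0]
    if payload[8:] != subject.encode("utf-8"):
        return False  # valid signature, but issued for a different subject
    current = time.time() if now is None else now
    return current < exp


if __name__ == "__main__":
    key = b"example-key"  # constructed for the demo only
    t = issue_token("report:abc123", 900, now=1_700_000_000, key=key)
    print("fresh, right report  :", verify_token(t, "report:abc123", now=1_700_000_100, key=key))
    print("same token, other id :", verify_token(t, "report:zzz999", now=1_700_000_100, key=key))
    print("after expiry         :", verify_token(t, "report:abc123", now=1_700_000_900, key=key))
    forged = issue_token("report:abc123", 10**6, now=1_700_000_000, key=b"attacker-guess")
    print("forged, wrong key    :", verify_token(forged, "report:abc123", now=1_700_000_100, key=key))
    w = issue_token("waitlist:alice@example.com", 86_400, now=1_700_000_000, key=key)
    print("waitlist confirm     :", verify_token(w, "waitlist:alice@example.com", now=1_700_001_000, key=key))
```

Two design points matter here. The signature is checked before any field is parsed, so an attacker cannot extend the expiry or swap the subject without the key; and the subject is part of the signed payload, so a token minted for one report (or one email address) cannot be replayed against another.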

Architecture document uploads require an authenticated user account, so the resulting document reports are bound to the account owner by default.

9. Public Trust Badge & Verification Registry

If you choose to embed the Public Trust Badge on your website, you explicitly consent to the public display of limited business identity and verification data in our badge verification surfaces (including public badge views or registry entries, where available) for transparency, trust signaling, and third-party validation purposes.

This public display may include your company or organization name, website URL/domain, and scan-derived risk classification or badge status as determined by our verification systems at the relevant point in time. By embedding the badge, you acknowledge and authorize this disclosure for as long as the badge is active or until the listing is revoked, removed, or updated in accordance with our Terms and operational policies.

10. Retention and storage

We retain scan results, account data, and logs only as long as necessary to provide the service, comply with legal obligations, and resolve disputes. You may request deletion of your data subject to applicable retention requirements.

For URL scans, we do not keep raw fetched HTML as a persistent report artifact, but we do retain structured scan outputs and model-generated findings so reports can be viewed in the product.

For uploaded architecture PDFs, we process documents only long enough to complete analysis and generate the report. Raw PDF data, extracted text, and intermediate processing artifacts are cleared after successful processing. If processing is delayed, retried, or fails, this data may be retained temporarily until the job reaches a terminal state. Structured report outputs remain available in your scan history subject to your account and legal obligations.

11. Application logging practices

We aim to minimize personal data in routine logs and keep operational logging focused on reliability and security monitoring. Some limited metadata or error context may be stored when required for service operation, incident response, and fraud prevention.

11a. Enterprise Privacy Mode (planned)

We are planning an Enterprise Privacy Mode to support stricter processing boundaries, retention controls, and enterprise privacy requirements. Availability and scope will be published in future product updates.

12. Your rights

Under the GDPR you have the right to access, rectify and erase your personal data, to restrict its processing, to data portability, and to object to processing. You also have the right to lodge a complaint with a supervisory authority. To exercise these rights, contact us using the details on our website.

The competent supervisory authority for us is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, LDI NRW).

You can submit rights requests through our contact form by selecting the category "Data protection request (GDPR rights)", including for requests related to architecture document uploads and report data.

13. Security

We implement technical and organizational measures to protect your data. For more detail, see our Security page.

14. Changes

We may update this privacy policy from time to time. The "Last updated" date at the top will be revised, and we will notify you of material changes where appropriate.
