Privacy Policy
We built ComplianceMonitor.io because we believe people deserve to know how their data is handled. This page explains exactly how we handle yours.
Last updated 26 May 2026 · GDPR · ePrivacy · CCPA
Who we are
ComplianceMonitor.io is operated from Greece by the ComplianceMonitor team. For the purposes of the EU General Data Protection Regulation (GDPR), we act as the data controller for personal data we collect from visitors and account holders of compliancemonitor.io.
When you use the Evidence API or your dashboard to scan a website, you instruct us to process technical data about that website. In that flow we act as a data processor on your behalf.
What we collect
Account information
When you sign up: your email address, a hashed password, and your chosen workspace name. If you pay for a plan, our payment provider also handles your billing address and the last four digits of your card. We never see or store full card numbers.
Scan data
For every audit we run on your behalf we record the target URL, the timestamp, the violations detected, the cookies that were set, the third-party requests made by the browser, and the resulting compliance score. This is the product.
Usage data
We log when API keys are used, which endpoints they hit, and how often — purely to apply rate limits and detect abuse. We do not log the response bodies returned to your application.
Marketing site visits
On compliancemonitor.io itself we use no analytics, no advertising tags, no cross-site identifiers and no third-party cookies. Our own server logs the IP address and user agent of each request for 30 days, after which they are deleted, and we use them only to keep the service up and to investigate incidents.
How we use it
We process your data to:
- Run the compliance scans you request and return the results
- Authenticate API requests and enforce per-plan rate limits
- Send you transactional emails — receipts, security alerts, expiring keys
- Keep our infrastructure secure and detect abuse
- Comply with our own legal obligations — invoicing, tax records, lawful requests
We do not sell, rent or trade personal data. We do not use your data to train machine-learning models, and we do not profile you for advertising.
Legal basis
Under GDPR Art. 6(1), we rely on:
- (b) Contract — when we run scans, authenticate API calls and deliver the service you've subscribed to
- (c) Legal obligation — when we keep tax records or respond to lawful requests
- (f) Legitimate interests — when we log requests for abuse detection or send security alerts. We balance this against your rights and provide an objection channel.
Sharing & subprocessors
We share personal data only with a short list of carefully chosen subprocessors who help us deliver the service. All are bound by data processing agreements and EU-compliant safeguards.
- Hetzner Online GmbH (Germany) — hosting and database storage
- Bunny.net (Slovenia) — CDN edge caching for the public badge SVGs
- Stripe Payments Europe Ltd. (Ireland) — subscription billing
- Postmark / ActiveCampaign (EU region) — transactional email
We do not transfer data to other parties for any purpose except where required by law.
International transfers
Our primary infrastructure is located in the European Union. Where a subprocessor processes data outside the EU/EEA, we rely on the European Commission's Standard Contractual Clauses (2021/914) and additional technical safeguards including transport encryption and storage encryption at rest.
Retention
| Data | Retention |
|---|---|
| Account profile | For as long as your account is active, plus 30 days after deletion |
| Scan history & reports | 13 months by default. Configurable in your dashboard. |
| API request logs | 30 days |
| Server logs (IP + UA) | 30 days |
| Invoices & tax records | 10 years, as required by Greek law |
Your rights
Wherever you live, we treat the following rights as universal. Under GDPR they are specifically enumerated in Articles 15–22:
- Access — get a copy of the data we hold about you
- Rectification — correct anything that's wrong
- Erasure — delete your account and the data tied to it
- Restriction & objection — pause or stop certain processing
- Portability — receive your data in a machine-readable format
- Withdraw consent at any time, where consent is the legal basis
To exercise any of these rights, email us at hello@compliancemonitor.io. We respond within 30 days. You also have the right to lodge a complaint with the Greek Data Protection Authority (HDPA) or your local supervisory authority.
California residents have additional rights under the CCPA — including the right to know, the right to delete and the right to opt out of sale. We don't sell personal data, so the third right is effectively automatic.
Children
ComplianceMonitor.io is a B2B tool. We don't knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
Changes to this policy
When we change anything material in this policy — new subprocessors, new processing purposes, expanded retention — we will email account holders at least 30 days before the change takes effect. The bottom of this page always shows the date of the last revision.
Contact
Privacy questions go straight to a human, not a ticketing queue.
- Email: hello@compliancemonitor.io
- Postal: ComplianceMonitor, Athens, Greece
- Supervisory authority: HDPA