Privacy Policy
Last updated: February 2026
This Privacy Policy describes how ComplianceHarbor (“we,” “us,” or “our”), operated via complianceharbor.ai, collects, uses, discloses, and protects your personal information when you access or use our ComplianceHarbor platform, APIs, and related services (collectively, the “Service”). By using the Service, you acknowledge that you have read and understood this Privacy Policy.
1. Information We Collect
1.1 Account Data
When you register for an account, we collect your name, email address, company name, and password. If you upgrade to a paid plan, your billing information is collected by our payment processor, Stripe; full credit card numbers are not stored on our servers.
1.2 Assessment Data
When you use our API or MCP tools, we process the change window parameters, configuration item metadata, geographic coordinates, vendor identifiers, and other technical parameters you submit for risk assessment. Assessment results—including risk scores, conflict details, and suggested maintenance windows—are temporarily stored to support shareable report links.
1.3 Usage Data
We automatically collect information about how you interact with the Service, including API request timestamps, endpoints accessed, response codes, assessment counts, external API call volume and estimated processing costs, IP addresses, user agent strings, and referring URLs. This data is used for rate limiting enforcement, billing metering, security monitoring, and service improvement.
1.4 Cookies & Session Data
We use HTTP-only, secure cookies solely for session management (JWT authentication tokens). We do not use third-party tracking cookies, advertising cookies, or analytics cookies. Our cookies are strictly necessary for the operation of the Service and cannot be disabled while using authenticated features.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Providing, operating, and maintaining the ComplianceHarbor Service
- Processing your risk assessments and generating conflict analysis reports
- Managing your account, subscription, and API key provisioning
- Processing payments, enforcing plan limits, and tracking usage-based billing
- Sending transactional emails, including account verification, password resets, payment receipts, trial expiration notifications, and usage alerts
- Enforcing rate limits and acceptable use policies
- Detecting, preventing, and responding to security incidents, fraud, and abuse
- Monitoring per-customer resource consumption and managing infrastructure costs
- Improving the accuracy and performance of our risk scoring engine and intelligence data sources
- Complying with legal obligations and responding to lawful requests
3. Legal Basis for Processing (GDPR Article 6)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:
- Performance of a Contract (Art. 6(1)(b)): Processing necessary to provide the Service you have subscribed to, including account management, risk assessments, billing, and API access.
- Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate interests, including security monitoring, fraud prevention, service improvement, and enforcement of our terms, provided such interests are not overridden by your data protection rights.
- Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with applicable laws, regulations, or legal processes.
- Consent (Art. 6(1)(a)): Where you have given explicit consent, such as opting in to marketing communications. You may withdraw consent at any time.
4. Data Retention
We retain your data according to the following schedule:
- Assessment Results: Automatically purged 24 hours after creation. Shareable report links expire at the same time.
- Account Data: Retained for the duration of your active subscription. Upon cancellation, account data is retained for 30 days to allow for reactivation, after which it is permanently and irreversibly deleted.
- API Keys: SHA-256 hashed representations are retained until the key is revoked or the account is deleted. Plaintext keys are never stored.
- Usage & Billing Records: Retained for the period required by applicable tax and financial regulations (typically 7 years), after which they are deleted.
- Server Logs: Retained for up to 90 days for security monitoring and debugging purposes, then automatically rotated and deleted.
5. Data Sharing & Sub-Processors
We do not sell, rent, or trade your personal data. We share data only with the following categories of sub-processors, each bound by data processing agreements (DPAs):
| Sub-Processor | Purpose | Data Shared |
|---|---|---|
| Stripe, Inc. | Payment processing (PCI DSS Level 1 certified) | Name, email, billing address, payment method tokens |
| Resend, Inc. | Transactional email delivery | Email address, name, email content |
| Google Cloud Platform | Application hosting and cloud infrastructure | All data processed by the Service (encrypted at rest and in transit) |
We may also disclose your information if required by law, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
6. International Data Transfers
The Service is hosted in the United States on Google Cloud Platform infrastructure. If you access the Service from outside the United States, your personal data will be transferred to and processed in the United States. We rely on the following safeguards for international data transfers:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data processing agreements with all sub-processors that include appropriate transfer mechanisms
- Technical and organizational measures to ensure data protection equivalent to EEA standards
7. Security Measures
We implement industry-standard technical and organizational security measures to protect your personal data, including:
- Encryption in Transit: All communications are encrypted using TLS 1.3. HTTPS is enforced on all endpoints.
- API Key Security: API keys are SHA-256 hashed before storage. Plaintext keys are displayed only once at creation and are never stored or logged.
- Password Security: User passwords are hashed using bcrypt with a minimum cost factor of 12. Plaintext passwords are never stored.
- HTTP Security Headers: We deploy helmet-based security headers including Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, and Referrer-Policy.
- Rate Limiting: API and authentication endpoints are protected by tiered rate limiting to prevent brute-force attacks and abuse.
- Access Controls: Role-based access controls, API key scoping, and per-tenant data isolation ensure that users can only access their own data.
- Infrastructure Security: The platform runs on Google Cloud Platform, whose infrastructure holds SOC 2 Type II attestation and provides availability across multiple regions within the United States (see Section 6). That attestation covers the provider's infrastructure; the application-layer controls listed above are operated by us.
8. Your Rights Under GDPR
If you are located in the EEA, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:
- Right of Access (Art. 15): Request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
- Right to Erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”).
- Right to Restriction of Processing (Art. 18): Request that we restrict the processing of your personal data under certain circumstances.
- Right to Data Portability (Art. 20): Request your personal data in a structured, commonly used, machine-readable format (JSON).
- Right to Object (Art. 21): Object to the processing of your personal data based on legitimate interests.
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent.
- Right to Lodge a Complaint: File a complaint with your local data protection supervisory authority.
To exercise any of these rights, contact us at privacy@complianceharbor.ai. We will respond to verified requests within 30 days.
9. Your Rights Under CCPA/CPRA
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with the following rights:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined under CPRA beyond what is necessary for the Service.
To exercise your CCPA/CPRA rights, contact us at privacy@complianceharbor.ai. We will verify your identity before processing any request. You may also designate an authorized agent to submit a request on your behalf.
10. Children’s Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take immediate steps to delete such data. If you believe a child under 16 has provided us with personal data, please contact us at privacy@complianceharbor.ai.
11. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34
- Document the breach, its effects, and the remedial actions taken in our internal breach register
- Provide affected users with information about the nature of the breach, the data involved, and recommended protective measures
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the “Last updated” date at the top of this page
- Notify registered users via email at least 30 days before material changes take effect
- Post a prominent notice on our website
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
13. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: privacy@complianceharbor.ai
- Website: https://complianceharbor.ai
For GDPR-related inquiries, you may also contact your local data protection supervisory authority.