Privacy Notice
Effective: June 26, 2026
1. Who we are
ComplianceCheq is operated by Estuary Bridging the Divide. For the personal data we collect about visitors and subscribers in connection with the ComplianceCheq service, Estuary Bridging the Divide acts as the data controller. You can contact us at support@compliancecheq.com.
2. Personal data we collect
- Account data: name, email, password hash, organization name, role.
- Authentication data: sign-in identifiers (including Google OAuth identifiers if you use social sign-in), session tokens.
- Subscription metadata: plan, billing status, renewal dates, Paddle customer and subscription identifiers. Card numbers and full billing details are collected and stored by Paddle, not by us.
- Service usage: URLs you submit for scanning, scan results, reports you generate, tasks you create, support messages.
- Technical telemetry: IP address, browser and device identifiers, log timestamps, error traces.
- Cookies: session and preference cookies required for authentication; see Section 9.
3. Why we use it and legal basis
- To provide the service (account creation, running scans, generating reports, storing your data). Legal basis: performance of the contract between you and Estuary Bridging the Divide.
- To process payments and manage subscriptions via Paddle. Legal basis: performance of the contract and compliance with tax and accounting obligations.
- To secure the service and prevent abuse (rate limiting, fraud and SSRF detection, audit logging). Legal basis: our legitimate interest in protecting the service and users; legal obligation where applicable.
- To improve the product (aggregate usage analytics, debugging). Legal basis: our legitimate interest in improving the service.
- To provide customer support and to send transactional notices (purchase confirmation, payment failure, security notices). Legal basis: performance of the contract.
- To send marketing emails, only if you opt in. Legal basis: your consent, which you can withdraw at any time.
4. Who we share data with
- Paddle.com Market Limited and its affiliates — our Merchant of Record. Paddle receives the personal data necessary to process your purchase, manage your subscription, handle taxes and invoicing, and provide payment-related customer service. Paddle acts as an independent controller for that processing. See Paddle's buyer privacy notice at paddle.com/legal/privacy.
- Infrastructure and tooling subprocessors — cloud hosting, database, email delivery, error monitoring, and analytics providers used to operate the service. They act as processors on our behalf and may only use the data to provide their service to us.
- Professional advisers — accountants, auditors, and legal counsel where necessary.
- Authorities — where required by applicable law, regulation, court order, or to protect rights, safety, or property.
- Successors — in the context of a merger, acquisition, or sale of assets.
We do not sell personal data.
5. International transfers
Where personal data is transferred outside your country of residence (including outside the UK/EEA), we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or applicable adequacy decisions.
6. Retention
We retain personal data for as long as your account is active and for a reasonable period afterwards to comply with legal, tax, and accounting obligations, to resolve disputes, and to enforce agreements. Scan data and reports are retained for the lifetime of your subscription unless you delete them earlier. After the applicable retention period we delete or anonymize the data.
7. Your rights
Depending on where you live, you have the right to:
- access the personal data we hold about you;
- request rectification or erasure;
- restrict or object to processing;
- receive your data in a portable format;
- withdraw consent at any time where processing is based on consent;
- lodge a complaint with your local data protection authority.
To exercise any of these rights, email support@compliancecheq.com. We will respond within one month, or sooner where required by law.
8. Security
We use appropriate technical and organizational measures to protect personal data, including encryption in transit, hashed passwords, role-based access controls, row-level security on our database, and audit logging. No system is perfectly secure; please report suspected vulnerabilities to support@compliancecheq.com.
9. Cookies
We use strictly necessary cookies for authentication and session management. We do not use advertising cookies. If we add analytics cookies in the future, we will request your consent and provide controls before enabling them.
10. Changes
We may update this notice from time to time. Material changes will be notified by email or via the application before they take effect.