Privacy Policy

Last updated: April 24, 2026

How COMPLYRA collects, uses, and protects your personal data.

Compliance Note: This policy is designed to comply with the EU General Data Protection Regulation (GDPR), Saudi Personal Data Protection Law (PDPL), UAE Federal Decree-Law No. 45/2021, and Bahrain Law No. 30/2018.

1. Who We Are

COMPLYRA is a regulatory compliance management platform. As a data controller, we collect and process personal information relating to client personnel and registered platform users.

2. Data We Collect

  • Account data: Name, email address, phone number, company name, and job title.
  • Usage data: Login logs, IP addresses, browser information, and platform activity.
  • Compliance data: Questionnaire answers, uploaded documents, and notes entered by users.
  • Contact data: Messages submitted via contact forms or demo requests.

3. How We Use Your Data

  • To provide, maintain, and improve the platform services.
  • To process subscriptions, billing, and account management.
  • To send compliance notifications and deadline alerts.
  • To respond to your enquiries and support requests.
  • To fulfil legal and regulatory obligations.

4. Legal Basis for Processing

  • Contract performance: To process account data and deliver services.
  • Legitimate interests: To improve and secure the platform.
  • Legal obligation: For audit trails, AML requirements, and other legal duties.
  • Consent: For marketing communications — optional and withdrawable at any time.

5. Data Sharing

We do not sell your personal data. We may share data with:

  • Vetted cloud infrastructure providers (hosting and payment processors).
  • Regulatory or law enforcement bodies when legally required.
  • Assigned auditors within their defined access scope on the platform.

6. Data Security

We implement AES-256 encryption for all sensitive data at rest, TLS 1.3 for data in transit, two-factor authentication, role-based access controls, and comprehensive audit trails. See our Security page for full details.

7. Data Retention

We retain personal data according to the following schedule:

  • Account data: Subscription duration + 6 months post-termination. Legal basis: Contract / legitimate interests.
  • Audit & activity logs: 5 years from date of entry. Legal basis: Legal obligation / regulatory compliance.
  • Compliance data (answers & documents): Subscription duration + 12 months. Legal basis: Contract.
  • Incident and breach records: 5 years from incident date. Legal basis: Legal obligation (GDPR Article 33).
  • Data subject requests (DSRs): 3 years from completion. Legal basis: Legal obligation / accountability.
  • Contact and support messages: 2 years. Legal basis: Legitimate interests.

Upon expiry of the applicable retention period, data is securely deleted or anonymised in accordance with our documented data disposal procedures.

7a. Data Breach Notification

In the event of a personal data breach, we commit to the following timelines:

  • Within 48 hours: Notify affected clients (data controllers) with details of the breach, categories of data involved, approximate number of data subjects affected, and remediation measures taken.
  • Within 72 hours: Report to the relevant supervisory authority (e.g. SDAIA for Saudi PDPL, competent EU DPA for GDPR) where the breach is likely to result in a risk to individuals' rights and freedoms.
  • Without undue delay: Notify affected data subjects directly where the breach is likely to result in a high risk to their rights and freedoms.

Notice content: All breach notifications include the nature of the breach, data categories and approximate volume affected, likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.

7b. International Data Transfers

Your data may be processed on servers located in the GCC region or the European Union. We ensure all cross-border transfers are lawful through:

  • EU Standard Contractual Clauses (SCCs) approved by the European Commission (GDPR Article 46).
  • Supplementary technical and organisational safeguards per EDPB recommendations.
  • Contractual requirements binding all sub-processors to maintain equivalent data protection standards.

7c. Children's Data & Automated Decisions

The platform is designed exclusively for use by organisations and their employees. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor's data has been submitted in error, please contact us immediately for deletion.

We do not use automated decision-making or profiling that produces legal or similarly significant effects on data subjects (GDPR Article 22). All compliance assessments are reviewed by authorised human users.

8. Your Rights

Under GDPR, Saudi PDPL, and equivalent laws, you have the right to:

  • Access to your personal data
  • Rectification of inaccurate data
  • Erasure (right to be forgotten)
  • Data portability
  • Objection to processing
  • Restriction of processing

To exercise any of these rights, contact us via our Contact form. We will respond within 30 days.

9. Cookies

We use only strictly necessary cookies for session management and secure authentication. We do not use marketing or third-party tracking cookies.

10. Privacy Contact

For privacy enquiries or to lodge a complaint, please use our Contact page.