Informational notice: This privacy policy is provided for informational purposes. Kodex-Compliance is not a law firm. This document does not constitute legal advice. For legal guidance specific to your situation, please consult a qualified data protection lawyer.
How we handle your data
Last updated:
Table of Contents
- 1. Introduction & Data Controller
- 2. Data We Collect
- 3. Legal Basis for Processing
- 4. How We Use Your Data
- 5. AI Processing Disclosure
- 6. Data Sharing & Third Parties
- 7. International Data Transfers
- 8. Data Retention
- 9. Your Rights
- 10. Security Measures
- 11. Cookies
- 12. Children's Privacy
- 13. Changes to This Policy
- 14. Contact & DPO
1. Introduction & Data Controller
Kodex-Compliance (“we”, “us”, “our”) operates the Kodex platform — an AI-assisted compliance management tool designed for EU regulatory frameworks including GDPR, the EU AI Act, NIS2, DORA, ISO 27001, SOC 2, and the Cyber Resilience Act. This Privacy Policy explains how we collect, use, store, and protect your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR).
Data Controller: Kodex-Compliance is the data controller responsible for the personal data you provide when using our platform.
Contact details
Address: [Registered address — to be updated upon incorporation]
Email: contact@kodex-compliance.eu
All personal data is processed and stored within the European Economic Area (EEA) by default. Where data is transferred outside the EEA, appropriate safeguards apply as described in Section 7.
2. Data We Collect
We collect only the data necessary to provide our compliance management service. This includes:
Account data
- Full name and email address (provided at registration)
- Organisation name, size, and industry sector
- Role within your organisation
- Profile preferences and notification settings
Compliance content
- Uploaded compliance evidence documents and artefacts
- Compliance scan results, scores, and gap analyses
- Policy documents you create or import within the platform
- Risk register entries and risk assessments
- Framework-specific questionnaire responses
AI chat interactions
- Messages sent to the Kodex AI compliance assistant
- AI-generated responses and recommendations
- Conversation context used to improve response quality
Integration data
When you connect third-party integrations, we access only the data you authorise:
- GitHub: repository names, pull request metadata, and code files you explicitly share for scanning
- Google Workspace: document names and content of files you share for compliance analysis
- Notion: page titles and content of pages you connect for evidence collection
- Slack: workspace name and messages/channels you explicitly share
Payment information
Payments are processed by Stripe. We do not store your card number, CVC, or full payment card details. We retain your billing address, Stripe customer ID, and subscription status for invoicing and support purposes.
Usage and technical data
- Browser type, operating system, and device type
- IP address (stored for security and fraud prevention, not for tracking)
- Pages visited and features used within the platform
- Error logs and performance metrics for service improvement
3. Legal Basis for Processing (GDPR Art. 6)
We process your personal data under the following legal bases as set out in Article 6 GDPR. The table below maps each processing activity to its specific lawful basis.
| Processing activity | Data involved | Lawful basis (Art. 6) |
|---|---|---|
| Account creation and authentication | Name, email, organisation, role | Contract performance — Art. 6(1)(b) |
| Running compliance scans and generating reports | Uploaded documents, questionnaire answers, integration data | Contract performance — Art. 6(1)(b) |
| AI-assisted compliance analysis | Anonymised document excerpts, boolean signals (no raw PII) | Contract performance — Art. 6(1)(b) |
| AI compliance assistant (chat) | Messages, conversation context | Contract performance — Art. 6(1)(b) |
| Billing and invoicing | Billing address, Stripe customer ID, subscription status | Contract performance — Art. 6(1)(b) & Legal obligation — Art. 6(1)(c) |
| Platform stability and error monitoring | Usage data, error logs, IP address | Legitimate interest — Art. 6(1)(f) |
| Security and fraud prevention | IP address, session data, audit logs | Legitimate interest — Art. 6(1)(f) |
| Feature development and improvement | Aggregated, anonymised usage analytics | Legitimate interest — Art. 6(1)(f) |
| Marketing communications | Email address, marketing preferences | Consent — Art. 6(1)(a) |
| Responding to supervisory authority requests | As required by the specific request | Legal obligation — Art. 6(1)(c) |
| Retention of billing records (7 years) | Invoices, transaction records | Legal obligation — Art. 6(1)(c) |
Legitimate interest assessments
For processing based on legitimate interest (Art. 6(1)(f)), we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. These assessments consider the nature of the data, the reasonable expectations of data subjects, and the impact on individuals. You may request a copy of these assessments by contacting us at contact@kodex-compliance.eu.
Withdrawing consent
Where processing relies on your consent (Art. 6(1)(a)), you may withdraw it at any time from your account settings or by contacting us. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
4. How We Use Your Data
- Authenticating your identity and managing your account
- Running automated and AI-assisted compliance scans against the frameworks you select
- Generating compliance gap reports, audit-ready documentation, and risk registers
- Providing the AI compliance assistant with context relevant to your questions
- Sending transactional emails (account confirmations, scan completion notices, invoices)
- Detecting and preventing fraud, abuse, and security incidents
- Improving platform features using aggregated, anonymised usage analytics. We do not train AI models on your data; all AI processing uses third-party models under data processing agreements (see Section 5)
- Complying with legal and regulatory obligations applicable to Kodex-Compliance
We do not use your data for advertising, do not sell it to third parties, and do not build individual marketing profiles.
5. AI Processing Disclosure
EU AI Act transparency notice
Kodex uses AI systems to assist with compliance analysis. In accordance with the EU AI Act, we disclose the following about our AI-powered features.
AI provider and data isolation
We use Anthropic Claude (provided by Anthropic, PBC) to analyse compliance evidence, generate gap assessments, and power the AI compliance assistant. Section 6 also lists OpenAI as a secondary inference provider.
The AI model never accesses your systems directly. When you connect an integration (GitHub, Google Workspace, Slack, Notion), Kodex's own servers fetch data using the OAuth tokens you authorise. Before any data is sent to the AI model, a PII anonymiser strips personal identifiers (names, emails, phone numbers, national IDs, IBANs) and replaces them with placeholders. The AI receives only boolean signals and sanitised, anonymised document excerpts, never raw source code, credentials, or personal data. See our AI Transparency Notice for a detailed breakdown of the data isolation architecture.
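The anonymisation step in the paragraph above, as an added illustration. This is example code written for this page, not Kodex's anonymiser, and it makes no claim about how the actual pipeline is built: it covers three of the identifier types listed (email addresses, phone numbers, IBANs) with regular expressions written for this example, validates IBAN candidates with the ISO 13616 mod-97 checksum so that random letter/digit runs are not redacted, and issues stable placeholders so the model can still tell that two excerpts refer to the same person or account. The evidence excerpt is constructed; the `Pseudonymiser` class, the `[KIND_n]` placeholder format and the regexes are assumptions.

```python
import re
from dataclasses import dataclass, field

# Detectors. They run most-specific first: an IBAN's digit groups would
# otherwise be picked up by the looser phone pattern. These regexes are
# assumptions for this example, not Kodex's actual detection rules.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# (?<!\d ) stops a "00xx" digit group inside a spaced account number from
# being read as an international dialling prefix.
PHONE_RE = re.compile(
    r"(?<!\d )(?<![\w/])(?:\+|00)\d{1,3}[\s-]?(?:\(?\d+\)?[\s-]?){2,6}\d(?!\w)"
)
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]{4}){2,7}(?:[ ]?[A-Z0-9]{1,4})?\b")


def iban_is_valid(candidate: str) -> bool:
    """ISO 13616 mod-97 check, so random letter/digit runs are not redacted."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    numeric = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])  # A=10 ... Z=35
    return int(numeric) % 97 == 1


@dataclass
class Pseudonymiser:
    """Swaps identifiers for stable placeholders such as [EMAIL_1] or [IBAN_2].

    The same value always gets the same placeholder, so a model can still tell
    that two excerpts concern the same person or account without seeing who.
    `reverse` keeps the originals for re-identification on the controller's
    side; while that table exists the output is pseudonymised, not anonymised
    (GDPR Art. 4(5)), and the table is itself personal data to protect.
    """
    reverse: dict[str, str] = field(default_factory=dict)
    _forward: dict[tuple[str, str], str] = field(default_factory=dict)

    def _placeholder(self, kind: str, value: str) -> str:
        key = (kind, value.replace(" ", "").lower())  # "DE89 3704..." == "DE893704..."
        if key not in self._forward:
            n = sum(1 for k in self._forward if k[0] == kind) + 1
            token = f"[{kind}_{n}]"
            self._forward[key] = token
            self.reverse[token] = value
        return self._forward[key]

    def redact(self, text: str) -> str:
        text = IBAN_RE.sub(
            lambda m: self._placeholder("IBAN", m.group(0))
            if iban_is_valid(m.group(0)) else m.group(0),
            text,
        )
        text = EMAIL_RE.sub(lambda m: self._placeholder("EMAIL", m.group(0)), text)
        text = PHONE_RE.sub(lambda m: self._placeholder("PHONE", m.group(0)), text)
        return text

    def restore(self, text: str) -> str:
        """Controller-side re-identification of a model response."""
        for token, original in self.reverse.items():
            text = text.replace(token, original)
        return text


# Constructed evidence excerpt for the demo (not real data). The person's name
# is deliberately left in: names and national IDs need an NER model or
# country-specific validators and are outside this example.
SAMPLE_EVIDENCE = (
    "Access review approved by Anna Schmidt <anna.schmidt@example.com>, "
    "tel. +49 30 1234567. Refund the deposit to DE89 3704 0044 0532 0130 00. "
    "Escalations: anna.schmidt@example.com or +49 30 1234567."
)


def redact_sample() -> tuple[str, Pseudonymiser]:
    p = Pseudonymiser()
    return p.redact(SAMPLE_EVIDENCE), p


if __name__ == "__main__":
    redacted, p = redact_sample()
    print(redacted)
    print(p.reverse)
```

Two points worth noting. Detector order matters: run the most specific pattern first, because the digit groups of an IBAN look like a phone number to a loose phone regex. And keeping the reverse mapping so that a model's answer can be re-identified makes the output pseudonymised rather than anonymised in GDPR terms (Art. 4(5)); that table is itself personal data and must never travel with the excerpts.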
Anthropic processes this data as a data processor under a Data Processing Agreement. See Anthropic's Privacy Policy for details.
Advisory nature of AI outputs
AI-generated compliance assessments, scores, and recommendations are advisory only. They do not constitute legal advice and should not be relied upon as a substitute for professional legal or compliance counsel.
No automated decision-making with legal effects
We do not use automated processing, including AI, to make decisions that produce legal effects or similarly significant consequences for you or your organisation without human oversight (GDPR Art. 22). All material compliance determinations involve human review by your team or our compliance specialists.
Right to human review
You may at any time request human review of any AI-generated assessment by contacting us at contact@kodex-compliance.eu. We will provide a human-reviewed response within 10 business days.
Model training
We do not permit Anthropic to use your data to train its foundation models. We operate under Anthropic's API terms which prohibit using customer-submitted data for model training without explicit opt-in consent.
6. Data Sharing & Third Parties
We share your data only with the sub-processors necessary to operate the platform. We maintain Data Processing Agreements (DPAs) with all processors.
| Processor | Purpose | Data location |
|---|---|---|
| Anthropic, PBC | AI analysis and compliance assistant | USA (SCC applies) |
| Supabase, Inc. | Database, authentication, and file storage | EU (Frankfurt) |
| Stripe, Inc. | Payment processing and billing | USA/EU (SCC applies) |
| Upstash, Inc. | Caching and background job queues | EU region selected |
| Vercel, Inc. | Application hosting and edge delivery | USA/EU (SCC applies) |
| Resend, Inc. | Transactional email delivery | EU |
| Sentry (Functional Software Inc.) | Error monitoring and performance | EU (Frankfurt ingest) |
| OpenAI (OpCo, LLC) | AI inference (secondary provider) | USA (SCC applies) |
We do not sell, rent, or trade your personal data with third parties for marketing or commercial purposes. We may disclose data where required by law or to protect the legal rights of Kodex-Compliance.
7. International Data Transfers
Our primary infrastructure (Supabase) is located within the EU. However, some of our sub-processors — including Anthropic, Vercel, and Stripe — may process data in countries outside the European Economic Area (EEA), including the United States.
Where data is transferred outside the EEA, we ensure that appropriate safeguards are in place in accordance with Chapter V GDPR, primarily through:
- Standard Contractual Clauses (SCCs) adopted by the European Commission
- Transfer Impact Assessments (TIAs) where required by supervisory guidance
- Supplementary technical measures (encryption in transit and at rest)
You may request a copy of the relevant safeguards by contacting us at contact@kodex-compliance.eu.
8. Data Retention
We retain personal data only for as long as necessary for the purpose it was collected, or as required by law.
Retention periods
| Data type | Retention period |
|---|---|
| Account and profile data | Duration of subscription + 30 days after deletion request |
| Compliance content and evidence | Duration of subscription + 90 days (for recovery); then permanently deleted |
| AI chat history | 90 days (configurable per workspace) |
| Billing records | 7 years (legal obligation under EU accounting law) |
| Security logs | 12 months |
| Integration tokens | Until revoked by you or subscription ends |
Account deletion
You can permanently delete your account at any time from the Danger Zone section in Settings. Upon confirmation, we delete your user account and all associated data from our production systems, including your organisation, projects, uploaded documents and evidence, scan results, compliance scores, framework configurations, integration connections, policies, risk registers, and generated reports. Backup copies containing your data are purged within 90 days, after which the deletion is irreversible. Billing records are retained for 7 years as required by EU accounting law.
9. Your Rights (GDPR Art. 15–22)
As a data subject under GDPR, you have the following rights. To exercise any of them, contact us at contact@kodex-compliance.eu. We will respond within one month (extendable by a further two months for complex requests, with notice, as permitted by Art. 12(3) GDPR).
Right of access (Art. 15)
Request a copy of the personal data we hold about you and information about how we process it.
Right to rectification (Art. 16)
Request correction of inaccurate or incomplete personal data.
Right to erasure (Art. 17)
Delete your account and all personal data from the Danger Zone in Settings. Data is removed from production systems on confirmation and from backups within 90 days (see Section 8), subject to legal retention obligations.
Right to data portability (Art. 20)
Download all your personal data in JSON format from Settings → Your Data. This structured, machine-readable export can be transferred to another controller.
Right to restrict processing (Art. 18)
Request that we limit the processing of your data in certain circumstances.
Right to object (Art. 21)
Object to processing based on legitimate interests or for direct marketing purposes.
Withdraw consent (Art. 7(3))
Where processing relies on consent, withdraw it at any time without affecting lawfulness of prior processing.
Lodge a complaint
You have the right to lodge a complaint with your national data protection supervisory authority.
Many of these rights can be exercised directly within your account settings. For requests that cannot be fulfilled via the platform, use the contact details in Section 14.
10. Security Measures
We implement appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction.
Technical controls
- All data encrypted at rest using AES-256 (storage-level encryption managed by Supabase for the PostgreSQL database and file storage)
- All data in transit encrypted via TLS 1.3
- Row-level security (RLS) policies enforced at the database layer
- Authentication tokens signed and rotated; sessions expire after inactivity
- Integration OAuth tokens stored encrypted and scoped to minimum required permissions
- Regular automated vulnerability scanning of platform dependencies
Organisational controls
- Access to production systems limited to authorised personnel on a need-to-know basis
- Employee security awareness training and background checks
- Incident response plan with defined breach notification procedures (72-hour notification to the supervisory authority under GDPR Art. 33)
- Regular internal security audits and third-party penetration testing
If you discover a security vulnerability, please report it responsibly to contact@kodex-compliance.eu.
12. Children's Privacy
The Kodex platform is a professional compliance tool intended for use by businesses and their employees. It is not directed at, or intended for use by, individuals under the age of 16.
We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us immediately at contact@kodex-compliance.eu and we will delete such data promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.
When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Send an email notification to all registered account holders at least 14 days before the changes take effect
- Display a prominent notice within the Kodex platform
- For significant changes affecting your rights, request fresh consent where required by GDPR
Your continued use of the platform after the effective date of changes constitutes acceptance of the updated policy, except where consent is required by law.
14. Contact & DPO
For any questions about this Privacy Policy, to exercise your data subject rights, or to raise a concern about how we handle your personal data, please contact us:
Data Protection Officer
We are currently assessing whether a Data Protection Officer appointment is required under Article 37 GDPR based on the scale and nature of our data processing activities. This section will be updated once the assessment is complete.
Email: contact@kodex-compliance.eu
Supervisory authority
If you are unsatisfied with our response, you have the right to lodge a complaint with the supervisory authority in your EU member state. A list of national data protection authorities is available at edpb.europa.eu.