Privacy Policy
Last updated: April 2026
1. Who we are
ComplAI ("we", "us") is a SaaS platform that helps organisations achieve and maintain GDPR and ISO 27001 compliance. This policy explains what personal data we collect when you use the service, how we use it, the legal bases we rely on, and your rights under the GDPR and the UK Data Protection Act.
Controller: Niriis S.A., registered office: Patision 132, 112 57 Athens, Greece. GEMI 173456789 · VAT EL801234567.
Data Protection Officer: dpo@hotelbrain.com.
2. What data we collect
From you directly when you sign up and use the service:
- Account data — email address, display name, password hash (or Google OAuth identifier).
- Organisation profile — business name, website URL, industry, location, employee count, departments, and the personal data categories you tell us your organisation processes.
- Compliance content you create — policies, risks, evidence, audit records, supplier assessments, training records, and any other artefacts you generate or upload.
- Billing data — handled by Stripe; we receive only customer ID, plan, and subscription status. Card details never touch our servers.
- Usage telemetry — page-level analytics, AI generation events (counts and durations), error reports via Sentry. No content of generated documents is sent to telemetry.
3. How we use it
- To provide the service you signed up for (Art. 6(1)(b) — performance of contract).
- To run AI generation against the Google Gemini API on your behalf when you click a Generate button. The prompts include your business profile context but we do not use your prompts or outputs to train any model.
- To bill you according to your subscription plan (Art. 6(1)(b)).
- To meet our legal obligations such as tax records, fraud prevention, and security monitoring (Art. 6(1)(c)).
- For the legitimate interest of keeping the service secure and improving it (Art. 6(1)(f)) — anonymous error monitoring and aggregated usage stats.
4. Sub-processors we share with
We use the following service providers to run ComplAI. Each is bound by a Data Processing Agreement and processes data only on our documented instructions:
- Google Cloud (Firebase) — authentication, Firestore database, hosting (EU multi-region by default).
- Google AI (Gemini API) — AI generation. Prompts are not retained by Google for model training.
- Stripe — payment processing.
- Sentry — error monitoring (EU region).
- Vercel — application hosting (EU region).
The current sub-processor list is published in your dashboard at Vendors.
5. International transfers
Where data leaves the EEA, we rely on the EU–US Data Privacy Framework (where the recipient is certified) or the EU Standard Contractual Clauses with additional technical safeguards (encryption in transit and at rest).
6. Retention
We keep your account and all content you produce for as long as your subscription is active, plus 90 days after cancellation to allow recovery. After that we delete or fully anonymise your data. Tax-related billing records are kept for the period required by Greek and EU tax law (currently 10 years).
7. Your rights
Under the GDPR you can ask us at any time to:
- Access the personal data we hold about you (Art. 15)
- Rectify inaccuracies (Art. 16)
- Erase your data (Art. 17)
- Restrict or object to processing (Arts. 18, 21)
- Receive a portable export (Art. 20) — you can already do this from /dashboard/exports for your own org content.
- Withdraw consent at any time where consent is the legal basis
You also have the right to lodge a complaint with your supervisory authority (in Greece: the Hellenic Data Protection Authority — www.dpa.gr).
8. Security
We apply the technical and organisational measures expected of an ISO 27001 aspirant: encryption in transit (HSTS, TLS 1.2+) and at rest, server-side authentication on every API endpoint, Firestore security rules that enforce per-organisation isolation, audit logging for sensitive operations, and a documented incident response plan.
9. Cookies
We use a small set of cookies that are strictly necessary to keep you signed in and to remember your active organisation. We do not set advertising or third-party tracking cookies. The cookie banner you see on first visit gives you a record of the consent we relied on.
10. Changes
We will post material changes here and, where required, notify you by email before they take effect.
11. Contact
Email privacy@hotelbrain.com. For data-protection-specific requests, mark the email "DPO Request" and we will respond within 30 days.