Privacy policy
Last updated: February 2026
1. Introduction
ComplianceVault (“we”, “our”, or “us”) is committed to protecting the privacy of our users. This policy explains how we collect, use, and safeguard your personal data when you use our mobile application and web services.
2. Data we collect
We collect the following types of information:
- Account information: name, email address, and password when you create an account.
- Organisation data: organisation name, team member details, and subscription tier.
- Compliance evidence: documents, certificates, and files you upload to the platform.
- Usage data: how you interact with the application, including features used and actions taken.
- Device information: device type, operating system, and app version for troubleshooting.
3. How we use your data
- To provide and maintain the ComplianceVault service.
- To send renewal reminders and notifications you have configured.
- To generate compliance packs and audit reports on your behalf.
- To improve the product based on aggregated, anonymised usage patterns.
- To communicate important service updates and security notices.
4. Data storage and security
Your compliance data (database records and uploaded files) is stored using Supabase infrastructure hosted in London, UK (AWS eu-west-2). Our web application runs on Vercel, pinned to their London region (lhr1). All data is encrypted in transit using TLS and at rest using AES-256 encryption. File uploads are stored in isolated, access-controlled storage buckets.
Ancillary services used for push notifications (Firebase Cloud Messaging) and email delivery (Resend) may process limited data (device tokens, email addresses) outside the UK. No compliance documents or evidence files are sent to these services.
5. Data sharing
We do not sell your personal data. We share data only in the following circumstances:
- When you share compliance packs via secure links with your chosen recipients.
- With infrastructure providers (Supabase, Vercel) who process data on our behalf under strict agreements.
- When required by law or to protect our legal rights.
6. Sub-processors
We use the following third-party sub-processors to deliver the ComplianceVault service. Each operates under a data processing agreement with us.
| Provider | Purpose | Data location |
|---|---|---|
| Supabase (AWS) | Database, authentication, file storage | London, UK (eu-west-2) |
| Vercel | Web application hosting, serverless functions | London, UK (lhr1) |
| Stripe | Payment processing, subscription billing | EU / US |
| Resend | Transactional email delivery | US |
| Firebase (Google) | Push notifications (device tokens only) | US |
| Plausible Analytics | Privacy-friendly web analytics (no cookies, no personal data) | EU (Germany) |
No compliance documents or evidence files are shared with Stripe, Resend, Firebase, or Plausible. Only Supabase stores your uploaded files and compliance records.
7. Your rights
Under UK GDPR and the Data Protection Act 2018, you have the right to access, correct, delete, or export your personal data. You can exercise these rights through the app settings or by contacting us directly.
8. Data retention
We retain your data for as long as your account is active. When you delete your account, your personal data and uploaded files are permanently removed within 30 days. Anonymised usage data may be retained for analytics purposes.
9. Cookies and tracking
The ComplianceVault mobile app does not use cookies. Our web services use essential cookies only for authentication and session management. We do not use third-party advertising trackers.
10. Changes to this policy
We may update this privacy policy from time to time. Significant changes will be communicated via in-app notification. Continued use of the service after changes constitutes acceptance of the updated policy.
11. Contact
For privacy-related questions or data requests, contact us at privacy@thecompliancevault.co.uk.