Privacy Policy

We built ComplianceMonitor.io because we believe people deserve to know how their data is handled. This page explains exactly how we handle yours.

Last updated 26 May 2026 · GDPR · ePrivacy · CCPA

Who we are

ComplianceMonitor.io is operated from Greece by the ComplianceMonitor team. For the purposes of the EU General Data Protection Regulation (GDPR), we act as the data controller for personal data we collect from visitors and account holders of compliancemonitor.io.

When you use the Evidence API or your dashboard to scan a website, you instruct us to process technical data about that website. In that flow we act as a data processor on your behalf.

What we collect

Account information

When you sign up: your email address, a hashed password, and your chosen workspace name. If you pay for a plan, our payment provider also handles your billing address and the last four digits of your card. We never see or store full card numbers.

Scan data

For every audit we run on your behalf we record the target URL, the timestamp, the violations detected, the cookies that were set, the third-party requests made by the browser, and the resulting compliance score. This is the product.

Usage data

We log when API keys are used, which endpoints they hit, and how often — purely to apply rate limits and detect abuse. We do not log the response bodies returned to your application.

Marketing site visits

On compliancemonitor.io itself we use no analytics, no advertising tags, no cross-site identifiers and no third-party cookies. Our own server logs the IP address and user agent of each request for 30 days, after which they are deleted, and we use them only to keep the service up and to investigate incidents.

How we use it

We process your data to:

We do not sell, rent or trade personal data. We do not use your data to train machine-learning models, and we do not profile you for advertising.

Legal basis

Under GDPR Art. 6(1), we rely on:

Sharing & subprocessors

We share personal data only with a short list of carefully chosen subprocessors who help us deliver the service. All are bound by data processing agreements and EU-compliant safeguards.

We do not transfer data to other parties for any purpose except where required by law.

International transfers

Our primary infrastructure is located in the European Union. Where a subprocessor processes data outside the EU/EEA, we rely on the European Commission's Standard Contractual Clauses (2021/914) and additional technical safeguards including transport encryption and storage encryption at rest.

Retention

Data and how long we keep it:

Account profile: for as long as your account is active, plus 30 days after deletion.
Scan history & reports: 13 months by default; configurable in your dashboard.
API request logs: 30 days.
Server logs (IP + UA): 30 days.
Invoices & tax records: 10 years, as required by Greek law.

Your rights

Wherever you live, we treat the following rights as universal. Under GDPR they are specifically enumerated in Articles 15–22:

To exercise any of these rights, email us at [email protected]. We respond within 30 days. You also have the right to lodge a complaint with the Greek Data Protection Authority (HDPA) or your local supervisory authority.

California residents have additional rights under the CCPA — including the right to know, the right to delete and the right to opt out of sale. We don't sell personal data, so the third right is effectively automatic.

Children

ComplianceMonitor.io is a B2B tool. We don't knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.

Changes to this policy

When we change anything material in this policy — new subprocessors, new processing purposes, expanded retention — we will email account holders at least 30 days before the change takes effect. The bottom of this page always shows the date of the last revision.

Contact

Privacy questions go straight to a human, not a ticketing queue.