Privacy Policy

    How RedComply collects, uses, shares, and protects your personal data under the GDPR.

    1. Who we are

    RedComply ("we", "our", or "us") operates an AI-assisted EN 18031 cybersecurity compliance platform under the EU Radio Equipment Directive. The controller of your personal data is RedComply. To contact us about this notice or to exercise your rights, please use the privacy contact form at /contact/privacy. This notice describes how we process your personal data in accordance with the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and applicable Member State law.

    2. What data we collect

    We collect three categories of personal data while you use the platform, described below.

    Account data

    When you register for the platform we collect:

    • Email address
    • Name
    • Company name (optional)
    • Country (optional)
    • Language preference and UI settings
    • An authentication identifier used to manage your session

    Technical data

    When you use the platform we collect:

    • Authentication tokens (delivered as httpOnly, Secure, SameSite=Lax cookies)
    • IP address and User-Agent (used by our authentication provider to detect suspicious activity; not used for marketing profiling)
    • Basic application logs needed to operate and secure the service

    Compliance content you create

    While using the platform you generate, upload, or store:

    • Technical documentation tables (asset inventories, security mechanisms, justifications, decision-tree outcomes)
    • Test plan records (conceptual, functional completeness and functional sufficiency assessments, evaluator comments)
    • Documents you upload to the project Knowledge Base (for example network scans, test reports, interface enumeration logs)
    • Conversations and context exchanged with the in-app AI Assistant

    3. Why we process your data and on what legal basis

    We process your personal data for the following purposes:

    • Provide the service (account management, storing your projects, AI-assisted suggestions, Knowledge Base storage) - core product functionality
    • Secure the service (authentication, session management, audit logging, abuse prevention)
    • Respond to your requests (support, privacy requests, contract administration)
    • Send optional product updates and newsletters (only if you opted in)
    • Comply with our own legal obligations (for example retaining compliance records under the EU Radio Equipment Directive)

    Legal basis under Article 6 GDPR

    Each processing activity has a lawful basis:

    • Performance of the contract with you (Art. 6(1)(b)) - account management, compliance data storage, AI-assisted features
    • Legitimate interest (Art. 6(1)(f)) - audit logging, service security, abuse prevention. On request we will share the balancing test for these activities.
    • Consent (Art. 6(1)(a)) - marketing emails through our email service provider (you can withdraw consent at any time)
    • Legal obligation (Art. 6(1)(c)) - retention of compliance documentation evidencing your RED conformity assessments

    4. Who we share your data with

    We do not sell your personal data. We share it only with vetted processors acting on our documented instructions under Article 28 GDPR. We use the following categories of recipients:

    Categories of processors

    • Cloud infrastructure provider - hosts our authentication, database, object storage and compute. Data is stored in the European Economic Area (Ireland).
    • AI agent service - powers the in-app AI Assistant. Located in the United States (outside the EEA). The provider in turn uses its own sub-processor to perform large language model inference and embeddings on our behalf.
    • Email service provider - transactional and marketing email. Ireland (EEA).

    Legal requests

    We may disclose personal data where strictly necessary to:

    • Comply with a lawful order from a competent authority
    • Protect the rights, property or safety of RedComply, our users, or the public
    • Investigate or prevent abuse of the platform

    We never sell your personal data or share it for third-party advertising.

    5. How we protect your data

    We apply technical and organisational measures required by Article 32 GDPR:

    • Transport Layer Security (TLS) for all traffic between browser, server and processors
    • Encryption at rest for database and object storage
    • httpOnly, Secure, SameSite-scoped session cookies
    • Role-based access control and least-privilege database accounts
    • Per-user and per-project isolation for AI agent memory and Knowledge Base files
    • Audit logging of changes to compliance records
    • Secrets managed through environment variables and rotated on personnel changes
    • Regular dependency updates and security reviews

    No security measure can guarantee absolute protection. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours under Article 33 GDPR and notify you directly when Article 34 requires it.

    6. Your rights

    As a data subject you have the following rights under Articles 15 to 22 GDPR:

    • Access - receive a copy of the personal data we hold about you (Art. 15)
    • Rectification - ask us to correct inaccurate or incomplete data (Art. 16)
    • Erasure - ask us to delete your data where Article 17 applies. This triggers a cascade that removes your AI agents and memory in the AI agent service, your Knowledge Base files, your compliance data in our database, and your marketing records.
    • Restriction - ask us to pause processing while a dispute is resolved (Art. 18)
    • Portability - receive your data in a structured, machine-readable format (Art. 20). We provide this through an in-app data export function.
    • Objection - object to processing based on legitimate interests (Art. 21)
    • Withdraw consent - for processing based on consent, such as marketing (Art. 7(3)). Withdrawal does not affect the lawfulness of processing carried out before it.
    • Lodge a complaint with a supervisory authority (Art. 77). The Italian supervisory authority (Garante per la protezione dei dati personali, www.garanteprivacy.it) is our lead authority; you may also complain to your local authority.

    To exercise any of these rights, please use the privacy contact form at /contact/privacy. You can also manage your account and marketing preferences directly in the in-app "Privacy" settings. We respond within one month under Article 12(3), extendable by two months for complex requests.

    11. Children

    The platform is intended for compliance professionals in a business context and is not directed at anyone under 16. We do not knowingly collect personal data from children. If we become aware that we have collected such data we will delete it promptly; please contact us via the privacy contact form if you believe a child has provided us with personal data.

    12. Changes to this policy

    We may update this Privacy Policy to reflect changes to our services, processors or the law. When we do, we will:

    • Update the "Last updated" date at the top of this page
    • Notify registered users by email for material changes
    • Show an in-app notice on next sign-in
    • For changes to our sub-processor list, provide at least 30 days advance notice where required by customer contracts

    If you disagree with a change, you may exercise your rights in Section 6 (including erasure) at any time.