Privacy Policy
Last updated: March 22, 2026
1. Introduction
OneComply ("we", "us", "our") is a SaaS compliance platform operated from the European Union. We are committed to protecting your personal data in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and all applicable EU and national data protection laws.
This Privacy Policy explains how we collect, use, store, and share your personal data when you use our platform, visit our website, or interact with us. It also describes your rights as a data subject under the GDPR.
2. Data Controller
The data controller responsible for your personal data is:
OneComply S.A.
Registered in Luxembourg
EU hosting infrastructure
Data Protection Officer: dpo@onecomply.eu
3. Data We Collect
We collect and process the following categories of personal data:
3.1 Account Information
- Full name, email address, and job title
- Organization name, address, and LEI code
- Authentication credentials (managed via Supabase Auth)
- Role and permissions within your organization
3.2 Platform Usage Data
- Vendor risk assessments and questionnaire responses
- Compliance controls, policies, and evidence uploads
- Incident reports and management records
- Audit logs and activity timestamps
- Register of Information (ROI) data
3.3 Technical Data
- IP address, browser type, and device information
- Session data and access logs
- Cookies and similar tracking technologies
3.4 Payment Data
- Billing information processed through Stripe (we do not store credit card numbers)
- Subscription plan and payment history
4. Purposes and Legal Basis for Processing
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing the DORA compliance platform | Performance of contract (Art. 6(1)(b)) |
| Account management and authentication | Performance of contract (Art. 6(1)(b)) |
| Processing payments and subscriptions | Performance of contract (Art. 6(1)(b)) |
| Security monitoring and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Product analytics and improvement | Consent (Art. 6(1)(a)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Legal compliance and regulatory obligations | Legal obligation (Art. 6(1)(c)) |
| AI-powered contract analysis and insights | Legitimate interest (Art. 6(1)(f)) with safeguards |
5. Data Retention
We retain your personal data only for as long as necessary for the purposes described in this policy, or as required by applicable law:
- Account data: Retained for the duration of your subscription plus 30 days after account deletion.
- Compliance evidence: Default retention of 365 days, configurable per organization.
- Incident records: Default retention of 730 days (2 years), configurable per organization.
- Vendor assessment data: Default retention of 1,095 days (3 years), configurable per organization.
- Payment records: Retained for 7 years as required by Luxembourg tax law.
- Audit logs: Retained for 5 years for regulatory compliance purposes.
6. Third-Party Data Sharing
We share personal data with the following categories of service providers, all of whom are bound by data processing agreements (DPAs) compliant with GDPR Article 28:
Supabase (Authentication & Database)
Provides authentication services and database hosting. Data is stored in EU-region servers. Supabase acts as a data processor under our instructions.
Stripe (Payment Processing)
Processes subscription payments. Stripe is a certified PCI DSS Level 1 service provider. Only necessary billing data is shared. Stripe acts as an independent controller for fraud prevention.
OpenAI (AI-Powered Analysis)
Provides AI-powered contract analysis, policy generation, and compliance insights. Data sent to OpenAI is processed under a DPA with zero data retention for training. No personal data is included in AI prompts where avoidable.
We do not sell your personal data to any third party. We do not share data with third parties for their own marketing purposes. Our current sub-processor list is published at /legal/subprocessors.
7. Cross-Border Data Transfers
OneComply is hosted within the European Union. Where data transfers outside the EEA are necessary (e.g., for AI processing via OpenAI), we ensure appropriate safeguards are in place:
- EU Standard Contractual Clauses (SCCs) as approved by the European Commission
- Data processing agreements that comply with GDPR Chapter V
- Encryption of data in transit and at rest
- Data minimization principles applied to all cross-border transfers
8. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights. You can exercise these rights by contacting our DPO or using the self-service tools in your account settings:
- Right of access (Art. 15): Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate personal data.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Right to restriction (Art. 18): Request restriction of processing in certain circumstances.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format via our data export feature.
- Right to object (Art. 21): Object to processing based on legitimate interest or direct marketing.
- Right to withdraw consent (Art. 7(3)): Withdraw consent at any time for consent-based processing.
- Right to lodge a complaint (Art. 77): File a complaint with a supervisory authority, including the CNPD in Luxembourg.
We will respond to all data subject requests within 30 days. In complex cases, this may be extended by an additional 60 days with prior notice.
9. Cookie Policy
We use cookies and similar technologies on our platform. You can manage your cookie preferences at any time through our cookie consent banner.
9.1 Essential Cookies
Required for the platform to function. These include authentication tokens, session identifiers, and security cookies. These cannot be disabled.
9.2 Analytics Cookies
Help us understand how users interact with the platform to improve performance and usability. These are only set with your explicit consent.
9.3 Marketing Cookies
Used to deliver relevant content and measure the effectiveness of our communications. These are only set with your explicit consent.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Row-level security policies enforced at the database level
- Role-based access controls applying the principle of least privilege
- Regular security assessments and penetration testing
- Incident response procedures aligned with DORA Article 17
- Multi-factor authentication support
11. Data Protection Officer
Our Data Protection Officer can be contacted for any questions regarding this policy or your personal data:
Data Protection Officer
Email: dpo@onecomply.eu
OneComply S.A., Luxembourg
You also have the right to lodge a complaint with the Commission Nationale pour la Protection des Données (CNPD), the supervisory authority in Luxembourg, or any other EU supervisory authority.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice on our platform at least 30 days before the changes take effect. Your continued use of the platform after the effective date constitutes acceptance of the updated policy.