Privacy Policy

Last updated: May 15, 2026

Plain-language summary (not a substitute for the policy below): ComplyHat is a renderer, not a data broker. We collect the minimum to operate the Service: an account email and name, a Stripe customer reference for billing, and an audit-log payload of the operations your AI agent performs through our MCP server. Your model metadata stays in your tenant. We do not sell your data. We do not train any model on it.

1. Who this policy covers

This policy describes how ComplyHat AI (“ComplyHat”, “we”, “us”) handles personal data of customers (“Customer”, “you”) using the ComplyHat Service. It applies to data you submit through the web app, the Stripe checkout flow, the remote MCP endpoint at /api/mcp, and any direct correspondence with us.

2. What we collect

  • Account data: full name, work email, organization name, authentication identifiers issued by Supabase Auth (including OAuth client IDs and tokens for connected MCP hosts).
  • Billing data: a Stripe customer ID and subscription state. Card details and billing addresses are held by Stripe; ComplyHat never receives or stores card numbers.
  • Audit-log payload: for every MCP operation, a row in audit_logs recording actor type, actor user ID, OAuth client ID, action name, and a JSONB details field describing the operation. This is the regulated audit trail your qualified counsel may need to produce on request.
  • Model metadata you submit: framework selection, model card content, bias and drift test inputs, and any text you supply through MCP ops. This stays in your tenant and is scoped by row-level security to your organization.
  • Diagnostic logs: Vercel runtime logs (request paths, error stacks). No request bodies are persisted in runtime logs by default.

3. Why we collect it

  • To deliver the Service and authenticate your MCP host (legitimate interest).
  • To bill you and remit taxes through Stripe (contract performance, legal obligation).
  • To keep the audit trail your downstream compliance workflow may require (contract performance, legitimate interest in a defensible audit posture).
  • To investigate security incidents and debug operational failures (legitimate interest).

We do not sell, rent, or share personal data with third parties for advertising. We do not train any AI model on Customer data; ComplyHat performs zero internal LLM calls.

4. Subprocessors

We rely on the following subprocessors to operate the Service. We commit to updating this list when subprocessors change.

Vendor     Purpose                                                                 Region
Supabase   PostgreSQL hosting, authentication, edge functions, audit-log storage   United States
Vercel     Next.js hosting, edge runtime, runtime logs                             United States
Stripe     Subscription billing, invoicing, payment-method storage                 United States

5. Data retention

  • Account data is retained while your account is active and for thirty (30) days following a deletion request, after which it is purged from operational systems.
  • Audit logs are retained per the regulatory minimum applicable to your subscribed frameworks (typically 5 to 7 years for SR 26-2, EU AI Act technical-file evidence, and similar). You can export your audit logs at any time via the dashboard or the audit_events.list MCP op. You can download the full compliance memory as a Markdown file from the dashboard or read it via the wiki(mode="read") MCP op, and clear it at any time from the dashboard or via wiki(mode="delete").
  • Stripe billing records follow Stripe’s own retention policy.
  • Vercel runtime logs are retained per Vercel’s default policy.

6. Your rights

Depending on where you reside, you may have rights under the EU General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act (“CCPA”), or analogous laws, including the right to:

  • Access the personal data we hold about you;
  • Request correction of inaccurate or incomplete data;
  • Request deletion of your data (subject to retention obligations described in Section 5);
  • Request export of your data in a portable, machine-readable format;
  • Object to or restrict certain processing;
  • Withdraw consent where processing is based on consent.

To exercise any of these rights, email john@complyhat.ai. We will respond within the timelines required by applicable law (30 days under GDPR; 45 days under CCPA, extendable once).

7. International transfers

ComplyHat operates from the United States, and ComplyHat’s primary Supabase database and Vercel runtime are hosted in US AWS regions. If you are located in the European Economic Area, the United Kingdom, or Switzerland, your data is transferred to and processed in the United States.

We rely on two transfer mechanisms in parallel. First, Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) executed with each subprocessor, including the Supabase Data Processing Addendum which incorporates the SCCs in its annexes. Second, where the subprocessor is self-certified, the EU-US Data Privacy Framework (in force since 10 July 2023). Each subprocessor’s certification status is published on its own trust page.

The organizations.data_region column on your tenant records your declared data residency. The default value is us. A parallel EU-region database is reserved for future deployment and will activate when an EU-resident customer requires it; we will update this Privacy Policy and notify affected accounts in advance of any routing change.

8. Data minimization

ComplyHat’s bias, drift, explainability, and adversarial-robustness engines compute in memory during the lifetime of a single MCP request and do not persist raw training datasets, prediction inputs, or model weights. Only the summary artifacts (metric values, threshold rulings, per-subgroup counts, drift scores, attribution rankings, completeness scores) and the structured report and model-card content are written to durable storage. Your model metadata, framework selections, and operator decisions are stored under row-level security scoped to your organization.

ComplyHat performs zero internal LLM calls and does not train any model on Customer data. Host agents (Claude Code, Claude Desktop, Codex Desktop, Codex CLI, OpenClaw, NemoClaw) bring their own reasoning; ComplyHat returns structured citations.

9. Children’s data

ComplyHat is a business-to-business product not directed at children under 13. We do not knowingly collect personal data from children under 13. If we learn that we have done so, we will delete it.

10. Changes to this policy

ComplyHat may modify this Privacy Policy. Material changes will be posted on this page with an updated “Last updated” date and, where reasonable, communicated via the dashboard banner or email at least thirty (30) days prior to taking effect. Continued use of the Service after the effective date constitutes acceptance of the modified policy.

11. Contact

Questions regarding this Privacy Policy or to exercise the rights described in Section 6 may be sent to john@complyhat.ai.

© 2026 ComplyHat

ComplyHat is software, not a law firm. Its outputs are not legal advice, and your counsel reviews every document before any regulator submission.