Skip to main content
CompliantHQ

Privacy Policy

Last updated: April 2026

Data controller

CompliantHQ is operated by Style4 Solutions AB (Org.nr 556910-5926), Lievägen 3, 599 31 Ödeshög, Sweden. Email: hello@complianthq.ai

What data we collect

When you create an account or use our scanning service, we collect:

  • Email address — used for authentication (magic link login) and notifications.
  • Website URLs — the sites you register for scanning.
  • Billing details — company name, address, VAT number (if provided).
  • Scan results — cookies, third-party requests, WCAG findings, and consent violations detected on your sites.

We do not collect passwords (we use magic link authentication) and we do not use tracking cookies on complianthq.ai.

How we use your data and legal basis

Every processing activity is grounded in a specific legal basis under GDPR Art. 6:

  • Magic-link login and account management — legal basis: contract (Art. 6.1.b).
  • Scan notifications and product-related email — legal basis: contract (Art. 6.1.b).
  • Trial reminders and onboarding email — legal basis: legitimate interest (Art. 6.1.f).
  • AI analysis of scan results for action plans and chat — legal basis: contract (Art. 6.1.b).
  • Billing and bookkeeping — legal basis: contract (Art. 6.1.b) and legal obligation under the Swedish Accounting Act (Bokföringslagen; Art. 6.1.c).
  • Security logging and incident response — legal basis: legitimate interest (Art. 6.1.f).

We do not sell, share, or transfer your data to third parties except to the sub-processors described below.

Sub-processors

We use the following sub-processors to operate the service. All are bound by a data processing agreement and may only process your data on our behalf according to our instructions.

  • Anthropic PBC (USA) — AI analysis of scan results. For each action plan or chat reply, we send a summary of scan results (cookie names, script URLs, WCAG findings, page titles, and HTML snippets from publicly reachable pages on your site) to Anthropic's Claude API. We do not send login credentials, payment data, or data from authenticated areas of your site. If your public pages happen to contain personal data (e.g., contact emails), it may be included. Anthropic Privacy Policy.
  • Mailjet (EU) — transactional email delivery. Your email address and email content pass through Mailjet's servers. Mailjet Privacy Policy.
  • Hetzner (Finland) — hosting for our application and database servers.
  • Playwright/Chromium — automated browser running on our own servers to scan your sites. No data is sent to Google or other third parties from the scanning process itself.

International transfers

Anthropic PBC is based in the United States. The transfer is made under the EU-US Data Privacy Framework (to which Anthropic is certified), supplemented by the European Commission's Standard Contractual Clauses (SCCs) as a safeguard under GDPR Art. 46. All other sub-processors are based within the EU/EEA.

Data storage and retention

Your data is stored in a MariaDB database on servers located in Finland. Retention by data category:

  • Account and profile data — for the lifetime of your account; deleted within 30 days after you delete the account.
  • Scan results and action plans — for the lifetime of your account; deleted with the account.
  • Invoicing and bookkeeping records — retained for 7 years after the end of the financial year as required by the Swedish Accounting Act (Bokföringslagen 1999:1078), even if the account is deleted.
  • Email delivery logs (Mailjet) — 30 days for delivery troubleshooting.
  • AI prompt/response logs (Anthropic) — 90 days for quality monitoring and debugging.
  • Server and security logs — 90 days for incident response and access auditing.

Your rights

Under GDPR, you have the right to:

  • Access your personal data.
  • Correct inaccurate data.
  • Delete your account and all associated data (except bookkeeping data required by law).
  • Export your data in a machine-readable format.
  • Object to processing or request restriction.

To exercise any of these rights, email us at hello@complianthq.ai.

If you believe our processing violates GDPR, you have the right to lodge a complaint with the Swedish supervisory authority, Integritetsskyddsmyndigheten (IMY): imy.se.

Cookies

CompliantHQ uses only essential cookies: a session cookie for authentication and a locale cookie (NEXT_LOCALE) to remember your language preference. We do not use analytics, advertising, or tracking cookies.

Changes to this policy

We may update this policy from time to time. Changes will be posted on this page with an updated date. Continued use of the service after changes constitutes acceptance.

Privacy Policy — CompliantHQ