Home

Privacy Policy

Last updated: 15 July 2026

Compliance One helps companies prove they handle data responsibly, so it would be a bad look if we didn't hold ourselves to the same standard. This policy explains, in plain language, what personal data we collect, why, where it lives, and the control you have over it. No dense legalese, no buried surprises.

The short version

We collect the minimum we need to run our website and platform. We never sell your personal data. You choose which region your data is stored in — the EU, the US, or Asia-Pacific. We protect it with encryption, strict access controls, and continuous monitoring. And you can ask us at any time to show you, correct, export, or delete your data.

The rest of this page is the detail behind those promises.

Who this applies to

This policy covers people who visit complianceonecloud.com, people who contact us or request a demo, and people who use the Compliance One platform through an organisation that subscribes to it. Where an organisation uploads its own data to the platform, that organisation is the controller of that data and we act as its processor — the Data Processing Addendum governs that relationship in detail.

What we collect

We group the data we collect into three buckets, so it's clear what comes from where:

  • Information you give us directly. When you fill in the demo form or email us, that's your name, work email, company, and whatever you write in the message. When your organisation sets up an account, that includes account details for its users.
  • Information we collect automatically. Like most websites, we log basic technical data when you visit — for example your approximate location (derived from your IP address), browser type, the pages you view, and the referring link. This helps us keep the site fast, secure, and free of bots.
  • Customer content. This is the evidence, documents, and records your organisation uploads to the platform. We process it strictly on your organisation's behalf to provide the service — we don't mine it, sell it, or use it to train models.

Why we use it (with examples)

We only use personal data for reasons you would reasonably expect:

  • To run the service. For example, storing your organisation's evidence so an auditor can review it, or sending a password-reset email when someone asks for one.
  • To respond to you. For example, replying to a demo request or a support question.
  • To keep everyone safe. For example, using Cloudflare Turnstile to block bots on our forms, or rate-limiting requests to stop abuse.
  • To improve the product. For example, understanding which help articles get read so we can write better ones. We use aggregate, not intrusive, analysis for this.
  • To meet legal and security obligations. For example, keeping billing records for the period tax law requires.

Our legal bases (for GDPR)

If you're in the EU, UK, or another region with GDPR-style rules, we rely on a specific legal basis for each use:

  • Performance of a contract — to deliver the service your organisation signed up for.
  • Legitimate interests — to secure our systems, prevent abuse, and understand how the site is used, balanced against your rights.
  • Consent — for optional things like marketing emails, which you can withdraw at any time.
  • Legal obligation — where the law requires us to keep or disclose certain data.

Where your data lives

This is the part people care about most, so we'll be specific. The platform runs on Amazon Web Services (AWS). When your organisation signs up, it chooses a data region, and its evidence is stored there in its own isolated storage bucket — not pooled in a shared table. We support three regions:

  • European Union — hosted in AWS Frankfurt (eu-central-1), for data that must stay in the EU.
  • United States — hosted in AWS Northern Virginia (us-east-1).
  • Asia-Pacific — hosted in AWS Singapore (ap-southeast-1).

For organisations with the strictest requirements

Enterprise customers can go a step further and bring their own AWS S3 storage, keeping their evidence entirely within their own account and under their own custody. Some operational and website data (like analytics and logs) may be processed in other regions by our sub-processors — we list them, and their roles, on our Sub-processors page.

How we protect it

We hold our own security programme to the same six frameworks we help our customers with — ISO 27001, SOC 2, ISO 42001, HIPAA, PCI DSS, and NIS2. In practice that means:

  • Encryption in transit (TLS) and at rest for stored data.
  • Physical tenant isolation — each organisation's evidence sits in its own bucket, not commingled.
  • Least-privilege access controls, so staff can only reach what their role genuinely requires.
  • Continuous monitoring and logging, so unusual activity is caught quickly rather than months later.

Who we share it with

We do not sell personal data, and we don't share it for anyone else's advertising. We share it only with a small set of vetted sub-processors who help us run the service — for example AWS for hosting, Cloudflare for bot protection, and an email provider for transactional messages. Each is contractually bound to protect your data and use it only on our instructions. The full list, and what each one does, is on our Sub-processors page. We may also disclose data where the law genuinely requires it, and if we're ever part of a merger or acquisition, we'll tell you before your data becomes subject to a different policy.

International transfers

Because we offer regional storage, you can keep personal data in your chosen region. Where data does cross borders — for example when a support engineer in one country helps with an account in another — we rely on appropriate safeguards such as the EU Standard Contractual Clauses, and we minimise what's transferred.

Cookies and analytics

Our website uses a small number of cookies and similar technologies to keep the site working, remember your preferences, and understand aggregate usage so we can improve it. We keep this light and non-invasive, and we don't use cookies to build advertising profiles of you.

How long we keep it

We keep personal data only as long as we need it, then delete or anonymise it. For example: demo-request messages are kept while we follow up and for a reasonable period after; customer content is kept for the life of the subscription and then deleted or returned as set out in the DPA; and billing records are kept for the period tax and accounting law requires.

Your rights

Depending on where you live, you have rights over your personal data — and we honour them regardless of where you're based, because it's the right thing to do. You can ask us to:

  • Show you what personal data we hold about you.
  • Correct anything that's wrong or out of date.
  • Delete your data, where we're not required to keep it.
  • Export your data in a portable format.
  • Restrict or object to certain processing, or withdraw consent you previously gave.

Children

Compliance One is a tool for businesses, not children. We don't knowingly collect personal data from anyone under 16, and if we learn we have, we'll delete it.

Changes to this policy

If we make a meaningful change, we'll update the date at the top and, for significant changes, let affected users know rather than quietly editing this page. The version you're reading was last updated on the date shown above.

How to reach us

Questions about your data, or want to exercise one of the rights above? Email us at hello@complianceonecloud.com and a real person will help.