Privacy Policy

Last updated: February 18, 2026

1. Who we are

complixo is operated by Toine.com B.V., registered in the Netherlands (KVK 87544903, BTW NL864325381B01). We provide a self-serve compliance management platform for European businesses.

Contact: privacy@complixo.com

2. What data we collect

We collect the following categories of personal data:

  • Account data: name, email address, hashed password
  • Organization data: company name, sector, jurisdiction
  • AI system records: descriptions, providers, models, classifications, compliance documentation you enter
  • Usage data: login timestamps, feature usage, export history
  • Payment data: processed by Stripe (we do not store card numbers)

3. Why we process your data

Purpose | Legal basis
Providing the service | Contract performance (Art. 6(1)(b) GDPR)
Account security & fraud prevention | Legitimate interest (Art. 6(1)(f) GDPR)
Service improvement & analytics | Legitimate interest (Art. 6(1)(f) GDPR)
Transactional emails (welcome, trial expiry) | Contract performance (Art. 6(1)(b) GDPR)
Legal compliance & audit trail | Legal obligation (Art. 6(1)(c) GDPR)

4. Where your data is stored

All data is stored in the European Union. Our infrastructure providers and their data locations:

  • Supabase (database & authentication) — Frankfurt, Germany (eu-central-1)
  • Vercel (hosting & serverless functions) — EU region (fra1)
  • Stripe (payments) — EU-certified, PCI DSS Level 1 compliant
  • Resend (transactional email) — processes email metadata

We do not transfer personal data outside the European Economic Area unless covered by appropriate safeguards (Standard Contractual Clauses).

5. Data retention

  • Account data: retained while your account is active, deleted within 30 days of account deletion
  • AI system records: retained while your account is active
  • Audit logs: retained for 5 years (EU AI Act documentation requirement)
  • Payment records: retained for 7 years (tax obligation)

6. Your rights

Under the GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data (“right to be forgotten”)
  • Export your data in a portable format
  • Restrict processing
  • Object to processing based on legitimate interests

To exercise these rights, contact us at privacy@complixo.com. You can also export or delete your data directly from Settings in your dashboard. We will respond within 30 days.

7. Cookies & tracking

complixo uses the following types of cookies and tracking:

  • Strictly necessary cookies: authentication and session management (always active, no consent required)
  • Analytics (with consent): if you accept cookies via our cookie banner, we load Google Analytics (GA4) for usage analysis. GA4 may set analytics cookies. If you decline, no Google cookies are placed and no data is sent to Google.

We do not use advertising cookies or third-party advertising trackers.

8. Security

We protect your data with encryption at rest (AES-256), encryption in transit (TLS 1.3), row-level security ensuring tenant isolation, hash-chained audit trails for tamper detection, and strict Content Security Policy headers.

9. Changes to this policy

We may update this privacy policy from time to time. We will notify you of material changes via email or a notice in the application. The “last updated” date at the top indicates the most recent revision.

10. Contact & complaints

For privacy inquiries: privacy@complixo.com

If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).