Privacy Policy
This Privacy Policy explains how Berat Engin Büyükada, trading as Conformly ("we", "us"), collects and uses personal data when you visit https://getconformly.com or use the Conformly application (the "Service"). We have written it to meet the requirements of the EU General Data Protection Regulation (GDPR).
1. Controller and contact
For the personal data described in this policy, the controller is:
- Berat Engin Büyükada (trading as Conformly)
- İvedik OSB Mah. 1456. Cad. No: 4, Yenimahalle, Ankara, Türkiye, Türkiye
- Privacy contact: support@getconformly.com
Where you upload evidence or documents containing personal data about your staff, customers or users, you are the controller and we act as your processor, handling that data only on your instructions and for the purpose of providing the Service.
2. What we collect
Account data. Name, work email address, hashed password (or your identity-provider identifier), and your role. Provided by you at sign-up.
Organisation data. Company name, the AI systems you register, their descriptions, purposes, deployment context and the answers you give in the risk checker and wizards.
Compliance evidence. Documents, policies, notes and files you upload to the evidence vault, plus any personal data they happen to contain. We do not ask for special-category data, and you should not upload more than your compliance work requires.
Billing data. Plan, subscription status, and the transaction identifiers and receipts our merchant of record shares back with us. We never receive or store your payment card details — see section 4.
Usage and technical data. Log records of pages and features used, timestamps, IP address, browser and device type, referrer, and error diagnostics. Used to run, secure and improve the Service.
Correspondence. Emails and support messages you send us, so we can answer and keep a record.
3. Why we use it, and our lawful basis
| Purpose | Lawful basis |
|---|---|
| Creating and administering your account; providing the Service | Performance of a contract (Art. 6(1)(b)) |
| Processing your order, subscription and renewals | Performance of a contract (Art. 6(1)(b)) |
| Sending service and security notices (e.g. outages, policy changes) | Performance of a contract / legitimate interests (Art. 6(1)(b), (f)) |
| Providing support and answering enquiries | Performance of a contract / legitimate interests (Art. 6(1)(f)) |
| Securing the Service, preventing abuse and fraud | Legitimate interests (Art. 6(1)(f)) |
| Improving the Service using aggregated, de-identified usage statistics | Legitimate interests (Art. 6(1)(f)) |
| Regulation alerts and product marketing emails | Consent, or legitimate interests for existing customers — opt out any time (Art. 6(1)(a), (f)) |
| Keeping accounting, tax and compliance records | Legal obligation (Art. 6(1)(c)) |
| Establishing, exercising or defending legal claims | Legitimate interests (Art. 6(1)(f)) |
We do not sell personal data. We do not use your Customer Content to train third-party AI models. We do not carry out automated decision-making that produces legal effects concerning you — the classifier scores AI systems against the regulation, not people.
4. Payments — Paddle is our merchant of record
Purchases are processed by Paddle.com Market Ltd, which acts as the merchant of record / authorised reseller for our orders. When you pay, you are transacting with Paddle: Paddle collects your billing and payment details, processes the card or other payment method, calculates and remits sales tax/VAT, and issues the invoice.
Paddle is an independent controller of the payment data it collects for those purposes and processes it under its own privacy notice. We receive only what we need to run your subscription — such as your billing email, country, plan, transaction ID and payment status. Card numbers, CVV codes and bank details never reach our systems.
5. Sub-processors and recipients
We keep our supply chain deliberately short. We use:
| Recipient | Purpose | Location |
|---|---|---|
| Hosting & managed database provider | Running the application and storing your data | European Union |
| Object/file storage provider | Storing uploaded evidence and generated reports | European Union |
| Transactional email provider | Sign-in, notification and support emails | EU / adequacy or SCCs |
| Paddle.com Market Ltd | Payments, tax, invoicing, refunds (merchant of record) | UK / EU |
| Error monitoring & analytics | Diagnosing faults, measuring usage | EU / adequacy or SCCs |
Each sub-processor is bound by a written data processing agreement with confidentiality and security obligations, and may use the data only to provide its service to us. We may also disclose data to professional advisers, or to authorities where we are legally required to — and to an acquirer if the business is sold, in which case this policy continues to apply until replaced.
An up-to-date list of sub-processors is available on request at support@getconformly.com. Enterprise customers can ask to be notified of changes.
6. International transfers
Your Service data is hosted in the European Union. Where a provider processes data outside the EEA, we rely on an adequacy decision or on the European Commission's Standard Contractual Clauses together with, where needed, supplementary technical measures such as encryption in transit and at rest. You can request details of the safeguards for any specific transfer.
7. Retention
- Account and organisation data: for as long as your account is active, then deleted or anonymised within 90 days of closure, unless a longer period is required by law.
- Compliance evidence and generated reports: kept while your account is active so they remain available for your audits; deleted within 90 days of account closure. Export before you close your account — deletion is irreversible.
- Billing and tax records: retained for the period required by tax law (typically 7–10 years). Paddle keeps its own transaction records under its policy.
- Security and application logs: typically 12 months.
- Support correspondence: up to 24 months after the matter is closed.
You can ask us to delete data sooner — see your rights below.
8. Your rights
If you are in the EEA or the UK, you have the right to:
- Access — get a copy of the personal data we hold about you;
- Rectification — have inaccurate or incomplete data corrected;
- Erasure — have your data deleted where there is no overriding basis to keep it;
- Restriction — have processing paused while an issue is resolved;
- Portability — receive data you gave us in a structured, machine-readable format, or have it sent to another controller;
- Object — object to processing based on legitimate interests, including profiling; and to object to direct marketing at any time, absolutely;
- Withdraw consent — where processing rests on consent, without affecting prior lawful processing;
- Complain — lodge a complaint with your supervisory authority. We would appreciate the chance to resolve it first.
To exercise a right, email support@getconformly.com from the address on your account. We respond within one month, and may extend by two further months for complex requests (we will tell you if so). We may need to verify your identity. Requests are free unless manifestly unfounded or excessive.
Where the data belongs to your end users and we act as your processor, please raise the request with your own organisation — we will assist you as your processor.
9. Security
We apply measures appropriate to the risk, including: encryption in transit (TLS) and at rest; hashed passwords; role-based access control and least-privilege access for staff; tenant isolation so one organisation cannot read another's data; audit logging of sensitive actions; regular dependency patching and backups; and EU-based hosting with reputable providers. No system is perfectly secure, so we also maintain an incident process and will notify you and, where required, the supervisory authority of a personal data breach without undue delay.
10. Cookies
We keep cookies to the minimum:
- Strictly necessary — session and authentication cookies that keep you signed in and protect against CSRF. These cannot be switched off without breaking the Service, and do not require consent.
- Preferences — remembering choices such as interface state.
- Analytics — privacy-respecting, aggregated measurement of how the site is used. Where consent is required, we ask for it before setting these and you can decline without losing functionality.
You can also block or delete cookies in your browser; strictly necessary cookies being blocked will prevent sign-in.
11. Children
The Service is a business product and is not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided data, contact us and we will delete it.
12. Changes
We may update this policy as the Service or the law changes. The current version is always at https://getconformly.com/privacy with the "Last updated" date above. For material changes we will notify account holders by email or in-app before they take effect.
13. Contact
Privacy questions or requests: support@getconformly.com, or Berat Engin Büyükada, İvedik OSB Mah. 1456. Cad. No: 4, Yenimahalle, Ankara, Türkiye, Türkiye.