Privacy Policy

Last updated: 2025-10-16

Who we are

ComplySherpa, Inc. (“ComplySherpa”, “we”, “us”) provides software to help organizations automate and manage compliance workflows. This Privacy Policy explains how we collect, use, and disclose information on our marketing site and within our application.

Scope

  • Marketing site (e.g., complysherpa.com) — pages like Home, Pricing, Knowledge, FAQ.
  • Application (the ComplySherpa app) — authenticated product experience for customers.

Data we process

Information you provide

  • Contact & trial forms: name, email, company, role, and any message you include.
  • Support and feedback: content of your requests and correspondence.

Information collected automatically

  • Device and usage: browser, OS, pages viewed, time on page, referrer, approximate location.
  • Cookie preferences: your consent choices (essential vs. analytics).

Within the application, customers may process content they control (evidence, policies, etc.). In those cases, ComplySherpa acts as a processor for that data and the customer is the controller.

Legal bases

  • Consent (GDPR Art. 6(1)(a)) for analytics cookies and marketing communications.
  • Contract (Art. 6(1)(b)) to provide the app and related services.
  • Legitimate interests (Art. 6(1)(f)) for security, fraud prevention, and service improvement.

Cookies & tracking (GDPR + ePrivacy)

We use a cookie consent banner to gather explicit consent for analytics cookies. Essential cookies are required for the site/app to function and are always on. You can change or withdraw consent anytime below.

Cookie categories

  • Essential: session, security, consent state.
  • Analytics: usage insights (page views, clicks, scroll-depth) when consented.

Analytics & processors

When you consent to analytics, we may use:

  • Microsoft Clarity (session analytics & heatmaps). We mask sensitive fields and avoid PII. Data may be stored in the EU/US per Microsoft’s regional architecture and retention settings.
  • Email/CRM tools (e.g., transactional emails for trials or support). Only used as needed.

We maintain agreements and DPAs with our processors. A current list of sub-processors is available on request.

How we use information

  • Provide and improve the site and app
  • Respond to inquiries and support requests
  • Personalize content and communications (when consented)
  • Maintain security, monitor for abuse, and comply with law

Retention

We retain marketing and analytics data only as long as necessary for the purposes described or as required by law. Application (customer) data is retained per contract and customer instructions.

Your rights

Depending on your jurisdiction (e.g., GDPR, PIPEDA), you may have rights to access, correct, delete, or export your personal data, and to object or restrict certain processing. You can also withdraw consent at any time.

To exercise your rights, contact us using the details below. We will verify your request and respond within the required timeframes.

International transfers

Where data is transferred internationally, we implement appropriate safeguards (e.g., Standard Contractual Clauses) and assess partners’ privacy and security practices.

Security

We use administrative, technical, and organizational measures to protect information, including encryption in transit and at rest where applicable, access controls (SSO/RBAC), audit logging, and vulnerability management.

Children

Our services are not directed to children under 16, and we do not knowingly collect their personal data.

Contact

Mark Dias
Calgary, AB, Canada
mark@mddias.com

Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised version with a new “Last updated” date and, where appropriate, notify you by email or in-app message.

This page is for informational purposes only and does not constitute legal advice.