Privacy Policy

Last updated: March 30, 2026

1. Who we are

Complaro ApS (CVR 46053362), Copenhagen, Denmark ("Complaro", "we", "us") operates the CRA compliance platform at app.complaro.com and the website at complaro.com.

For questions about this policy or your data, contact us at info@complaro.com.

2. What data we collect

Account data

When you sign up, we receive your name, email address, and organization name from our authentication provider (Clerk). We also store your role within your organization and team membership.

Product & compliance data

You provide product names, manufacturer details, and Software Bills of Materials (SBOMs). We generate and store vulnerability scan results, CRA classification analyses, compliance scores, and ENISA reports based on this data.

Billing data

Payment is processed by Stripe. We store your Stripe customer ID, subscription plan, and billing period. We do not store credit card numbers — these are handled entirely by Stripe.

Integration data

If you connect integrations (Slack, Jira), we store the configuration you provide (webhook URLs, Jira credentials). These are used solely to deliver notifications and create issues on your behalf.

Usage & log data

We log API requests (method, path, status code, response time, IP address) for security and debugging. Logs are retained for 30 days. We do not use third-party analytics or tracking tools.

Email preferences

If you opt in to marketing emails, we store your consent status, the timestamp of your consent, and an unsubscribe token. You can withdraw consent at any time via the unsubscribe link in any email or in your account settings.

3. Why we process your data

We process your data for the following purposes:

  • Providing our service — account management, vulnerability scanning, compliance reporting, and billing (legal basis: contract performance).
  • Security & abuse prevention — request logging, rate limiting, and API key management (legal basis: legitimate interest).
  • Marketing emails — product updates and CRA compliance insights, only if you opt in (legal basis: consent).

4. Third-party services

We use the following sub-processors to deliver our service:

| Service | Purpose | Data shared | Location |
|---|---|---|---|
| Clerk | Authentication | Email, name, organization | US |
| Stripe | Payment processing | Billing details, plan info | US/EU |
| Resend (AWS SES) | Email delivery | Email address, email content | EU (eu-west-1) |
| Railway | Backend hosting | All application data | US |
| Vercel | Frontend hosting | Static assets, IP addresses | Global CDN |
| GitHub / NVD | Vulnerability data | Component names & versions (public data) | US |

5. Cookies

We use essential authentication cookies set by Clerk to keep you signed in. These are first-party, session-based cookies required for the service to function. We do not use advertising, analytics, or tracking cookies.

6. Data retention

  • Account data — retained while your account is active, deleted within 30 days of account deletion.
  • Product & scan data — retained while your account is active.
  • Server logs — retained for 30 days.
  • Billing records — retained as required by Danish accounting law (5 years).
  • Email consent records — retained to document your consent or withdrawal of consent.

7. Your rights

Under the GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Delete your data ("right to be forgotten")
  • Export your data in a portable format
  • Restrict processing
  • Object to processing based on legitimate interest
  • Withdraw consent for marketing emails at any time

To exercise any of these rights, email info@complaro.com. We will respond within 30 days. You also have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet).

8. International transfers

Some of our sub-processors are located outside the EU/EEA (see section 4). Where this is the case, transfers are protected by Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework, as applicable.

9. Security

We protect your data with encryption in transit (TLS), hashed API keys (SHA-256), JWT-based authentication, rate limiting, and security headers. Vulnerability reports can be sent to info@complaro.com.

10. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email or a notice in the app. The "last updated" date at the top indicates the most recent revision.