Compyl Privacy Policy

Effective date: 6 February 2026

Last updated: 6 February 2026


This Privacy Policy explains how Compyl (“we”, “us”, “our”) collects, uses, discloses, and protects Personal Data when you visit our websites, interact with us, or use our products and services (collectively, the “Services”).

1) Who we are (Controller / Business / Data User)

Company / legal entity: InfoSecToolKit Inc., registered in Delaware, trading as “Compyl”

Registered address: 33 Irving Pl, New York, NY, 10003
Privacy contact: privacy@compyl.com

For EU/UK purposes, Compyl generally acts as a data controller for website and marketing data, and a data processor/service provider when processing Customer Data in our SaaS on behalf of a customer (the “Customer”), as described below.

2) Scope: Website data vs. Customer Data (SaaS)

This Policy covers:

  • Website/marketing data (e.g., when you browse our site, request a demo, download content, or contact us).
  • Business contact data (e.g., if you are a prospect, partner, vendor, or event attendee).
  • Customer Data in the platform: If your employer or another organization is our Customer and gives you access to Compyl, your use may involve Customer Data processed under the Customer’s instructions. In that case, the Customer controls that data and their privacy notice may apply. We process Customer Data under the applicable contract and data processing terms.

3) Personal Data we collect

We may collect the following categories (depending on how you interact with us):

  1. Identifiers & contact details
    • Name, business email, phone number, company, job title, account credentials.
  2. Device, usage & technical data
    • IP address, device identifiers, browser type, pages viewed, referring URLs, log files, session data, and approximate location derived from IP.
  3. Communications
    • Messages you send us (forms, emails, chat), meeting notes, support tickets, and recordings (where permitted and disclosed).
  4. Commercial & transactional information
    • Subscription details, billing contact details, invoices, payment status (we typically do not store full payment card details; our payment providers may process them).
  5. Customer Data (in-product)
    • Data uploaded into the platform by or for a Customer (e.g., evidence artifacts, policies, vendor questionnaires, access review data, users and roles). The specific data depends on how Customers configure the product.

Sensitive data
We do not intentionally collect “sensitive” data through our website. In the product, Customers may upload information that could be sensitive in some jurisdictions. Where we process sensitive data, we do so only to provide the Services, implement security, and meet legal obligations, consistent with Customer instructions.

4) How we collect Personal Data

We collect Personal Data:

  • Directly from you (forms, demo requests, support, account creation).
  • Automatically through cookies and similar technologies when you use our Services.
  • From third parties such as resellers/partners, publicly available sources (e.g., LinkedIn), and service providers supporting our marketing and operations.

5) How we use Personal Data (purposes)

We use Personal Data to:

    1. Provide the Services (authenticate users, operate features, process Customer instructions).
    2. Communicate with you (respond to requests, send service announcements, provide support).
    3. Sales and marketing (send newsletters, event invites, product updates—where allowed; you can opt out).
    4. Security and fraud prevention (monitor, detect, and prevent misuse; protect accounts and systems).
    5. Analytics and improvement (understand usage; fix bugs; improve performance and user experience).
    6. Compliance and legal (meet legal obligations, enforce contracts, resolve disputes).
    7. Business operations (billing, vendor management, audits, corporate transactions).

6) Legal bases for processing (EU/EEA & UK)

Where GDPR/UK GDPR applies, we rely on the following legal bases as appropriate:

  • Contract (to provide Services or take steps at your request).
  • Legitimate interests (e.g., security, service improvement, B2B marketing where permitted), balanced against your rights.
  • Consent (e.g., certain cookies; where required for marketing).
  • Legal obligation (e.g., compliance, recordkeeping).

7) Cookies, analytics, and similar technologies

We use cookies and similar technologies to:

  • Enable core site functionality,
  • Remember preferences,
  • Measure performance and usage,
  • Support marketing campaigns (where enabled and information is provided).

Where required, we present a cookie banner allowing you to accept/reject non-essential cookies. You can also control cookies via your browser settings.

8) How we disclose Personal Data

We may disclose Personal Data to:

  1. Service providers / processors
    Vendors who help us run the Services (e.g., hosting, analytics, email delivery, CRM, support tools, payment processors). They are authorized to process Personal Data only as needed to provide services to us and must protect it in line with industry standards and our own information security protection mechanisms.
  2. Customers (for Customer Data)
    If you use the Services through a Customer, we may disclose certain data to that Customer (e.g., admin access, audit logs) according to the Customer’s configuration, requirements and instructions.
  3. Legal and safety
    Where required by law or to protect rights, safety, and security.
  4. Corporate transactions
    In connection with a merger, acquisition, reorganization, or sale of assets (with appropriate protections).

We do not “sell” Personal Data in the traditional sense. Some privacy laws define “sale” or “share” broadly (e.g., for cross-context behavioral advertising). 

9) International data transfers

Because we operate globally, Personal Data may be transferred to and processed in countries other than where you live (including where our service providers operate).

Where required, we use appropriate safeguards such as:

  • EU Standard Contractual Clauses (SCCs) and UK addendum / UK transfer mechanisms,
  • Other lawful transfer tools recognized by applicable law.

International transfer transparency is a core expectation under EU/UK notice rules and several APAC regimes. 

10) Data retention

We retain Personal Data only as long as necessary for the purposes described in this Policy, including to:

  • Provide Compyl Services,
  • Meet legal, accounting, and audit obligations,
  • Resolve disputes and enforce agreements.

Retention periods:

  • Website inquiries / demo requests: Until the information is no longer required
  • Marketing subscriptions: until you unsubscribe or 2 years of inactivity
  • Account and Customer Data: for the duration of the Customer contract, plus 60 days after termination unless otherwise required or instructed
  • Security logs: 7 years

11) Security

We implement industry-standard administrative, technical, and organizational measures designed to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures are regularly tested, conform with SOC 2, and are aligned with industry best practices. Customers can review our testing and compliance with these standards through the Compyl trust center on request.

No system is 100% secure. You are responsible for keeping your credentials confidential and using appropriate security settings to limit disclosure.

12) Data breaches

Where required, Compyl will notify affected individuals, Customers, and/or regulators of certain data breaches within legally required timeframes. Compyl will also disclose information about potential breaches to government security and privacy entities where legally obligated.

13) Your rights and choices

Depending on where you live, you may have the right to:

  • Access and obtain a copy of your Personal Data,
  • Correct/rectify inaccurate data,
  • Delete/erase data (subject to exceptions),
  • Restrict or object to certain processing,
  • Data portability (in some jurisdictions),
  • Withdraw consent (where processing is based on consent),
  • Opt out of targeted advertising / certain disclosures (some jurisdictions),
  • Appeal a decision (some US states),
  • Lodge a complaint with a regulator.

EU/UK rights are set out in GDPR Chapter 3 (Articles 12–22). 

How to exercise rights:
Email privacy@compyl.com with the subject “Privacy Request.” We will verify your identity (and, where applicable, your authority to act for someone else) before fulfilling a request.

Authorized agents:
Where permitted (e.g., some US laws), you may use an authorized agent to submit requests on your behalf. We will require proof of authorization and may still verify your identity.

Response times:
We respond within timeframes required by law.

14) Marketing communications

You can opt out of marketing emails at any time by using the “unsubscribe” link or contacting us. Even if you opt out, we may still send non-marketing communications (e.g., security or service notices).

Regional disclosures

A) United States (state privacy laws, incl. California)

Several US states grant residents privacy rights similar to access, deletion, correction, portability, and opt-out of targeted advertising/profiling, with variations by state (e.g., CA, VA, CO, CT, UT, TX and others). 

A1) California (CCPA/CPRA) “Notice at Collection”

At or before collection, California requires disclosure of categories collected, purposes, and other details, and grants specific rights (including correction and limiting certain uses of sensitive PI). 

Categories collected: See Section 3 above.
Purposes: See Section 5 above.
Retention: See Section 10 above.
Sensitive Personal Information: We do not intentionally collect sensitive PI via the website. In the product, Customers may upload data that could be sensitive; we process it to provide the Services and protect security.
Sale/Share: We do not sell or share Personal Data.
Opt-out mechanisms: We honor browser-based opt-out signals where required or recognized.

We do not discriminate against users for exercising CCPA/CPRA rights. 

A2) Other US state residents

Depending on your state, you may have the right to:

  • confirm/access, correct, delete, and obtain a copy/portable copy of personal data,
  • opt out of targeted advertising, certain profiling, and certain disclosures,
  • appeal our decision if we decline a request (in some states).

To appeal (where applicable), email privacy@compyl.com with the subject “Appeal.”

B) EU/EEA (GDPR)

If you are in the EU/EEA, you have GDPR rights including access, rectification, erasure, restriction, portability, objection, and rights relating to automated decision-making.
You also have the right to lodge a complaint with your local supervisory authority.

C) United Kingdom (UK GDPR)

If you are in the UK, you have similar rights under the UK GDPR and may complain to the UK Information Commissioner’s Office (ICO). ICO guidance emphasizes clearly describing rights, lawful bases, and complaint routes. 

D) Australia (Privacy Act 1988 & Australian Privacy Principles)

We manage Personal Information in an open and transparent way and maintain an up-to-date privacy policy consistent with APP expectations.
Access and correction: You may request access or correction of your Personal Information.
Complaints: Contact us first at privacy@compyl.com. If unresolved, you may contact the OAIC.

E) Canada (PIPEDA + Québec Law 25)

PIPEDA applies to many commercial activities in Canada and is based on fair information principles (including accountability, identifying purposes, consent, safeguards, access).
In Québec, Law 25 modernizes privacy obligations and strengthens transparency and governance obligations. 

You may request access/correction and challenge our compliance by contacting privacy@compyl.com. If unresolved, you may complain to the Office of the Privacy Commissioner of Canada (and, in Québec, the CAI where applicable).

F) Hong Kong (PDPO)

Hong Kong’s PDPO is principle-based and requires fair collection and transparency under Data Protection Principles.
You may request access and correction of your personal data by contacting privacy@compyl.com.

G) Singapore (PDPA)

Singapore PDPA includes obligations such as notification/purpose limitation, protection, retention limitation, and transfer limitation.
You may request access/correction and withdraw consent (where applicable) by contacting privacy@compyl.com.

H) Indonesia (PDP Law)

Indonesia’s PDP Law is a comprehensive framework with rights and controller/processor obligations, including rules relevant to cross-border transfers and compliance expectations.
You may submit requests to privacy@compyl.com.

I) Thailand (PDPA)

Thailand’s PDPA is in force and provides rights similar to access, rectification, erasure, portability, and related notice requirements.
You may submit requests to privacy@compyl.com.

15) Children’s privacy

Our Services are not directed to children, and we do not knowingly collect Personal Data from children without appropriate consent where required. If you believe a child has provided Personal Data to us, contact privacy@compyl.com.

16) Changes to this Policy

We may update this Policy from time to time. We will post the updated version and change the “Last updated” date. Material changes may be communicated through the Services or by other appropriate means.

17) Contact us

For questions or requests, contact:
Email: privacy@compyl.com
Mail: InfoSecToolKit Inc., 33 Irving Place, New York, NY, USA, 10003.