Privacy Policy

Last updated: 2026-04-23

1. Data Controller

The data controller for Kompas is:

Łukasz Zuber
Operating from Poland
Email: admin@certifications.zielu.uk

2. Lawful Basis

  • Contract (Art. 6(1)(b)): Account management, service delivery
  • Legal obligation (Art. 6(1)(c)): Audit logging, compliance retention
  • Legitimate interest (Art. 6(1)(f)): Security, fraud prevention
  • Consent (Art. 6(1)(a)): Optional analytics (not active in MVP)

3. Categories of Data

  • Account data: name, email, organization details
  • Compliance data: controls, policies, risk assessments you create
  • Evidence: files uploaded to the evidence vault
  • AI interaction logs: prompts, outputs, model usage (for SOC 2 CC7.2 audit trail)
  • Technical data: IP address, user agent, access timestamps

4. Processors

We use the following subprocessors:

  • Hosting infrastructure (VPS provider)
  • AI providers (only if cloud AI mode enabled): Anthropic, OpenAI, OpenRouter

When cloud AI is used, data may be transferred outside the EEA under Standard Contractual Clauses (SCCs). Self-hosted mode with local LLM keeps all data within your infrastructure.

5. Retention Periods

  • Account data: retained while account is active + 1 year after termination
  • Compliance data: retained per your organization's retention policy, minimum 7 years for audit purposes
  • AI interaction logs: 3 years (retained to support the SOC 2 audit trail)
  • Audit logs: 7 years (non-deletable, WORM storage)

6. Your Rights (GDPR Articles 15–22)

You have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erasure (subject to legal retention requirements)
  • Data portability
  • Object to processing based on legitimate interests
  • Restrict processing in certain circumstances

To exercise these rights, contact: admin@certifications.zielu.uk

7. Data Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of it (GDPR Article 33) and, where the breach is likely to result in a high risk to your rights and freedoms, inform affected users without undue delay (GDPR Article 34).

8. Children's Data

Kompas is not directed at individuals under 16. We do not knowingly collect data from children.

9. Automated Decision-Making

Kompas uses AI to generate suggestions and drafts. All AI outputs require human review and approval before being applied. No solely automated decisions with legal or significant effects are made.

10. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with:

President of the Personal Data Protection Office (UODO)
Stawki 2, 00-193 Warsaw, Poland
www.uodo.gov.pl

11. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be notified via email or in-app notice.