Privacy Policy

Version 2.0 — Last updated: 5 May 2026

This policy is provided in compliance with Articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR") and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus, IKS).

1. Data Controller

The data controller responsible for the processing of your personal data under this policy is:

Fikret Alimov (operating as "ComplyKit")
Established in: Tallinn, Estonia
Address: [Postal address in Tallinn, Estonia — to be added by owner before paid launch]
Estonian Commercial Register code (Äriregister): [Not yet registered — to be added if and when a legal entity is established]
Email: hello@nocodelisted.com
Privacy contact: privacy@nocodelisted.com

No Data Protection Officer (DPO) has been appointed; ComplyKit's processing activities do not currently meet the thresholds in GDPR Art. 37 that would mandate one.

2. Personal Data We Collect

Waitlist signup (homepage):

  • Email address you submit
  • The fact and timestamp of your marketing-consent opt-in

Privacy Policy Generator:

  • Email address (to deliver your generated draft)
  • Your company name and website
  • Your business type and primary country of operation
  • The categories of personal data your service collects (your selections)
  • The third-party services and subprocessors you use (selections + free-text)
  • Your privacy / DPO contact email (if provided)
  • Your data retention period
  • The full generated draft Privacy Policy

⚠️ The free-text "other services" field and the DPO contact email field may contain personal data (e.g. an individual's email address). Please do not paste sensitive personal data into free-text fields. We truncate free-text input at 200 characters.

Automatically (via our hosting provider, Vercel):

  • IP address (truncated / anonymised by Vercel)
  • Browser user-agent and device type
  • Referring URL and timestamps of requests

3. Lawful Basis for Processing

We process your personal data on the following lawful bases under GDPR Article 6:

  • Waitlist signup → Art. 6(1)(a) consent. You tick the marketing-consent checkbox before we add you. You may withdraw consent at any time.
  • Generator transaction → Art. 6(1)(b) performance of a contract. When you submit the generator form we process your inputs to deliver the requested draft document to you.
  • Server logs and security telemetry → Art. 6(1)(f) legitimate interests. Our legitimate interest is operating, securing, and debugging the service. We balance this against your rights and use only privacy-preserving telemetry (Vercel's aggregate analytics; no third-party tracking pixels or advertising cookies).

4. Subprocessors

We share your personal data with the following processors, each of whom processes data on our behalf under a Data Processing Addendum:

| Processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Supabase Inc. | Database — storing waitlist emails and generator inputs/outputs | EU region (Frankfurt); corporate HQ in Singapore | Stays in EEA where possible; SCCs apply to any extra-EEA support access |
| OpenAI, L.L.C. | AI generation of policy drafts (your generator inputs are sent to the OpenAI API) | United States | EU Standard Contractual Clauses (SCCs) per OpenAI’s DPA. OpenAI does not use API inputs for model training and retains them for up to 30 days for abuse monitoring. |
| Vercel Inc. | Hosting, edge caching, request logs, aggregate analytics | United States (with EU edge nodes) | EU Standard Contractual Clauses (SCCs) per Vercel’s DPA |

5. International Data Transfers

Some of our subprocessors are located in the United States (OpenAI, Vercel). When we transfer your personal data outside the European Economic Area, we rely on the EU Standard Contractual Clauses (SCCs) issued by the European Commission (Decision 2021/914) as the transfer mechanism, as documented in each subprocessor's Data Processing Addendum.

You may request a copy of the relevant safeguards by emailing privacy@nocodelisted.com.

6. Data Retention

  • Waitlist email: retained until you unsubscribe or request deletion.
  • Generator inputs and generated drafts: retained for up to 90 days from generation, after which records are anonymised (email and company-identifying fields removed) and only the aggregated data that is retained is kept, solely to improve the service.
  • Server / hosting logs: retained per Vercel's default retention (typically 30 days for request logs).

7. Your Rights

If you are in the EU, EEA, or UK, you have the following rights under the GDPR / UK GDPR:

  • Access (Art. 15) — request a copy of your data
  • Rectification (Art. 16) — correct inaccurate data
  • Erasure / right to be forgotten (Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20)
  • Objection (Art. 21), including objection to direct marketing at any time
  • Withdrawal of consent (Art. 7(3)) — without affecting the lawfulness of prior processing
  • Lodge a complaint with a supervisory authority (Art. 77)

How to exercise your rights: email privacy@nocodelisted.com from the address associated with your data. We will respond within 30 days as required by Art. 12(3).

Right to complain. You have the right to lodge a complaint with a data-protection supervisory authority. As the controller is established in Estonia, the competent supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, AKI). You may also complain to the supervisory authority of your habitual residence or place of work.

8. Cookies and Tracking

We do not use advertising cookies, tracking pixels, or third-party analytics that set cookies on your device. Our hosting provider (Vercel) provides aggregate, cookie-less analytics on a legitimate-interests basis. We do not run Google Analytics, Meta Pixel, TikTok Pixel, or similar trackers.

If we ever introduce non-essential cookies (e.g., for product analytics), we will display a consent banner that complies with the ePrivacy Directive and § 1031 of the Estonian Electronic Communications Act (Elektroonilise side seadus) before any non-essential cookie is set.

9. Children's Privacy

ComplyKit is not intended for use by children under 16 years of age, and we do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact privacy@nocodelisted.com so we can delete it.

10. Automated Decision-Making

We do not engage in automated decision-making with legal or similarly significant effects (GDPR Art. 22). The Privacy Policy generator uses an AI model (OpenAI) to produce a textual draft based on your inputs, but no automated decision is made about you that produces legal effects.

11. Security

We use TLS in transit; data at rest is stored in an encrypted Supabase database. Access to production credentials is restricted to the controller. We will notify the relevant supervisory authority of any personal-data breach within 72 hours where required by GDPR Art. 33.

12. Changes to This Policy

We may update this policy as our processing activities evolve. The version number and last-updated date at the top of this page will always reflect the current version. Material changes will be announced on the homepage and, where you have given us marketing consent, by email.

13. Contact

For any privacy-related questions, complaints, or rights requests, contact privacy@nocodelisted.com or hello@nocodelisted.com.

See also our Imprint and Terms of Service.