This policy explains what data CompStack collects, how we use it, and the rights you have over it. It applies to compstack.io and the CompStack application.
Plain-English summary
CompStack is a B2B compliance platform. We collect the minimum data needed to deliver the service to your organization, we never sell your data, and we never train AI models on your data. You control what your team uploads; we keep it isolated and encrypted.
Who we are
CompStack Ltd. ("we", "us") is registered in Kenya with offices in Nairobi and Lagos. For privacy questions, write to privacy@compstack.io.
What we collect
Account data: name, email, role, and organization, captured when you create or are invited to a tenant.
Tenant content: the records your team uploads, requirements scoping, controls, documents, evidence files, audits, CAPA, risks, and management review notes.
Usage data: service logs, access times, IP address, and user agent, used for security, abuse prevention, and product improvement.
AI Copilot interactions: prompts, retrieved context references, model output, and approval decisions, recorded in your tenant’s audit log so you can review every Copilot action.
How we use data
To deliver the service to your organization. Your tenant content is processed only on your behalf and only to provide the platform.
To keep the service safe: detecting abuse, debugging, and meeting our security obligations.
To communicate about service changes, security incidents, and product updates you opt into.
We do not sell your data, and we do not train any AI models on it.
Your rights
You have the right to access, correct, export, or delete your personal data. As a B2B customer, you can self-serve most of this from inside the application; for anything you can’t, write to privacy@compstack.io and we’ll respond within 30 days.
GDPR, UK GDPR, and CCPA rights apply if you live in the EU, the UK, or California. We honor equivalent rights for residents of other regions on request.
Retention & deletion
Tenant content is retained for the life of your subscription. After cancellation, we maintain a 30-day grace window during which you can export everything. After that we crypto-shred the keys for your tenant data, rendering it unreadable.
Backups containing your data are encrypted and rotated out within 90 days.
Security
TLS 1.3 in transit, AES-256 at rest with per-tenant keys, signed URLs for evidence access, immutable audit log on every privileged action.
Read the full posture at /security.
Changes to this policy
We update this policy as the platform evolves and as regulations change. Material changes are notified at least 30 days in advance via email and inside the application.
