Complezy

Complezy Privacy Policy

Effective Date: 17/12/2025
Last Updated: 17/12/2025

1. Introduction

Complezy ("Complezy", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, retain, and protect personal data when you use our ESG questionnaire and ESG data management platform (the "Service") or visit our website.

This Privacy Policy applies to:

  • Individuals who create or are invited to a Complezy account
  • Representatives of business customers who use Complezy
  • Visitors to our website and marketing pages

By using Complezy, you acknowledge that you have read and understood this Privacy Policy.

2. Who We Are and How to Contact Us

Data Controller

Complezy LLC

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Email: privacy@complezy.com

If applicable:

Data Protection Officer (DPO): privacy@complezy.com

3. Personal Data We Collect

3.1 Information You Provide to Us

Account and Profile Data

  • Name
  • Business email address
  • Password (stored in hashed form)
  • Job title and department
  • Company name, industry, and size

Customer and Billing Data

  • Billing contact name and details
  • Company billing information
  • Tax/VAT number (if applicable)
  • Subscription details and invoices
  • Payment card details are processed by our payment provider and are not stored in full by us.

ESG and Questionnaire Data

In course of using Service, you and your organization may upload or enter:

  • ESG metrics (e.g., emissions, energy use, workforce statistics)
  • ESG policies and documents
  • Customer questionnaires and your responses
  • Supporting evidence (e.g., certifications, audit reports)

This content may contain personal data about your staff or other individuals. Your organization is responsible for ensuring it has a lawful basis to provide this data to Complezy.

Support and Communication Data

  • Records of emails and messages you send to us
  • Support tickets and call notes
  • Feedback and survey responses

3.2 Information We Collect Automatically

When you use our website or Service, we automatically collect:

  • IP address and approximate location (city/region)
  • Browser type and version, device type, operating system
  • Referring URL and pages visited
  • Date and time of access
  • Log data about feature usage, clicks, and performance events

We use cookies and similar technologies for these purposes (see Section 13).

3.3 Information We Receive from Third Parties

  • Payment and subscription status information from our payment provider
  • Authentication/identity data from your organization's SSO/identity provider (if enabled)
  • Limited business contact information from publicly available sources or partners (e.g., LinkedIn or company websites)

4. Legal Bases for Processing

Where GDPR or similar laws apply, we process personal data on following legal bases:

  • Contract: To create and manage accounts, provide the Service, and handle billing and support.
  • Legitimate Interests: To secure and improve the Service, understand usage, prevent abuse, and communicate with business users about related products and features.
  • Consent: For certain cookies/analytics and for optional marketing communications, where required by law.
  • Legal Obligations: To comply with tax, accounting, and other regulatory requirements and to respond to lawful requests.

5. How We Use Personal Data

We use personal data to:

  • Provide, operate, and maintain the Service
  • Authenticate users and manage access and permissions
  • Process subscriptions, payments, and invoices
  • Store and display ESG data, questionnaires, and responses for your organization
  • Provide customer support and respond to inquiries
  • Monitor and improve performance, stability, and security
  • Analyze usage trends to improve features and user experience
  • Send service-related communications (e.g., security alerts, updates)
  • Send marketing communications where permitted (you can opt out at any time)
  • Detect, investigate, and prevent fraud and abuse
  • Comply with applicable laws and enforce our terms

We do not sell personal data.

6. How We Share Personal Data

We share personal data only as necessary and with appropriate safeguards:

6.1 Within Your Organization

Other authorized users in your workspace (e.g., your colleagues, admins) can see ESG data, questionnaires, and related content according to permissions and roles configured by your organization.

6.2 Service Providers

We use third-party providers to help deliver the Service, including:

  • Cloud hosting and infrastructure
  • Payment processing
  • Email delivery and notifications
  • Analytics and error monitoring
  • Customer support tools

These providers process personal data on our instructions and are bound by confidentiality and data protection obligations.

6.3 Legal, Compliance, and Safety

We may disclose personal data:

  • If required by law, regulation, or legal process
  • To respond to requests from public authorities
  • To protect the rights, property, or safety of Complezy, our users, or others
  • To investigate and prevent fraud or security issues

6.4 Business Transfers

If we are involved in a merger, acquisition, restructuring, or sale of assets, personal data may be transferred as part of that transaction. We will notify you of any material change to ownership or use of personal data.

We do not share personal data with third parties for their independent marketing purposes.

7. Data Retention

We retain personal data for as long as necessary to:

  • Provide the Service and maintain your account
  • Meet our contractual and legal obligations
  • Resolve disputes and enforce our agreements

In general:

  • Account and profile data are retained while your account is active and for a limited period afterward, unless we are required to keep them longer.
  • ESG and questionnaire data are retained for as long as your organization maintains it in the Service or instructs us to delete it.
  • Billing and transaction records are retained for the period required by tax and accounting laws.

When data is no longer needed, we delete or anonymize it in line with our retention policies.

8. Your Rights

Depending on your location and applicable law (e.g., GDPR, UK GDPR, or similar regimes), you may have the following rights:

  • Access: Request a copy of personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data in certain circumstances.
  • Restriction: Request that we restrict processing in certain cases.
  • Portability: Request a copy of your personal data in a structured, commonly used, machine-readable format.
  • Objection: Object to processing based on legitimate interests, including direct marketing.
  • Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.

To exercise these rights, contact us at privacy@complezy.com. We may need to verify your identity before responding. We aim to respond within the time required by applicable law.

You also have the right to lodge a complaint with your local data protection authority if you believe your rights have been infringed.

9. Security

We use appropriate technical and organizational measures to protect personal data, including:

  • Encryption of data in transit and at rest (where applicable)
  • Access controls and role-based permissions
  • Secure password storage
  • Regular security updates and monitoring
  • Limited access to personal data by staff on a need-to-know basis

No system can be completely secure, but we work continuously to protect your information. You are responsible for keeping your login credentials confidential and for securing devices you use to access Complezy.

10. International Data Transfers

Depending on where you are located and where our infrastructure and providers are based, your personal data may be transferred to and processed in countries outside your own, including outside the European Economic Area (EEA) or UK.

Where such transfers occur and the destination country does not provide an adequate level of protection under applicable law, we implement appropriate safeguards, such as standard contractual clauses approved by the European Commission or equivalent mechanisms.

You can contact us at privacy@complezy.com for more information about these safeguards.

11. Children's Privacy

Complezy is intended for business use and is not directed at children under 18. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, please contact us at privacy@complezy.com and we will delete it.

12. Third-Party Sites and Services

The Service and our website may contain links to third-party websites or services. This Privacy Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party sites or services you visit.

13. Cookies and Similar Technologies

We use cookies and similar technologies to:

  • Keep you logged in and provide core functionality
  • Understand how the website and Service are used
  • Improve performance and user experience
  • Remember your preferences

Where required by law, we obtain your consent before using non-essential cookies (such as certain analytics or marketing cookies). You can manage cookies through your browser settings and, where provided, through our cookie banner or preferences tool. Disabling certain cookies may affect functionality.

14. Marketing Communications

If you are a business contact or user, we may send you emails about:

  • Product updates and new features
  • Educational content and best practices
  • Webinars, events, and offers related to Complezy

You can opt out of marketing emails at any time by clicking "unsubscribe" in the email or by contacting us at privacy@complezy.com. We will still send essential service and transactional emails (for example, about security, billing, or changes to terms).

15. Region-Specific Information

15.1 European Economic Area (EEA) and United Kingdom

If you are in the EEA or UK, Complezy LLC is the controller of your personal data, unless we are acting on behalf of your organization as a processor. In that case, your organization's privacy notice will govern, and we process your data only under their instructions.

You have the rights described in Section 8. You may also lodge a complaint with your local supervisory authority.

15.2 California (CCPA/CPRA)

If you are a California resident, you have certain rights under California law, including:

  • The right to know what categories of personal information we collect and how we use and disclose it
  • The right to request access to and deletion of your personal information (subject to certain exceptions)
  • The right to not be discriminated against for exercising your privacy rights

Complezy does not sell or share personal information in the sense defined by CCPA/CPRA. To make a request under California law, contact us at privacy@complezy.com.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date at the top and, where appropriate, provide additional notice (for example, by email or in-app message).

If you continue to use the Service after an update, you agree to the revised Privacy Policy.

17. How to Contact Us

If you have any questions, concerns, or requests related to this Privacy Policy or our handling of personal data, please contact:

Email: privacy@complezy.com

If applicable, you may also contact our Data Protection Officer at:
privacy@complezy.com