1. Introduction
Netwanted S.à r.l.-S ("we", "our", or "us") operates Komplync (the "Service"), an AI-powered compliance platform for financial institutions. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service at komplync.com and app.komplync.com.
Data Controller
Netwanted S.à r.l.-S
31 Route de Luxembourg, L-7240 Bereldange, Luxembourg
RCS Luxembourg: B296689
Email: contact@netwanted.com
Tel: +352 661 633 876
2. Legal Basis for Processing
We process personal data under the following legal bases as defined by the GDPR (Regulation EU 2016/679):
- Contract Performance (Art. 6(1)(b) GDPR): To provide our Service
- Legitimate Interest (Art. 6(1)(f) GDPR): To improve our Service and prevent fraud
- Consent (Art. 6(1)(a) GDPR): For marketing communications (opt-in only)
- Legal Obligation (Art. 6(1)(c) GDPR): To comply with Luxembourg and EU laws
3. Information We Collect
3.1 Information You Provide
Account Information: Full name, email address, organization name, password (encrypted), phone number (optional), billing address.
Content Data: Marketing content you generate, prompts and instructions, compliance check results, saved templates.
Payment Information: Processed by Stripe (PCI-DSS Level 1 certified). We do not store credit card details on our servers. We retain: transaction IDs, billing addresses, invoices.
3.2 Information Automatically Collected
Usage Data: IP address (anonymized after 30 days), browser type and version, device information, pages visited and time spent, features used, error logs.
Cookies and Tracking: See our Cookie Policy for details.
4. How We Use Your Information
Service Delivery
- Create and manage your account
- Generate AI-powered marketing content
- Perform compliance checks (CSSF, GDPR, MiFID II)
- Process payments and manage subscriptions
- Provide customer support
- Send service notifications (system updates, security alerts)
Service Improvement
- Analyze usage patterns and improve AI model accuracy
- Develop new features and detect fraud or misuse
Marketing (with your consent only)
- Send newsletters about product updates
- Share compliance insights and best practices
You can opt out of marketing emails at any time via the unsubscribe link.
5. Data Sharing and Disclosure
5.1 Service Providers (Data Processors)
| Processor | Service | Location | Safeguards |
|---|---|---|---|
| Vercel Inc. | Web hosting | EU (Frankfurt) | SCCs, encryption |
| Supabase Inc. | Database | EU (Frankfurt) | SCCs, encryption |
| Anthropic PBC | AI generation | USA | SCCs, immediate deletion |
| Stripe Inc. | Payments | EU (Ireland) | PCI-DSS, SCCs |
| Resend Inc. | | USA | SCCs, encryption |
All data processors are bound by Data Processing Agreements (DPAs) that comply with GDPR Article 28.
5.2 Legal Obligations
We may disclose your information if required by court orders, Luxembourg or EU regulatory authorities (CSSF, CNPD), or law enforcement requests with valid legal basis.
6. International Data Transfers
Some service providers are located outside the EEA. We ensure adequate protection through Standard Contractual Clauses (SCCs), Data Processing Agreements (DPAs), and encryption (AES-256).
For Anthropic (USA-based AI): data is deleted immediately after processing, your content is NOT used to train AI models, and SCCs are in place.
7. Data Retention
- Account Data: Active accounts: Duration of subscription + 30 days. Closed accounts: 30 days (unless legal obligation applies).
- Content Data: Duration of subscription + 90 days. User-deleted content: permanently deleted within 30 days.
- Billing Data: 10 years (Luxembourg tax law requirement).
- Usage Logs: Anonymized after 30 days, deleted after 12 months.
- Marketing Consent: Until withdrawn, or after 3 years of inactivity.
8. Your Rights Under GDPR
As a data subject in the EU/EEA, you have the following rights:
- Right of Access (Art. 15): Request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16): Correct inaccurate or incomplete data.
- Right to Erasure (Art. 17): Request deletion of your personal data (exceptions apply).
- Right to Restriction (Art. 18): Limit how we use your data during disputes.
- Right to Data Portability (Art. 20): Receive your data in JSON or CSV format.
- Right to Object (Art. 21): Object to legitimate interest processing or direct marketing.
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time.
To exercise your rights: Email contact@netwanted.com with subject "GDPR Data Subject Request". We respond within 30 days.
You may also lodge a complaint with the CNPD (Commission Nationale pour la Protection des Données), 15 Boulevard du Jazz, L-4370 Belvaux — cnpd.public.lu.
9. Data Security
- AES-256 encryption at rest; TLS 1.3 in transit
- Password hashing with bcrypt
- Two-factor authentication (2FA) available
- Role-based access controls and regular security audits
- Data breach notification to CNPD within 72 hours; affected users notified without undue delay
10. Children's Privacy
Komplync is not intended for individuals under 18 years of age. We do not knowingly collect data from children. Contact us immediately if you believe a child has provided personal data.
12. Changes to This Privacy Policy
Material changes will be communicated via email (to registered users), prominent notice on our website, and in-app notification at least 30 days before changes take effect. Continued use constitutes acceptance.
13. Contact Us
Email: contact@netwanted.com
Phone: +352 661 633 876
Mail: Netwanted S.à r.l.-S, Attn: Data Protection Officer, 31 Route de Luxembourg, L-7240 Bereldange, Luxembourg