Privacy Policy
cmpli LLC · Effective Date: March 10, 2026
This Privacy Policy explains how cmpli LLC ("cmpli," "we," "us," or "our") collects, uses, stores, shares, and protects your information when you use the cmpli platform ("Platform"). We are committed to transparency about our data practices and to protecting the information entrusted to us.
1. Information We Collect
We collect information in the following categories:
| Category | Data Collected | Purpose | Retention |
|---|---|---|---|
| Account | Email address, display name, password (hashed) | Authentication and account management | Until account deletion |
| Organization Profile | Organization name, industry, employee count, country, timezone, domain, data types handled, work location | Tailoring security guidance to your business context | Until account deletion |
| Security Contacts | Name, title, email, phone, notes for security and IT contacts | Enabling security coordination and provider management | Until removed (soft delete) |
| Vendor & Systems | Service names, categories, criticality, data types stored, provider details | Tracking critical systems and vendor risk | Until deleted (hard delete) |
| Assessments | Security assessment responses, decision notes, risk scores, task completion data | Generating security guidance and tracking progress | Until account deletion |
| Backup Config | Backup scope, location, provider, restore testing dates, ransomware resilience | Evaluating backup posture | Until deleted (hard delete) |
| File Uploads | Documents uploaded (PDF, DOCX, XLSX, CSV, TXT, PPTX) | Supporting assessments and documentation | Until deleted; encrypted at rest (AES-256-GCM) |
| Authentication | OAuth tokens from identity providers, WebAuthn credential public keys, TOTP secrets (encrypted) | Multi-factor authentication and secure login | Until credential removed or account deleted |
| Usage & Audit | IP address, user agent, action logs (create, update, delete, export, login), timestamps | Security monitoring, audit trail, session integrity | Retained per audit policy |
| AI Interactions | Input/output token counts, operation type, estimated cost, duration | Usage tracking, cost management, service improvement | Retained per audit policy |
| Payment | Processed by Stripe; we store Stripe customer ID only, not card details | Subscription billing | Until subscription ends |
2. How We Collect Information
2.1 Directly From You
When you register an account, complete assessments, upload documents, add contacts, configure your organization profile, or interact with AI-powered features.
2.2 From Third-Party Identity Providers
If you authenticate using Google, Microsoft, or Apple, we receive your email address, display name, and a provider-specific identifier. We use PKCE (Proof Key for Code Exchange) for all OAuth flows.
2.3 Automatically
When you use the Platform, we automatically collect your IP address and user agent string for session fingerprinting and security purposes. These are hashed (SHA-256, first 16 characters) and embedded in your session token to detect unauthorized access. We do not use tracking pixels, third-party advertising cookies, or cross-site tracking technologies.
3. How We Use Your Information
- Providing and maintaining the Platform and its features
- Generating security guidance tailored to your organization
- Processing AI-assisted analysis using third-party AI providers
- Authenticating your identity and securing your sessions
- Processing payments through our payment processor
- Monitoring for unauthorized access and maintaining audit trails
- Communicating service updates, security alerts, and account notifications
- Improving the Platform based on aggregated, anonymized usage patterns
- Complying with legal obligations
We do not sell your personal information. We do not use your data for advertising purposes.
4. How We Share Your Information
We share your information only in the following circumstances:
4.1 Third-Party Service Providers
We use the following categories of service providers who process data on our behalf:
| Service | Purpose | Data Shared |
|---|---|---|
| Cloudflare | CDN, DDoS protection, WAF, TLS termination, DNS | IP address, request metadata (encrypted in transit) |
| Linode (Akamai) | Cloud hosting, managed database, object storage | All platform data (encrypted at rest and in transit) |
| Stripe | Payment processing | Email, subscription plan; card details handled directly by Stripe |
| Anthropic (Claude AI) | AI-assisted analysis and content generation | Assessment data and prompts submitted for AI processing; subject to AI usage limits |
| Sentry | Error monitoring (optional, requires cookie consent) | Error context, browser metadata; no PII logged |
| Better Stack | Log aggregation and uptime monitoring | Structured server logs; no passwords, tokens, or PII logged |
| Have I Been Pwned | Breach checking (optional) | Email address for breach lookup |
| Shodan | Vulnerability scanning (optional) | Domain/IP for external scan |
| Google/Microsoft/Apple | OAuth identity providers | Authentication tokens; we receive email and display name |
4.2 Partner and Advisor Access
If your Organization engages a partner or advisor through the Platform, that partner may access your organization data based on the access level granted (read-only or advisory). Partner access is scoped by tenant isolation and governed by separate agreement between you and the partner.
4.3 Legal Requirements
We may disclose your information if required by law, subpoena, court order, or government request, or if we believe disclosure is necessary to protect the rights, property, or safety of cmpli, our users, or the public.
4.4 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your data may be transferred as part of that transaction. We will notify you via email or prominent notice on the Platform before your information is transferred and becomes subject to a different privacy policy.
5. Data Security
We implement technical and organizational measures to protect your data, including:
- TLS 1.3 encryption for all data in transit (enforced at Cloudflare edge)
- AES-256-GCM encryption for uploaded files with per-organization key derivation (HKDF-SHA256)
- Argon2id password hashing with no plaintext storage
- TOTP secrets encrypted in database
- Session fingerprinting (IP + user agent hash) to detect token theft
- Redis-backed token blocklist for immediate session revocation
- Comprehensive audit logging on all data mutations
- Web Application Firewall (Cloudflare WAF) blocking common attack patterns
- Content Security Policy, X-Frame-Options, and additional security headers
- Rate limiting (Redis-backed) to prevent abuse
- Input validation on all API endpoints (Zod schema validation)
- Generic error messages in production to prevent information leakage
- No logging of passwords, tokens, PII, or request bodies in server logs
While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
6. Data Retention
We retain your data as follows:
- Account and organization data: retained until you delete your account
- Soft-deleted records (contacts, decision notes): retained in inactive state until account deletion or permanent purge
- Hard-deleted records (vendors, backup profiles, providers): permanently removed upon deletion
- Audit logs: retained for the duration of the account for security and compliance purposes
- AI usage logs: retained for billing reconciliation and service improvement
- Authentication tokens: automatically expired (JWT: 15 minutes; refresh tokens: 7 days)
- Temporary tokens (password reset: 1 hour, email verification: 24 hours, OAuth state: 10 minutes): deleted after use or expiry
Upon account termination, we will provide a reasonable period for you to export your data before deletion. Organization deletion cascades to all associated data.
7. Cookies and Tracking Technologies
The Platform uses minimal cookies and browser storage:
Essential (always active): Session authentication tokens (JWT bearer tokens in memory), cookie consent preference stored in browser local storage (cmpli_cookieConsent).
Optional (requires consent): Sentry error monitoring, which collects browser metadata for debugging purposes. This is only activated if you select "Accept All" in the cookie consent banner.
We do not use advertising cookies, social media tracking pixels, or cross-site tracking technologies. We do not participate in any advertising networks.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Right to Access: Request a copy of the personal information we hold about you
- Right to Correction: Request correction of inaccurate or incomplete data
- Right to Deletion: Request deletion of your personal information, subject to legal retention obligations
- Right to Data Portability: Request your data in a structured, machine-readable format (JSON, PDF, DOCX)
- Right to Object: Object to certain processing of your personal information
- Right to Restrict Processing: Request that we limit how we use your data
- Right to Withdraw Consent: Withdraw consent for optional data processing (such as Sentry error monitoring) at any time through the cookie consent settings
To exercise any of these rights, contact us at privacy@cmpli.com. We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.
9. California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know what personal information we collect, use, and disclose
- Right to delete personal information we hold about you
- Right to opt out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioral advertising)
- Right to non-discrimination for exercising your privacy rights
We do not sell personal information as defined by the CCPA/CPRA. We do not use or disclose sensitive personal information for purposes beyond those permitted by the CCPA/CPRA.
10. Children's Privacy
The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@cmpli.com.
11. International Data Transfers
The Platform is hosted in the United States. If you access the Platform from outside the United States, your data will be transferred to and processed in the United States. By using the Platform, you consent to this transfer. We rely on standard contractual commitments with our service providers to ensure appropriate data protection safeguards are in place.
12. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by email or through a prominent notice on the Platform at least 30 days before the changes take effect. Your continued use of the Platform after the effective date of the revised Privacy Policy constitutes your acceptance of the changes.
13. Contact Us
For questions, concerns, or requests regarding this Privacy Policy or our data practices:
cmpli LLC
Email: privacy@cmpli.com
Website: https://cmpli.com
If you have an unresolved privacy concern that we have not addressed satisfactorily, you may have the right to lodge a complaint with your local data protection authority.