Privacy and data protection

Privacy Policy

This policy explains how Unknown Data processes personal data when organisations, administrators, employees, reviewers and auditors use C.O.M.P.A.S.S. - Compliance Control System. It is intended as a GDPR-style privacy notice for account, subscription, compliance workflow, evidence, security and support processing.

Last updated: 31 May 2026

1. Who this policy applies to

This policy applies to users of C.O.M.P.A.S.S., organisation administrators, invited team members, reviewers, auditors and people who contact Unknown Data for support or account-related questions. It applies to personal data processed through the web application, support interactions, subscription administration and related security or operational logs.

2. Controller and processor roles

For most organisation workspace content, including AI system records, assessments, control work and evidence uploads, the customer organisation decides what personal data is entered, why it is processed, who may access it and how long it should be retained. In that context, the customer organisation is normally the controller and Unknown Data acts as processor or service provider. For account administration, platform security, billing operations, service communications, support, legal compliance and protection of Unknown Data's rights, Unknown Data may act as an independent controller.

3. Data we process

Account data

Usernames, names, email addresses, authentication state, MFA status and account preferences.

Organisation data

Organisation names, country settings, roles, team membership, invitations and seat allocation.

Compliance workflow data

AI system records, use cases, role assessments, risk assessments, obligations, controls and action status.

Evidence and audit data

Files, notes, evidence metadata, audit reports, access logs and export records uploaded or generated by users.

Security and technical data

Login events, IP-related security metadata, runtime health data, browser/session signals and diagnostic logs.

Billing data

Plan, subscription, customer, invoice and payment status data needed to administer paid services.

4. Why we process data

  • To create and manage user accounts and organisation workspaces.
  • To provide AI compliance assessment, evidence, reporting and audit functionality.
  • To enforce subscription tiers, seats, access rights and billing state.
  • To secure the service, investigate misuse and maintain audit logs.
  • To provide support, troubleshoot issues and improve reliability.
  • To comply with legal, tax, accounting and security obligations.

5. Legal bases for processing

  • Contract performance: to provide accounts, subscriptions, workspaces, support and requested service functionality.
  • Legitimate interests: to secure the service, prevent misuse, diagnose issues, improve reliability and manage customer relationships.
  • Legal obligations: to meet tax, accounting, compliance, security or regulatory obligations.
  • Consent: where a specific optional feature, communication or integration requires consent under applicable law.

Where a customer organisation controls workspace content, that organisation is responsible for identifying and documenting the legal basis for the data it enters or uploads into the service.

6. Evidence uploads, special categories and customer responsibility

Users should only upload evidence that is relevant to compliance work and lawful to process. Evidence should not include unnecessary sensitive data, excessive personal data, passwords, secrets, authentication tokens or unrelated confidential material. The service is not designed for routine processing of special categories of personal data, criminal offence data, health data or children's data. If such data is uploaded, the customer organisation is responsible for ensuring a valid legal basis, necessity, proportionality, access restriction and any additional safeguards required by law. Organisation administrators are responsible for managing access to uploaded evidence and removing users who no longer need access.

7. Recipients and subprocessors

Unknown Data may use trusted service providers to operate C.O.M.P.A.S.S., including cloud hosting, storage, email delivery, monitoring and payment processing providers. Stripe may process billing and payment information. Cloud infrastructure may include Microsoft Azure services. These providers process data only for service delivery, security, support, billing and legal compliance purposes. Personal data may also be disclosed where required by law, court order, regulator request or to protect the rights, safety and security of users, customers, Unknown Data or third parties.

8. International transfers

Data may be processed in the European Economic Area or in other locations where service providers operate. Where personal data is transferred outside the EEA, appropriate safeguards should be used where required, such as adequacy decisions, standard contractual clauses, data processing agreements or equivalent transfer mechanisms. Do not rely on this policy as a guarantee that all data always remains inside one country or region unless that has been agreed separately in writing.

9. Retention

Account, organisation, compliance and evidence data is retained while the account or subscription is active, unless deleted earlier by authorised users or required longer for legal, accounting, security, audit or dispute-resolution reasons. After termination, data may be deleted, anonymised or archived according to the applicable agreement, backup cycles and legal obligations. Logs and diagnostic data are retained for a limited period appropriate to security, support and operational needs.

10. Security

C.O.M.P.A.S.S. uses technical and organisational measures intended to protect account and workspace data, including access controls, role separation, authentication controls, logging and infrastructure security practices. No online service can guarantee absolute security, so users must protect their credentials and report suspected compromise promptly.

11. Cookies and similar technologies

C.O.M.P.A.S.S. currently uses functional cookies that are necessary for login sessions, security, CSRF protection and service operation. These cookies are not used for advertising or cross-site tracking. More details are available in the Cookie Policy.

12. Personal data breaches

If Unknown Data becomes aware of a personal data breach affecting customer workspace data, it will take reasonable steps to investigate, contain and remediate the incident. Where Unknown Data acts as processor, it will notify the relevant customer organisation in accordance with the applicable agreement so the organisation can assess any regulatory or data subject notification obligations. Where Unknown Data acts as controller, it will assess whether notification to a supervisory authority or affected individuals is required by law.

13. Automated decision-making

C.O.M.P.A.S.S. supports compliance workflows and may generate classifications, summaries or obligations based on information entered by users. These outputs are intended to support human governance decisions. The service is not intended to make decisions based solely on automated processing that produce legal or similarly significant effects for individuals.

14. Your rights

Depending on applicable law, users may have rights to request access, rectification, erasure, restriction, portability, objection to processing and withdrawal of consent where processing is based on consent. These rights may be limited in some cases, for example where retention is required by law, security obligations, accounting duties or establishment, exercise or defence of legal claims. Requests about organisation workspace content should normally be directed first to the relevant organisation administrator. Requests can also be submitted to Unknown Data using the contact details below.

15. Complaints

Users may have the right to lodge a complaint with a competent data protection authority, especially in the EU member state where they live, work or where they believe an infringement occurred. Unknown Data encourages users to contact the organisation administrator or Unknown Data first so concerns can be reviewed and addressed.

16. Changes to this policy

Unknown Data may update this policy when the service, legal requirements, subprocessors or operating practices change. Material changes should be communicated through the application, customer contact channels or other appropriate means.

17. Contact

For privacy questions, data protection requests or security concerns, contact Unknown Data through the support or administrative contact channel agreed with your organisation. If no dedicated channel has been agreed, use your normal Unknown Data contact person.