Privacy Policy

VISTE FORGE SRL ("Complair", "we", "us") is the data controller for personal data collected through our marketing website and, for Customer Data processed in the Service, a data processor acting on behalf of our customers.

This Policy applies to personal data processed when you visit complair.eu, sign up for an account, or use the Complair workspace. It does not cover third-party sites we may link to.

Where Complair processes personal data on behalf of a Customer (for example, the AI-system inventory entered by a Customer's users), the Customer is the controller and we are the processor. In those cases, please refer to the Customer's own privacy notice; the terms of our Data Processing Agreement govern our processing.

Account data

• Full name, email address, hashed password, role in the workspace
• Company name, country, and preferred currency
• Onboarding responses (company size, industry, AI maturity)

Workspace content

• AI-system inventory entries, classifications and rationales
• Checklist items and their state (not started, in progress, complete, verified)
• Generated documents, vendor questionnaire responses, audit logs
• Assistant conversations (prompts + responses), retained for your history

Billing data

• Plan, subscription status, billing cadence, invoice history
• Payment details are handled directly by Stripe — we never see card numbers; we store a Stripe customer ID and plan metadata only

Technical data

• IP address, user-agent, session cookies
• Access timestamps, error events, minimal performance telemetry

We do not ask for or intentionally collect special-category personal data (Article 9 GDPR). Do not upload such data to your workspace without contacting us first.

• Provide, operate and maintain the Service
• Authenticate users, manage workspace access, enforce role permissions
• Bill subscriptions, issue invoices, prevent payment fraud
• Send service emails (invitations, password resets, billing notifications)
• Provide customer support and respond to your requests
• Investigate abuse, debug errors, improve stability and performance
• Comply with legal obligations (tax, accounting, lawful requests)

We do not sell personal data, and we do not use Customer Data to train machine-learning models.

Where we rely on legitimate interest, we have assessed that our interest does not override your fundamental rights and freedoms. You have the right to object (see section 11).

We share personal data with the subprocessors listed below. Each is bound by a written data-processing agreement under Article 28 GDPR and appropriate safeguards.

We otherwise only disclose personal data when legally required, to protect our rights, or with your explicit consent.

Application data is stored on servers in Frankfurt, Germany (European Union). Some subprocessors (notably Anthropic and Resend) are located in the United States. For those transfers we rely on the European Commission's Standard Contractual Clauses (Module 3, processor-to-processor) and apply supplementary technical measures such as encryption in transit and at rest, plus data minimisation.

A copy of the SCCs is available on request at privacy@complair.eu.

• Account & workspace data — for the lifetime of your subscription. On termination, data is retained for 30 days to allow export, then permanently deleted.
• Invoices & billing records — 10 years, to comply with Romanian accounting law (Law 82/1991).
• Audit logs — 2 years, for security and compliance evidence.
• Application error logs — 30 days.
• Backups — encrypted, rotated out of cold storage within 35 days.

• TLS 1.2+ in transit; AES-256 at rest
• Bcrypt-hashed passwords; session tokens scoped to workspace
• Role-based access control (Pundit policies) and multi-tenant isolation at the database layer
• Least-privilege access for Complair personnel, audited quarterly
• Centralised logging, anomaly alerts, and routine dependency scanning
• Regular encrypted backups with tested restore procedures

If we confirm a personal data breach affecting you, we will notify the competent supervisory authority within 72 hours where required, and notify you without undue delay.

For a detailed overview of our security posture, see our Security page.

Under the GDPR and equivalent laws you have the right to:

• Access the personal data we hold about you
• Rectify inaccurate or incomplete data
• Erase your data ("right to be forgotten"), subject to legal retention obligations
• Restrict or object to processing based on legitimate interest
• Data portability — receive your data in a structured, machine-readable format
• Withdraw consent at any time, without affecting prior processing
• Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (we do not make such decisions)

Email privacy@complair.eu to exercise a right. We respond within one month. If your data lives in a workspace where your employer is the controller, we will route the request to them.

We use a minimal set of first-party cookies strictly necessary for the Service: a session cookie, a CSRF token, and a currency preference cookie (complair_currency) for anonymous pricing-page visitors. No third-party advertising or cross-site tracking cookies are set.

If we add optional analytics in the future, we will ask for your consent first through a compliant cookie banner.

Complair is a business tool not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe we hold data about a minor, please contact us and we will delete it.

We update this Policy as the Service evolves. Material changes are announced by email or in-app banner at least 30 days before taking effect. The "Last updated" date at the top reflects the most recent revision.

Privacy questions, rights requests, or complaints: privacy@complair.eu.

You also have the right to lodge a complaint with a supervisory authority — for us, that is the Romanian National Supervisory Authority for Personal Data Processing (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal — ANSPDCP) at dataprotection.ro — or the authority of your EU country of residence.