Privacy Policy

Your privacy is fundamental to our mission. This policy explains our commitment to data ownership, minimal data collection, and complete privacy protection in compliance with the GDPR and the Australian Privacy Act. It also explains how CompliCentral handles Personal Information when you use the CompliCentral platform and related websites, products, and services (Services). This Privacy Policy is designed for B2B SaaS customers, including Australian regulated industries, and reflects CompliCentral’s single-tenant environment and data sovereignty approach.

Last Updated: November 17, 2025

Your Data Ownership

Complete Data Ownership

You retain complete ownership of all data in your CompliCentral tenant. We do not claim ownership rights to your compliance documents, workflows, organisational information, or any other customer content stored in the platform.

Customer Content

Customer content may include onboarding information, training and accreditation records, audit evidence, registers, policies, tasks, workflow data, and related compliance documentation. This content is created, uploaded, or managed by your organisation and remains under your control.

Minimal Account Creation Data

We collect only the minimum information needed to create and maintain your account, such as name, business email address, and subscription details required for service access and billing.

Your Data Roles and Responsibilities

Controller and Processor Roles

CompliCentral customers generally decide what Personal Information is stored in the platform, why it is stored, and how it is used. This typically makes the customer the data controller (or equivalent role under applicable law) for customer content. CompliCentral acts as a data processor for customer content and processes it only to provide and support the Services.

Customer Instructions

We process customer content according to the customer contract and documented customer instructions, including configuration choices and permissions set within the platform.

Customer Responsibilities

Customers are responsible for confirming that collection and use of Personal Information within the platform is lawful, appropriate for their regulated obligations, and supported by required notices and consents.

Your Data Sovereignty

In-Country Data Hosting

All customer content is sovereign and is stored on infrastructure located in the country where the customer's business operates, unless otherwise agreed in writing.

Single-Tenant Environment

CompliCentral is delivered on a single-tenant basis. Each customer tenant is isolated and access-controlled to reduce the risk of unauthorised access across tenants.

Cross-Border Processing by Exception

If cross-border processing is required due to a customer request or specific operational need, we apply appropriate safeguards and document the approach in contract terms or service schedules.

Your Data Control

Complete Data Management

You have control over the data stored in your tenant. The platform provides tools to manage, update, export, and delete data in accordance with your compliance and operational needs.

Data Collection and Deletion Choices

All decisions about what data enters your tenant and when it should be removed are controlled by your organisation. Where platform features support retention policies or automated cleanup, you can configure them based on your requirements.

Retention Control

Data retention is set by the customer. CompliCentral supports retention management through platform controls and configuration, subject to technical feasibility and your subscription plan.

What We Collect and Why

Customer Content (Processor Processing)

We process Personal Information contained within customer content solely to deliver and secure the Services, provide support, maintain performance, and meet legal obligations.

Account and Billing Information (Controller Processing)

We process limited account and administrative information to manage subscriptions, authentication, billing, and service communications. This may include names, business contact details, billing contacts, and subscription information.

Service Usage and Security Logs

We collect and generate technical, security, and audit logs required to operate the platform and protect customers. These may include IP address, timestamps, login events, access history, system events, and error logs.

Support and Communications

If you contact us, we may process communications and information provided for support, onboarding, training, and service delivery.

How We Use Personal Information

Service Delivery

We use Personal Information to provide the Services, including account access, authentication, feature delivery, and tenant administration.

Security and Risk Management

We use security and audit logs to protect the platform, monitor suspicious activity, detect incidents, and preserve system integrity.

Customer Support

We use support information to troubleshoot issues, respond to requests, and improve service outcomes.

Legal and Regulatory Compliance

We may process information to comply with applicable laws, lawful requests, and regulatory obligations.

B2B Communications

We may send service notices, platform updates, and operational communications. Where permitted, we may also send relevant B2B product updates and offers. You can opt out of non-essential marketing communications.

Data Protection and Backup Services

Encryption and Secure Transmission

Customer content is protected using enterprise-grade encryption, including AES-256 at rest and TLS 1.3 in transit, within an isolated single-tenant environment.

Access Control

Access is restricted, audited, and role-based. Customer administrators control access rights within their tenant. CompliCentral limits internal access to authorised personnel with a legitimate operational need.

Backup Management

We maintain backups as part of the service to support resilience and recovery. Backup retention and recovery approaches may vary based on subscription and hosting region.

Incident Response

We maintain incident response procedures and security monitoring. If a security incident affecting customer content occurs, we will notify customers in accordance with contract terms and applicable law.

Infrastructure Partners and Subprocessors

Infrastructure Partners

We use infrastructure partners (such as cloud hosting, networking, monitoring, and security providers) to operate and secure the platform. These partners provide underlying infrastructure and services that support CompliCentral availability and performance.

Subprocessors

We may use carefully selected subprocessors to support functions such as support tooling, email delivery, billing operations, and error monitoring. Subprocessors are contractually required to protect Personal Information and process it only to provide their services.

No Unauthorised Sharing

We do not share customer content with third parties for advertising or data brokerage purposes. Disclosures are limited to what is necessary to deliver the service, meet legal obligations, or protect rights and safety.

Cookies and Website Analytics

Website Cookies

Our public website may use cookies and similar technologies for essential functionality, security, and performance.

Analytics

We may use privacy-respecting analytics to understand website usage and improve content. Where required by law, we provide cookie controls and consent mechanisms.

Managing Cookies

You can control cookies through your browser settings and, where available, cookie preference tools.

Data Retention

Customer Content Retention

Customer content is retained for the duration of the customer contract and handled after termination according to agreed terms, subject to legal, security, and backup requirements.

Account and Billing Records

Billing and subscription records are retained as required by law and for legitimate business purposes such as financial reporting and dispute resolution.

Security and Audit Logs

Security logs are retained for a defined period to support security monitoring, investigations, compliance expectations, and system integrity.

Your Rights and Requests

Access and Correction

Individuals may have rights to request access to or correction of Personal Information. For customer content, these requests should generally be directed to the customer (as controller). CompliCentral will support customers to respond where required.

Deletion and Restriction

Depending on applicable law, individuals may have rights to request deletion or restriction of processing. For customer content, customers control deletion decisions within their tenant, subject to retention settings and legal obligations.

EU and UK Rights (If Applicable)

Where GDPR applies, individuals may have additional rights including objection and data portability, subject to legal limitations.

Legal Basis (EU and UK Customers)

Lawful Bases

Where EU or UK GDPR applies, we process Personal Information under one or more lawful bases, including contract (service delivery), legitimate interests (security and service improvement), consent (where required for cookies), and legal obligations.

Legal Disclosures and Business Transfers

Legal Requests

We may disclose information where required by law, court order, or lawful government request. Where permitted, we aim to provide notice to affected customers.

Business Transfers

If CompliCentral is involved in a merger, acquisition, restructuring, or asset sale, Personal Information may be transferred as part of the transaction, subject to appropriate safeguards.

Changes to This Policy

Updates

We may update this Privacy Policy from time to time. The latest version will be published on our website with an updated date. Where changes materially affect how we handle Personal Information, we will take reasonable steps to notify customers.

No Data Sharing

Zero Data Sharing

We do not share, sell, trade, or rent any of your data to third parties. Your information remains exclusively within your secure single-tenant environment with no external sharing whatsoever.

Infrastructure Partners

Our infrastructure partners operate under strict no-data-access agreements. They provide hosting and technical services without any access to your compliance data.

Privacy Inquiries

If you have questions about this Privacy Policy, please contact our Data Protection Officer.