CompliScan

Legal

Privacy Policy

How CompliScan collects, uses, and protects information as Clients certify vendors, Vendors get certified, and documents are read, graded, and renewed.

Last updated: June 13, 2026

Your trust matters to us. This Privacy Policy describes the information CompliScan handles across compliscan.com and the Client and Vendor applications, why we process it, who we share it with, and the choices and rights you have. Because CompliScan is a platform that connects Clients and Vendors, please note where a Client — not CompliScan — controls the data you provide.

01

Introduction

This Privacy Policy explains how CompliScan ("CompliScan," "we," "us," or "our") collects, uses, shares, and protects information in connection with the CompliScan websites (including compliscan.com), applications, and services (together, the "Service").

CompliScan operates a vendor risk-management and certification platform: Clients define the requirements and pricing their Vendors must meet, Vendors submit documents and pay a fee to become certified, and the platform reads, grades, tracks, and renews compliance documents, issues verifiable certificates, and credits rewards. This Policy applies to our marketing site and to the Client and Vendor applications, and should be read together with our Terms of Use.

02

Our Role: Controller & Processor

Our role depends on the data in question:

  • Client-controlled data. For information a Vendor submits to satisfy a particular Client's requirements — documents, form responses, and the data extracted from them — the Client generally decides why and how it is processed and is the "controller." CompliScan acts as a "processor" / service provider on that Client's behalf and handles such data according to the Client's instructions and our agreement.
  • CompliScan-controlled data. For our own account, billing, website, marketing, and security data, CompliScan is the controller.

If you are a Vendor and wish to exercise rights over data you submitted to a Client, please also contact that Client.

03

Information We Collect

  • Account & contact information — names, work email, company name, job title, phone number, and login credentials for Client and Vendor users, plus information you provide when you contact us.
  • Inquiry & marketing information — when you use the rewards calculator lead form on compliscan.com, we collect your name, company, work email, and the number of vendors you report, along with technical metadata (IP address, browser/user-agent, and the referring page).
  • Vendor submissions & documents — documents and information Vendors upload to meet Client requirements, such as certificates of insurance, W-9 and other tax forms, business licenses, SOC 2 reports, cybersecurity questionnaires, safety policies, background-check results, financial questionnaires, references, and responses to custom forms. These may include business and, in some cases, personal information (for example names, contact details, tax identification numbers, ownership information, and details about individuals named in a document).
  • Data extracted from documents — structured fields our document-intelligence pipeline reads and grades from uploads (for example coverage limits, expiration dates, named insured, certificate holders, and identifiers).
  • Payment information — when a Vendor pays a Certification Fee, payment is handled by our third-party payment processor. We receive limited transaction details (such as confirmation, amount, and a card's brand and last digits) but do not collect or store full payment-card numbers.
  • Rewards information — records of Points earned and redeemed and details needed to deliver a reward (such as a redemption email or payout details, and any required tax information).
  • Usage, device & log data — IP address, browser and device type, pages viewed, actions taken, timestamps, and similar diagnostics, including entries in our audit logs.
  • Cookies & similar technologies — as described in the Cookies section below.

04

How We Use Information

We use information to:

  • provide, operate, and maintain the Service — including collecting, reading, grading, tracking, and renewing documents and issuing certificates;
  • create and administer accounts and enforce roles and permissions;
  • process Certification Fee payments and administer the Rewards program;
  • send service and transactional messages — invitations, reminders, renewal notices, reports, and security alerts;
  • respond to inquiries and, where permitted, send marketing about CompliScan (such as following up on a rewards-calculator inquiry);
  • secure, monitor, and improve the Service, prevent fraud and abuse, and maintain audit logs;
  • comply with legal obligations and enforce our Terms.

06

How We Share Information

  • Between Clients and Vendors. The Service exists to share a Vendor's submissions and certification status with the Client that set the requirements, and to share a Client's requirements with the Vendors it invites.
  • Service providers / subprocessors. Cloud hosting, storage, database, and email providers (we use Amazon Web Services, including S3, RDS, DynamoDB, and SES for email), our payment processor, and rewards / gift-card fulfillment providers — each only as needed to provide the Service.
  • Public certificate verification. Issued certificates have a shareable verification page and QR code; anyone with the link can view limited certificate information — such as the organization's name, certification status, and issue and expiry dates — verified live at view time.
  • Legal & safety. When required by law, regulation, or legal process, or to protect the rights, safety, and integrity of the Service and our users.
  • Business transfers. In connection with a merger, acquisition, financing, or sale of assets.

We do not sell your personal information.

07

Payments

Certification Fees and reward payouts are handled by third-party payment providers. Your payment details are processed under those providers' terms and privacy policies. CompliScan does not receive or store full payment-card numbers; we retain only limited transaction metadata needed for records, accounting, and the Rewards ledger.

08

Cookies & Similar Technologies

We use cookies and similar technologies for essential functions — such as keeping you signed in and maintaining your session — and, where applicable, to understand and improve how the Service is used. You can control cookies through your browser settings; disabling essential cookies may prevent parts of the Service from working.

09

Sensitive Documents

Because Vendors may submit sensitive materials — for example tax forms containing identification numbers, background-check results, or financial information — we restrict access to such data, log activity through our audit trail, and process it only to deliver certification, grading, and related services. Vendors should submit only the information a Client requires and that they are authorized to share.

10

Data Retention

We retain information for as long as needed to provide the Service, maintain certification history and audit logs, comply with legal and accounting obligations, resolve disputes, and enforce our agreements. For Client-controlled data, retention also follows the Client's instructions and our agreement. When information is no longer needed, we delete or de-identify it.

11

Security

We use technical and organizational safeguards designed to protect information, including encryption in transit, access controls, role-based permissions, and append-only audit logging. No method of transmission or storage is completely secure, however, and we cannot guarantee absolute security.

12

International Data Transfers

The Service is operated in the United States, and our infrastructure is hosted on Amazon Web Services (primarily in the United States). If you access the Service from outside the United States, you understand that your information will be processed in the United States and potentially other locations whose data-protection laws may differ from those of your jurisdiction.

13

Your Rights & Choices

Depending on where you live, you may have rights to access, correct, delete, port, or restrict or object to the processing of your personal information, and to withdraw consent. To exercise these rights, contact us at privacy@compliscan.com. If your information was submitted to a Client (for example as a Vendor), please also contact that Client, who controls that data.

We honor applicable privacy laws, including the GDPR/UK GDPR and the CCPA/CPRA. We do not sell personal information or use it for cross-context behavioral advertising, and we will not discriminate against you for exercising your rights.

14

Marketing Choices

You can opt out of marketing emails at any time by using the unsubscribe link in those messages or by contacting us. Even if you opt out of marketing, we may still send necessary service and transactional messages, such as certification reminders, renewals, and security notices.

15

Children's Privacy

The Service is intended for business use and is not directed to children under 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us information, please contact us so we can remove it.

16

Third-Party Services & Links

The Service may link to or integrate with third-party services, such as payment, identity, or document providers. We are not responsible for the privacy practices of those third parties, which are governed by their own policies.

17

Changes to this Policy

We may update this Privacy Policy from time to time. If we make material changes, we will indicate this by updating the "Last updated" date below and, where appropriate, by providing additional notice. Your continued use of the Service after an update means you accept the revised Policy.

18

Contact Us

Questions about this Policy or your information? Contact us at privacy@compliscan.com.

By using CompliScan you acknowledge that you have read and understood this Privacy Policy.