Last updated: 5 May 2026
This privacy policy describes how Complira (a service operated by Franck Trouillez) ("we") collects, uses, and protects personal data in accordance with the General Data Protection Regulation (GDPR) and Belgian privacy legislation.
Complira acts as the data controller for personal data collected through the platform. For any questions regarding data processing, you can contact us at support@complira.be.
We collect the following categories of personal data:
- Account data: name, email address, password (hashed)
- Organization data: company name, VAT number, sector
- Usage data: login activity, platform actions
- Payment data: processed by our payment provider Stripe and not stored by us
We process your data for the following purposes:
- Providing and improving our services
- Account management and authentication
- Billing and payment processing
- Communication regarding your account and our services
- Compliance with legal obligations
The processing of your personal data is based on:
- Performance of a contract (Article 6(1)(b) GDPR)
- Legal obligation (Article 6(1)(c) GDPR)
- Legitimate interest (Article 6(1)(f) GDPR) for product improvement and security
We retain personal data only as long as necessary for the purposes described in this policy:
- Account profile data: retained for the duration of your account. When you delete your organization from the organization settings, all account data is hard-deleted immediately.
- Assessment content (responses, evidence, comments): retained for the duration of your subscription. When you delete your organization from the organization settings, this data is hard-deleted immediately. Export your data before deleting if you wish to retain it.
- Billing and tax records: retained for 7 years to comply with Belgian accounting law (Art. III.86 Code de droit économique).
- Audit logs: retained for 3 years from the date of the recorded action, then automatically deleted.
- Anonymous traffic logs: retained for 90 days, then automatically deleted.
- Encrypted database backups: retained on a 7-day daily, 28-day weekly, and 365-day monthly cycle. After account deletion, personal data may persist in encrypted backups until expiry of the longest backup window. Backups are not used for any purpose other than disaster recovery and are decryptable only by Complira's operations team.
Under the GDPR, you have the right to:
- Access your personal data
- Request rectification or deletion
- Request restriction of processing
- Object to processing
- Data portability
- Lodge a complaint with the Data Protection Authority (DPA)

You have the right to lodge a complaint with your local data-protection supervisory authority. The competent authority for Complira is the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit), rue de la Presse 35, 1000 Brussels - contact@apd-gba.be.
We take the following technical and organizational measures to protect personal data:
- Encryption in transit: TLS 1.2+ for all web traffic; STARTTLS with peer-certificate verification for outbound email.
- Encryption at rest: sensitive database columns are encrypted at the field level; database backups are encrypted before being written to object storage.
- Hosting in the European Union: all application data is hosted within the EU. The only personal data leaving the EEA is what is required to deliver the Service via our payment and error-monitoring providers - see complira.be/subprocessors for the canonical list, including the legal transfer safeguards in place.
- Access control: role-based authorization (admin / member / auditor); passwords are hashed with a modern algorithm and cannot be retrieved, only reset.
- Audit logging: material actions on personal and assessment data are recorded in an append-only audit trail with a 3-year retention.
- Vulnerability management: dependencies and application code are scanned for known security issues before each release.
- Backups: nightly encrypted database snapshots stored in EU object storage on a 7-day daily / 28-day weekly / 365-day monthly retention cycle.

We do not currently hold ISO 27001 or SOC 2 certification. We do not use third-party analytics, advertising trackers, or content delivery networks that proxy customer traffic.
Complira uses only functional cookies necessary for the operation of the platform. We do not use tracking cookies or third-party cookies for advertising purposes.
We log anonymous traffic data about visits to our public website to understand which marketing channels work. We record a masked IP address (only the first three octets, so the address cannot be traced back to an individual device), the user agent string, the HTTP referrer, UTM campaign parameters, and the landing page URL. This data is stored in our own PostgreSQL database and is not sent to any third-party analytics or advertising provider. Traffic logs are retained for 90 days and then automatically deleted. Your existing rights under the GDPR (access, export, deletion) continue to apply to any personal data we hold about you.
We may update this privacy policy from time to time. Changes will be posted on this page with an updated date. In case of significant changes, we will notify you by email.