We're an independent compliance advisory firm. Privacy is part of what we do for a living, so this policy is written to actually inform you, not to protect us. It explains what information we collect, why we collect it, what we do with it, and what we'd never do with it.
Last Updated: May 15, 2026
Effective Date: May 15, 2026
Applies To: complyn.com & Complyn services
01 Plain-English summary
Most privacy policies are written by lawyers to protect the company. This one is written to actually inform you. Here's what you really need to know:
We don't sell your data. Not to advertisers, not to data brokers, not to anyone, ever.
We collect only what we need to run our business and deliver assessments. Mostly: contact information you give us, materials you share during an engagement, and basic privacy-respecting website analytics.
Engagement materials are treated as confidential. When you share policies, BAAs, evidence, or other documents with us as part of an assessment, that information lives in our Client Portal and stays there. We do not use it for marketing, profiling, or training AI models.
If you're a HIPAA-covered entity or business associate, we sign a Business Associate Agreement with you before handling any Protected Health Information.
You can ask us anything about your data, what we have, what we do with it, or to delete it. Email [email protected].
If anything below contradicts this summary, the summary wins. We meant what we said up here.
02 Information we collect
Information you give us directly
When you fill out a form on our website (contact, schedule an assessment, Advisory inquiry, etc.), we collect what you provide. That typically includes:
Name, email address, business name
Basic details about your business (industry, approximate employee count)
What's prompting your inquiry
Anything you write in the message field
Information we receive during an engagement
If you become a Complyn client, the work of an assessment involves you sharing materials with us so we can evaluate them. Depending on the engagement, that can include:
Written policies, procedures, and internal documentation
Business Associate Agreements, service-provider agreements, and vendor inventories
Evidence of compliance (training records, access reviews, incident logs)
System inventories, network diagrams, and configuration documents
Notes from interviews with your team during discovery
For HIPAA engagements only: Protected Health Information (PHI), when it appears in policies or evidence you share with us under a signed BAA
This material is treated as confidential. It lives in our Client Portal, accessible only to you, your team members you authorize, and the Complyn team working on your engagement.
Information we collect automatically
When you visit complyn.com, our hosting and analytics providers record limited technical information:
IP address (used to prevent abuse; not used to identify individual visitors)
Browser type, device type, operating system
Pages you visit and roughly how long you stay
How you got to our site (referring page, if any)
Our analytics provider is Cloudflare Web Analytics, which is privacy-respecting and does not use cookies, fingerprinting, or cross-site tracking.
03 How we use it
We use the information we collect to:
Respond to your inquiries. If you fill out a form, we use your contact information to reply, propose a scope, or schedule a discovery call.
Deliver assessments and advisory work. For clients, we use the materials you share to conduct the engagement we've been hired to perform.
Communicate about active engagements. Scoping documents, reports, follow-up messages, invoices.
Operate and improve our website. Basic analytics help us understand which pages are useful and which aren't.
Comply with the law. Tax records, contracts, legal subpoenas if we ever receive one.
We do not build advertising profiles, target you with ads, train AI models on your information, or sell your information to third parties.
04 Protected health information
If you're a HIPAA-covered entity or business associate engaging us for a HIPAA Security Risk Analysis or related work, we may receive Protected Health Information (PHI) during the engagement, typically embedded in policies, evidence files, or sample documentation you share with us.
Before any engagement involving PHI begins:
We sign a Business Associate Agreement (BAA) with you that meets the requirements of the HIPAA Privacy and Security Rules
That BAA governs our handling, use, retention, and disclosure of any PHI we receive
The BAA's terms take precedence over the more general terms of this policy where PHI is concerned
Where this policy and an executed BAA differ on PHI handling, the BAA controls.
05 When we share it
We share the minimum necessary information with a small number of vendors who help us operate. Each is contractually bound to handle your information only on our instructions and to maintain reasonable security.
Vendor | What they handle | Notes
Cloudflare | Website hosting, security, privacy-first web analytics | Standard processor; no personal identifiers in analytics
 | | PCI-compliant; we do not see or store full card numbers
Assembly | Complyn Client Portal (where engagement materials, reports, and messaging live) | HIPAA-compliant; signed BAA in place
Proton | Team email and video meetings (Proton Mail, Proton Meet) | End-to-end and zero-access encrypted by default
We will also share information if legally compelled, for example, if we receive a valid subpoena or court order. We push back on overly broad requests and will notify you when permitted by law.
What we never do: We do not transfer, sell, share, or disclose your data to any external organization for marketing, advertising, data brokering, or AI model training. The only data sharing we do is with the operational sub-processors listed in the table above, who handle data on our behalf to deliver our services and are contractually prohibited from using it for any other purpose.
06 Data sharing limits
This section reinforces and adds to what we say in "When we share it" above:
Customer data is not shared with third parties for promotional or marketing purposes.
Mobile opt-in and consent are never shared with anyone for any purpose. Any information sharing that may be mentioned elsewhere in this policy explicitly excludes mobile opt-in data.
07 How we protect it
Compliance is what we do for a living, so we hold ourselves to the standards we recommend to our clients. We protect your information with:
Encryption in transit and at rest across all systems holding your data
End-to-end encrypted email and video meetings via Proton
Multi-factor authentication on every internal system
Least-privilege access, so the Complyn team only sees what's needed for the engagement they're staffed on
A HIPAA-compliant Client Portal vendor (Assembly) with a signed BAA for client engagement materials
Vendor security review for every tool we use
Our own documented information security program, reviewed at least annually
No system is perfectly secure. If we ever experience a security incident affecting your information, we will notify you promptly with details about what happened, what's affected, and what we're doing about it. If PHI is involved, notification will also follow the requirements of the executed BAA and applicable law.
08 How long we keep it
We keep information only as long as we need it for the purpose we collected it:
Form submissions from non-clients: twenty-four months, then deleted
Engagement materials and reports: retained in the Complyn Client Portal for three years following the end of the engagement, then archived or deleted in line with the engagement agreement
Protected Health Information: handled per the executed Business Associate Agreement, which generally requires retention for at least six years
Signed agreements and tax records: seven years (required for tax, audit, and contractual purposes)
Website analytics: twelve months
Email logs: twelve months
You can ask us to delete your information sooner. See "Your rights" below.
09 Your rights
Depending on where you live, you may have specific legal rights regarding your personal information. Regardless of jurisdiction, we extend these rights to everyone we deal with:
Access. Ask what information we have about you, and we'll tell you.
Correction. Ask us to fix anything inaccurate.
Deletion. Ask us to delete your information (subject to legal and contractual retention requirements).
Portability. Ask for a copy of your information in a machine-readable format.
Opt-out. Unsubscribe from any communications at any time.
Complain. If we mess something up, tell us, and we'll make it right.
To exercise any of these rights, email [email protected]. A real person will respond, usually within one business day.
10 Cookies & tracking
complyn.com uses minimal cookies and tracking:
Essential cookies. Needed to make the site work (security, session state). These can't be turned off.
Privacy-respecting analytics. We use Cloudflare Web Analytics, which does not use cookies, fingerprinting, or cross-site tracking. It tells us how many people visit which pages, nothing more.
We do not use advertising cookies, retargeting pixels, social-media tracking pixels, or third-party advertising networks.
11 Children's privacy
Our services are designed for businesses, not for children. We do not knowingly collect information from anyone under 13 years old. If you believe a child has provided us with information, please contact us at [email protected] and we will delete it.
12 Changes to this policy
If we update this privacy policy, we'll update the "Last Updated" date at the top of the page. For material changes (anything that meaningfully affects your rights or how we use your data), we will notify active clients directly and post a notice on the website.
If you don't agree with changes to the policy, you can stop using our website and request deletion of your information at any time.
13 Complyn messaging terms and conditions
How you opt in. We send SMS only to people who have given us their phone number and verbally agreed to receive messages from us during a call or conversation with our team. We record consent at the time it is given. Mobile opt-in data is never shared with anyone for any purpose.
What kinds of messages we send. By opting in, you agree to receive SMS messages from Complyn, including appointment reminders, scheduling confirmations, engagement status updates, document requests, and customer support messages. We do not send marketing or promotional SMS.
How to opt out. You can opt out of SMS messages at any time by replying STOP or UNSUBSCRIBE to any message you receive from us. You can also text STOP to (208) 980-9400 directly. After we receive your opt-out message, we will send one final SMS confirming you have been unsubscribed, and you will not receive further SMS messages from us. If you want to opt back in, contact us and we'll restart your messages.
How to get help. For help with the SMS program, reply HELP to any message, text HELP to (208) 980-9400, or contact us directly at [email protected].
Message delivery. Carriers are not liable for delayed or undelivered messages.
Message frequency and rates. Message and data rates may apply for any messages sent to you from us and to us from you. Message frequency varies based on communication needs. If you have any questions about your text plan or data plan, contact your wireless provider.
Sender contact information. The sender of these SMS messages is Complyn LLC. If you have questions about this SMS program or this policy, contact Complyn at [email protected], by phone at (208) 980-9400, or by mail at PO Box 445, Rigby, ID 83442. For other privacy questions not specific to SMS, please read the rest of this privacy policy.
Questions about privacy?
If you have any questions about this policy, your data, or how we handle privacy in general, reach out. A real person will respond, usually within one business day.