Privacy Policy
Last updated: March 14, 2026
1. Data Controller
Prevision UG (haftungsbeschränkt)
Korseifener Straße 39
51597 Morsbach, Germany
Email: info@komplify.de
Phone: +49 (0) 2294 9964780
The data controller within the meaning of the General Data Protection Regulation (GDPR) is the entity named above.
A Data Protection Officer has not been appointed, as the requirements under Art. 37 GDPR in conjunction with Section 38 BDSG (German Federal Data Protection Act) are not met.
2. Overview of Processing Activities
Komplify is a SaaS platform for automated website accessibility testing in accordance with the German Accessibility Strengthening Act (BFSG) and the Web Content Accessibility Guidelines (WCAG) 2.2 AA. Below, we inform you comprehensively about the nature, scope, and purpose of the collection and processing of personal data when using our website and services.
3. Data Collected and Purposes of Processing
3.1 Account Data (Registration and Login)
When registering and using your account, we process:
- Email address — for account identification, sending verification codes, scan notifications, and account-related communication
- Password — stored exclusively by AWS Cognito as a cryptographic hash. Komplify never has access to your plaintext password.
- Cognito User ID — a technical identifier automatically generated during registration
Legal basis: Art. 6(1)(b) GDPR (contract performance).
3.2 Third-Party Login (Social Login)
You can alternatively sign in via Google or Microsoft. The following data is transmitted from the respective provider to us:
- Email address
- Provider user ID (technical identifier)
We never receive your Google or Microsoft password. Authentication is performed via the standardized OAuth 2.0 protocol. No additional profile information (name, profile picture, etc.) is retrieved or stored.
Please note that Google and Microsoft, as independent data controllers, may process their own data during OAuth authentication (e.g., logging of the login process). For more information, see the respective providers' privacy policies.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
3.3 Scan Data
When you perform an accessibility scan, we process:
- Domain URL — the website address you provide
- Scan results — detected accessibility violations (rule ID, severity, description, affected HTML element, CSS selector, WCAG criteria)
- Page scores — automatically calculated accessibility ratings
- Content hash — a cryptographic hash (SHA-256) of the accessibility-relevant DOM structure for detecting changes in subsequent scans
- Content signals — technical characteristics of the scanned page (e.g., whether audio, video, or forms are present), without personal content
The scanner does not collect any personal data from the scanned websites. No form contents, user inputs, cookies, or login credentials of the target site are read.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
3.4 AI-Powered Fix Suggestions
You can optionally request AI-generated fix suggestions for individual accessibility violations. The following data is sent to the AI model (Claude by Anthropic, provided via AWS Bedrock in the eu-central-1 region):
- Rule ID and description of the violation
- The affected HTML element (maximum 2,000 characters)
- CSS selector and page URL
No personal data is sent to the AI model. Processing takes place exclusively in the AWS region eu-central-1 (Frankfurt). The generated fix suggestions are stored in your database.
Use of this feature is voluntary and must be triggered individually for each violation.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
3.5 Free Scan (Without Registration)
For the use of the free scan without registration, we process:
- IP address — immediately and irreversibly hashed using SHA-256. The hash is used solely for rate limiting (max. 3 scans per IP within 24 hours). The raw IP address is never stored.
- Website URL — the address to be tested
- Email address (optional) — if you voluntarily provide it to receive the scan report by email. In this case, you will receive a maximum of two follow-up emails (after 24 and 72 hours).
All free scan data is automatically deleted after 24 hours.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in abuse prevention through rate limiting) for IP hash processing; Art. 6(1)(b) GDPR (pre-contractual measures) for the scan; Art. 6(1)(a) GDPR (consent) for the voluntary provision of the email address. You may withdraw your consent to receive emails at any time by sending an email to info@komplify.de. Free scan data is automatically deleted after 24 hours regardless.
3.6 Notification Email Addresses
You can add additional email addresses per domain to be notified when a scan is completed. These email addresses are used exclusively for sending scan result notifications and can be removed by you at any time.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
3.7 Payment Data
Payment processing is handled entirely by Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.
Komplify transmits to Stripe only your email address and an internal user ID. Credit card or bank details are never routed through or stored on our servers.
Stripe processes your payment data as an independent data controller. Stripe may process payment data outside the EU and relies on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. For more information, see Stripe's Privacy Policy.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
3.8 PDF Reports
The generated accessibility reports (PDF, BFSG declaration, CSV export) contain exclusively technical scan results (domain URL, scores, violations, WCAG criteria). They do not contain personal data.
Reports are stored encrypted (AES-256) in AWS S3 in the eu-central-1 region. Access is provided via time-limited URLs (15-minute validity).
Legal basis: Art. 6(1)(b) GDPR (contract performance).
4. Cookies
Komplify uses technically necessary cookies and — only with your explicit consent via our cookie banner — optional analytics cookies:
| Name | Type | Purpose | Duration | Security |
|---|---|---|---|---|
| accessToken | Cookie | Authentication for API requests | 30 days | httpOnly, Secure, SameSite=Strict |
| refreshToken | Cookie | Renewal of the access token | 30 days | httpOnly, Secure, SameSite=Strict |
| sidebar_state | Cookie | Stores sidebar state (open/closed) in the dashboard | 7 days | SameSite=Lax (browser default) |
| cookie-consent | Cookie | Stores your cookie preferences | 1 year | SameSite=Strict, Secure |
| _ga | Cookie | Google Analytics — distinguishes unique users (only with consent) | 2 years | Third-party (Google) |
| _ga_* | Cookie | Google Analytics — session state (only with consent) | 2 years | Third-party (Google) |
The accessToken and refreshToken cookies are marked as httpOnly and cannot be read by JavaScript. They are transmitted only over encrypted HTTPS connections (Secure flag) and are protected against cross-site attacks (SameSite=Strict).
The sidebar_state cookie stores a purely functional user preference (sidebar expanded or collapsed) and contains no personal data.
4.1 Web Analytics (Google Analytics 4)
We use Google Analytics 4 (GA4), a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics is only activated after your explicit consent via our cookie banner. Without your consent, no analytics cookies are set and no data is transmitted to Google.
When consent is given, Google Analytics collects:
- Page views and navigation paths
- Approximate location (country/region, no precise IP geolocation)
- Device information (browser, operating system, screen size)
- Session duration and interactions
Google Analytics 4 does not use full IP addresses by default. IP addresses are anonymized before storage.
Google may transfer collected data to the USA. Google LLC is certified under the EU-U.S. Data Privacy Framework (European Commission adequacy decision of July 10, 2023).
You may withdraw your consent at any time by changing your cookie preferences via the "Cookie Settings" link in the website footer. After withdrawal, no further data is transmitted to Google Analytics. Previously collected data is subject to Google's retention policies (14 months by default).
For more information, see Google's Privacy Policy.
We do not use advertising cookies or profiling. No services such as Facebook Pixel or comparable advertising tracking tools are used.
Legal basis for authentication cookies: Section 25(2)(2) TDDDG (German Telecommunications Digital Services Data Protection Act) — storage is strictly necessary for the provider to deliver a service explicitly requested by the user (login, dashboard usage). No consent is required. Additionally: Art. 6(1)(b) GDPR (contract performance).
Legal basis for sidebar cookie: The cookie stores a setting explicitly made by the user (expanding/collapsing the sidebar) and serves to provide the display state requested by the user (Section 25(2)(2) TDDDG). Additionally: Art. 6(1)(f) GDPR — our legitimate interest consists in user-friendly presentation of the application by preserving the user's chosen sidebar setting between visits.
Legal basis for analytics cookies (Google Analytics): Section 25(1) TDDDG — analytics cookies are only stored after the user's prior consent via our cookie banner. Art. 6(1)(a) GDPR (consent). Consent may be withdrawn at any time with effect for the future.
5. Web Fonts
This website uses the "Inter" typeface (Google Font). The font files are downloaded during the build process and served from our own server (self-hosted via Next.js). When visiting our website, no connection to Google servers is established. No data is transmitted to Google.
6. Content Delivery Network (CDN)
Our static website content (HTML, CSS, JavaScript, images) is delivered via Amazon CloudFront. CloudFront is a globally distributed CDN and may cache content at edge locations outside the EU.
When delivering static content via CloudFront, no personal data is processed — these are exclusively publicly accessible, non-personal files. The user's IP address is technically processed by CloudFront for the duration of the connection but is not stored or logged (CloudFront access logs are disabled).
All API requests that may contain personal data are processed exclusively via the AWS region eu-central-1 (Frankfurt) and are not routed through CloudFront edge locations.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and performant website delivery).
7. Hosting and Data Processors
7.1 Amazon Web Services (AWS)
Our platform is hosted entirely on Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg.
All personal data is processed and stored exclusively in the AWS region eu-central-1 (Frankfurt am Main, Germany). The only exception: TLS certificates for CloudFront are technically provisioned in the us-east-1 region — this concerns only cryptographic certificate metadata, not personal data.
The following AWS services are used:
- Amazon Cognito — user management and authentication (storage of email address and password hash)
- Amazon RDS (PostgreSQL) — database for account data, domains, scan results (encrypted, isolated subnet, no public access)
- Amazon S3 — storage of PDF reports (server-side encrypted with AES-256, no public access)
- Amazon SES — sending transactional emails (eu-central-1 region)
- Amazon CloudFront — Content Delivery Network for static content (see Section 6)
- Amazon Bedrock — AI model for optional fix suggestions (eu-central-1 region, model: Claude by Anthropic)
- AWS Lambda, ECS Fargate, Step Functions — serverless compute infrastructure for API and scanner
- Amazon CloudWatch — operational logging with automatic PII redaction (see Section 10)
The basis for data processing by AWS is a Data Processing Agreement pursuant to Art. 28 GDPR (AWS Data Processing Addendum).
7.2 Stripe
Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, processes payment data as an independent data controller. Stripe may transfer payment data to third countries and relies on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. More information: Stripe's Privacy Policy.
7.3 Google (Google Analytics)
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, processes usage data within Google Analytics 4 as a data processor on the basis of a Data Processing Agreement pursuant to Art. 28 GDPR (Google Ads Data Processing Terms).
Google may transfer data to the USA. Google LLC (USA) is certified under the EU-U.S. Data Privacy Framework (European Commission adequacy decision of July 10, 2023). Data processing only occurs after the user's explicit consent (see Section 4.1).
7.4 GitHub
GitHub, Inc. is used exclusively for source code version control and CI/CD. End-user data is not transmitted to GitHub.
8. Email Communication
We send the following types of emails:
- Authentication codes — verification codes for registration, password reset, and email changes (sent via AWS Cognito)
- Scan notifications — result summaries upon completion of a scan, including score history and changes
- Follow-up emails (free scan only) — a maximum of two emails (after 24 and 72 hours), only if you have voluntarily provided your email address
All emails are sent via Amazon SES in the eu-central-1 region. Sending occurs through the verified domain komplify.de (DKIM, SPF, DMARC).
Legal basis: Art. 6(1)(b) GDPR (contract performance) for account-related emails; Art. 6(1)(a) GDPR (consent) for free scan follow-up emails.
9. Data Retention and Deletion
| Data | Retention Period | Deletion |
|---|---|---|
| Account data (email, Cognito ID) | Until account deletion | Account deletion in settings |
| Scan results (paid scans) | Until account deletion | Account deletion in settings |
| PDF reports (paid scans) | Until account deletion | Account deletion in settings |
| Free scan (all data) | 24 hours | Automatic deletion |
| IP hash (free scan) | 24 hours | Automatic deletion |
| Authentication cookies | 30 days | Automatic expiry or logout |
| Sidebar cookie | 7 days | Automatic expiry |
| Analytics cookies (Google Analytics) | 2 years | Withdrawal of consent or automatic expiry |
| Operational logs (no PII) | 30 days | Automatic rotation |
| Stripe payment data | Per Stripe policy | Account deletion cancels subscription |
9.1 Account Deletion
You can delete your account at any time via the account settings. Upon account deletion, the following are completely and irreversibly deleted:
- All account data in our database (user, domains, scans, results, violations, manual checks, AI fixes)
- All PDF reports and CSV exports in AWS S3
- Your user account in AWS Cognito
- Active Stripe subscriptions are cancelled
Deletion is immediate and irreversible. No data is retained.
10. Logging and PII Protection
Our operational logs use automatic redaction of personal data. The following fields are automatically removed or masked before logging:
- Email addresses
- Authentication tokens
- Cookies
- Authorization headers
- IP addresses
Logs use only technical identifiers (UUIDs) that do not allow identification of natural persons. Logs are automatically deleted after 30 days.
11. Data Security
We protect your data through the following technical and organizational measures:
- Encryption of all data transfers with TLS 1.2+ (HTTPS)
- Server-side encryption of all stored data (AES-256)
- Database in an isolated, non-publicly-accessible subnet (no internet access)
- httpOnly cookies with Secure and SameSite=Strict flags
- Password hashing via AWS Cognito (industry-standard algorithms)
- Local JWT validation without network calls
- Role-based access control: every database query verifies ownership by the authenticated user (row-level security)
- Automatic PII redaction in all operational logs
- SSRF protection: blocking of private IP ranges, AWS metadata endpoints, and DNS rebinding attacks when scanning external URLs
- HSTS (HTTP Strict Transport Security) with preload
12. Automated Decision-Making
No automated decision-making within the meaning of Art. 22 GDPR takes place. Accessibility scores and scan results are purely informational technical assessments and have no legal or similarly significant effect on you.
The optional AI-powered analysis (see Section 3.4) provides only suggestions and hints that must be manually reviewed and confirmed by you.
13. Transfer to Third Countries
All personal data is processed and stored exclusively in the European Union (AWS region eu-central-1, Frankfurt am Main, Germany).
No transfer of personal data to third countries is made by Komplify. In detail:
- TLS certificates (AWS us-east-1): Concerns only cryptographic metadata, not personal data.
- CloudFront CDN: Delivers only static, non-personal files via edge locations. No storage or logging of personal data.
- Stripe: As an independent data controller, Stripe may process payment data in accordance with its own privacy policy and uses Standard Contractual Clauses (SCCs) for third-country transfers.
- Google Analytics: When consent is given, usage data is transmitted to Google. Google LLC (USA) is certified under the EU-U.S. Data Privacy Framework (European Commission adequacy decision of July 10, 2023). A Data Processing Agreement is in place (see Section 7.3). Data transfer only occurs after explicit consent.
- Google/Microsoft OAuth: When using the social login feature, Google LLC (USA) and Microsoft Corporation (USA) process data as independent data controllers in accordance with their own privacy policies. Both companies are certified under the EU-U.S. Data Privacy Framework. Data transfer only occurs when you actively use the social login feature.
14. Your Rights Under the GDPR
You have the following rights with regard to your personal data:
- Right of access (Art. 15 GDPR) — You may request information about your personal data stored with us.
- Right to rectification (Art. 16 GDPR) — You may request correction of inaccurate data. You can change your email address yourself in the account settings.
- Right to erasure (Art. 17 GDPR) — You may request deletion of your data. Via the account settings, you can independently and completely delete your account including all associated data at any time.
- Right to restriction of processing (Art. 18 GDPR) — You may request restriction of the processing of your data.
- Right to data portability (Art. 20 GDPR) — You may export your data in a structured, commonly used, and machine-readable format (JSON). The export function is available in your account settings.
- Right to object (Art. 21 GDPR) — You may object to the processing of your data based on Art. 6(1)(f) GDPR (legitimate interest) at any time. This applies in particular to IP hash processing for the free scan and the sidebar cookie.
- Right to withdraw consent (Art. 7(3) GDPR) — If you have given consent (e.g., providing your email address for the free scan), you may withdraw it at any time with effect for the future.
To exercise your rights, please contact info@komplify.de. We will process your request without undue delay, and in any case within one month.
15. Obligation to Provide Personal Data
In the context of our business relationship, you must provide the personal data that is necessary for the establishment and performance of the contractual relationship:
- Registration: Providing an email address and password is contractually required. Without this data, no user account can be created.
- Paid plans: Providing payment data via Stripe is required to purchase a subscription. Without payment data, only the free plan can be used.
- Free scan: Providing a website URL is required to perform the scan. Providing an email address is voluntary — without it, you will not receive the report by email, but the scan is still performed.
There is no legal obligation to provide personal data. Non-provision only means that the respective service cannot be used or can only be used in a limited manner.
16. Minors
Komplify is intended exclusively for businesses and commercial users (B2B). Our services are not intended for persons under 16 years of age. We do not knowingly collect personal data from minors.
17. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data (Art. 77 GDPR). The supervisory authority responsible for us is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Postfach 20 04 44
40102 Düsseldorf, Germany
www.ldi.nrw.de
18. Changes to This Privacy Policy
We reserve the right to update this privacy policy as needed to adapt it to changed legal requirements or changes to our services. The current version can always be found on this page. Registered users will be notified by email of material changes.
19. Contact
For questions about data protection, please contact:
Prevision UG (haftungsbeschränkt)
Korseifener Straße 39, 51597 Morsbach, Germany
info@komplify.de