Complii Privacy Policy

1. Who We Are

ControlBox Corp. operates the Complii compliance platform. Depending on the context of processing, ControlBox may act as:

• a data processor on behalf of customers using Complii
• a data controller for account, billing, and service administration data

2. Information We Collect

We may collect and process the following categories of data:

• account and profile data (name, business email, role, company details)
• authentication and security data (login events, device and IP metadata)
• customer-submitted compliance data processed through the platform
• transactional and operational data generated by platform usage
• support communications and ticketing records
• website usage and analytics data

3. How We Use Information

We use personal data for legitimate business and compliance purposes, including:

• providing and maintaining the Complii platform
• processing sanctions, watchlist, and risk-screening workflows
• securing accounts and detecting misuse or fraud
• operating customer support and service communications
• improving service performance, reliability, and features
• meeting legal, regulatory, and contractual obligations

4. Legal Bases for Processing (GDPR)

Where GDPR applies, processing is based on one or more of the following:

• performance of a contract
• legitimate interests in operating and securing the service
• compliance with legal obligations
• consent, where specifically required

Customers are responsible for ensuring an appropriate lawful basis when submitting personal data to the platform for screening and compliance operations.

5. Customer Data Processing Role

For data that customers submit to Complii for compliance workflows, ControlBox generally acts as a data processor under customer instructions.

Processing terms for such data are governed by applicable contractual terms, including the Data Processing Agreement (DPA).

6. Data Sharing and Disclosure

We do not sell personal data. We may disclose data only as necessary to:

• trusted service providers and subprocessors supporting platform operations
• comply with applicable law, regulation, or lawful authority request
• protect rights, security, and integrity of ControlBox, customers, and third parties
• support business transfers where legally permitted and properly safeguarded

Service providers are contractually required to protect data and process it only for authorized purposes.

7. International Data Transfers

Data may be processed in countries different from the data subject’s country of residence. Where required, ControlBox implements lawful transfer mechanisms and safeguards, including Standard Contractual Clauses (SCCs) where appropriate.

8. Data Retention

We retain personal data for as long as necessary for service delivery, contract performance, security, dispute resolution, and legal compliance.

Retention periods vary based on data type, legal requirements, and operational needs. Upon valid request and where applicable, data is deleted or anonymized in accordance with contractual and legal obligations.

9. Security Measures

ControlBox applies commercially reasonable technical and organizational measures to protect personal data, including access controls, encryption in transit, monitoring, and secure infrastructure practices.

No method of transmission or storage is completely secure. We continuously review and improve safeguards according to risk and operational requirements.

10. Data Subject Rights

Where applicable law provides, individuals may have rights including:

• access to personal data
• rectification of inaccurate data
• deletion (right to be forgotten), subject to legal limits
• restriction or objection to certain processing
• data portability
• withdrawal of consent where processing is consent-based

Requests may be submitted using the contact details below. If ControlBox processes data as a processor, we may direct requests to the relevant customer controller.

11. Cookies and Analytics

The website and public pages may use cookies or similar technologies for essential functionality, security, and analytics.

Where required by law, we provide notice and obtain consent before placing non-essential cookies.

12. Children’s Data

Complii services are intended for business use and are not directed to children. We do not knowingly collect personal data from children in connection with consumer-facing services.

13. Changes to This Privacy Policy

ControlBox may update this Privacy Policy from time to time to reflect legal, technical, or operational changes.

Updated versions will be posted on the website or platform with an updated effective date where applicable.

14. Contact

For privacy or data protection questions, please contact: