ClearCompli

Privacy Policy

1. Introduction

Welcome to ClearCompli, a trade name of AvniCloud LLC, an Illinois limited liability company. We are committed to protecting your privacy and ensuring transparency in how we collect, use, and protect your personal data. This Privacy Policy explains our data practices and your rights regarding your personal information.

ClearCompli is a compliance management platform that helps organizations manage their compliance obligations, conduct risk assessments, and maintain audit trails. This policy applies to all users of our platform, including visitors to our website, registered users, and members of customer organizations.

Our privacy practices are built on five core principles:

  • Transparency: We are clear about what data we collect and how we use it
  • Consent: You have control over your personal data
  • Data Minimization: We only collect data necessary for our services
  • Purpose Limitation: We use data only for stated purposes
  • Accountability: We take responsibility for protecting your data

2. Data Collection

We collect various types of personal data to provide and improve our services:

Contact Information

  • Full name
  • Email address
  • Phone number
  • Company name and job title

Account Information

  • Username and password (encrypted)
  • User role and permissions
  • Organization membership
  • Account preferences and settings

Usage Data

  • Login times and session duration
  • Feature usage and interaction patterns
  • IP addresses and geolocation data
  • Browser type, version, and user agent
  • Device information and operating system

Compliance Data

  • Framework assessments and control implementations
  • Evidence files and documentation
  • Audit trails and activity logs
  • Risk assessment data

Technical Data

  • Cookies and session tokens
  • Device identifiers
  • API usage logs

3. Collection Methods

We collect personal data through various methods:

Direct Collection

Information you provide directly through:

  • Account registration and profile setup
  • Demo request forms
  • Contact forms and support requests
  • Profile updates and preference changes
  • Document uploads and evidence submission

Automatic Collection

Information collected automatically through:

  • Cookies and similar tracking technologies
  • Server logs and analytics tools

Platform Usage

Information generated through your use of the platform:

  • Activity logs and audit trails
  • Feature interactions and workflows
  • System-generated timestamps and metadata

4. Data Processing Purposes

We process your personal data for the following purposes:

Service Delivery

  • Account management and authentication
  • Compliance tracking and reporting
  • Framework assessments and control management
  • Document storage and evidence management

Communication

  • Customer support and technical assistance
  • Service notifications and updates
  • Security alerts and important announcements
  • Marketing communications (with your consent)

Security and Fraud Prevention

  • Authentication and access control
  • Fraud detection and prevention
  • Security monitoring and incident response
  • Audit trail maintenance

Legal Compliance

  • Regulatory reporting requirements
  • Data retention obligations
  • Legal process and law enforcement requests

Business Operations

  • Platform analytics and usage insights
  • Service improvement and feature development
  • Performance monitoring and optimization

Important: We will not process your personal data for purposes incompatible with the original collection purpose without obtaining your explicit consent.

7. Data Minimization

We are committed to collecting only the personal data that is adequate, relevant, and limited to what is necessary for our stated purposes.

Our Commitment

  • Optional data fields are clearly marked during collection
  • You are not required to provide more data than necessary for the requested service
  • We conduct periodic reviews of our data collection practices
  • We regularly audit and delete unnecessary personal data

Technical Measures

  • Automated data deletion after retention periods
  • Purpose-based access controls
  • Data anonymization where possible

8. Your Privacy Rights

You have the following rights regarding your personal data:

Right to Access

You can request a copy of the personal data we hold about you.

Right to Rectification

You can request correction of inaccurate or incomplete personal data.

Right to Deletion ("Right to be Forgotten")

You can request deletion of your personal data, subject to legal retention requirements.

Right to Data Portability

You can request a copy of your data in a portable, machine-readable format.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent

You can withdraw consent for processing activities that require consent.

How to Exercise Your Rights

To exercise any of these rights, contact us at contact@clearcompli.com. We will respond to verifiable requests within forty-five (45) days of receipt, consistent with applicable US state privacy laws. Where permitted by law, we may extend this period by an additional forty-five (45) days with prior written notice explaining the reason for the extension.

Identity Verification: To protect your privacy, we will verify your identity before fulfilling data requests. We may require your email address, account details, or government-issued ID for sensitive requests.

9. Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected:

Account Data

Retained for the duration of your active account and for three (3) years following account closure or termination, unless a longer retention period is required by applicable law or regulation.

Compliance Data

Retained for a minimum of seven (7) years from the date of collection or last update, consistent with regulatory audit requirements and industry standards applicable to AI governance and compliance records.

Audit Trails

Retained for a minimum of 7 years for compliance and audit purposes.

Marketing Data

Retained until you withdraw consent or unsubscribe from marketing communications.

Deletion Process

After retention periods expire, we securely delete or anonymize personal data. Some data may be retained longer to satisfy legal, regulatory, or contractual obligations.

10. Third-Party Data Sharing

We share personal data with third parties only as necessary to provide our services:

Service Providers

  • Cloud infrastructure providers (AWS)
  • Email service providers
  • Analytics platforms
  • Payment processors
  • Customer support tools

Our Commitments

  • We do not sell your personal data to third parties
  • Third-party sharing is limited to necessary purposes only

Legal Disclosures

We may disclose personal data when required by law, legal process, or to protect our rights, property, or safety.

11. Data Security

We implement comprehensive security measures to protect your personal data:

Technical Measures

  • Encryption in transit (TLS/SSL)
  • Encryption at rest for sensitive data
  • Multi-factor authentication (MFA)
  • Access controls and authentication mechanisms
  • Audit logging and monitoring

Organizational Measures

  • Access restrictions based on role and the principle of least privilege
  • AWS-specific security controls including AWS WAF (web application firewall), AWS Cognito (identity and access management with encrypted credential storage), and AWS S3 server-side encryption for all stored data
  • Annual security awareness training for all personnel with access to personal data
  • Third-party vendor security assessments conducted prior to onboarding
  • A documented incident response plan with defined breach identification, containment, and notification procedures
  • Regular vulnerability assessments of platform infrastructure

Data Breach Notification

In the event of a data breach affecting your personal data, we will notify affected users: (a) within 72 hours of discovery for users whose data is subject to GDPR; (b) within 30 days of discovery for US-based users, consistent with the Illinois Personal Information Protection Act and other applicable state notification laws; and (c) promptly as required by other applicable laws. Breach notifications will include the nature of the incident, categories of data affected, steps taken, and recommended protective actions. Where required, we will also notify relevant supervisory authorities.

12. Accountability and Compliance

We take accountability for data protection seriously:

Governance

  • Comprehensive documentation of all data processing activities (Records of Processing Activities / ROPA)
  • All employees and contractors with access to personal data receive annual privacy and security awareness training
  • We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, including new AI-powered features
  • Third-party vendors who process personal data on our behalf are subject to contractual data processing obligations and periodic due diligence reviews
  • We maintain a documented incident response plan with defined escalation, containment, and notification procedures
  • Annual privacy policy reviews

13. Cookies and Tracking

We use cookies and similar tracking technologies to enhance your experience:

Types of Cookies

  • Essential Cookies: Required for platform functionality and security
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Help us understand usage patterns and improve our service
  • Marketing Cookies: Used for targeted advertising (with your consent)

Managing Cookies

You can manage cookie preferences through our cookie preference center (accessible via the cookie settings link in the website footer), or through:

  • Your browser settings

For more information, see our Cookie Policy.

Do Not Track Signals

We currently do not respond to Do Not Track (DNT) browser signals. However, we do honor the Global Privacy Control (GPC) opt-out preference signal as required under the California Privacy Rights Act (CPRA). If you transmit a GPC signal, we will treat it as a valid opt-out of the sale or sharing of your personal data. You can also manage tracking preferences through your browser settings or our cookie preference center.

14. International Data Transfers

ClearCompli stores and processes all personal data on AWS cloud infrastructure located in the United States (US-East-1 region). If you are located outside the United States, your personal data will be transferred to and processed in the United States. By using our Services, you consent to this transfer. We implement appropriate safeguards to protect personal data transferred internationally, consistent with applicable law.

Data Storage Locations

Our primary data storage is located in the United States. We use cloud infrastructure with data centers in regions that comply with applicable data protection regulations.

15. Children's Privacy

ClearCompli is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children.

If we become aware that we have collected personal data from a child under 18 without parental consent, we will take steps to delete that information as quickly as possible.

If you believe we have collected information from a child, please contact us immediately at contact@clearcompli.com.

16. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Your California Rights

  • Right to Know: Request disclosure of personal data collected, used, and shared
  • Right to Delete: Request deletion of your personal data
  • Right to Correct: Request correction of inaccurate personal data
  • Right to Opt-Out: Opt out of the sale or sharing of personal data
  • Right to Limit: Limit the use of sensitive personal information
  • Right to Non-Discrimination: Exercise rights without discriminatory treatment

Data Sales and Sharing

We do not sell your personal data. We may share data with service providers for business purposes as described in this policy.

Exercising Your Rights

To exercise your California privacy rights:

We will respond to verifiable requests within 45 days (or as required by law).

Authorized Agents

You may designate an authorized agent to make requests on your behalf. We will require proof of authorization and may verify your identity directly.

17. State-Specific Privacy Rights

Residents of certain U.S. states have additional privacy rights under state laws:

Covered States (as of 2026)

The following states have comprehensive privacy laws with similar rights:

  • California (CCPA/CPRA)
  • Virginia (VCDPA)
  • Colorado (CPA)
  • Connecticut (CTDPA)
  • Utah (UCPA)
  • Texas (TDPSA)
  • Oregon (OCPA)
  • Montana (MCDPA)
  • And others

Common State Rights

  • Right to access personal data
  • Right to correct inaccurate data
  • Right to delete personal data
  • Right to data portability
  • Right to opt out of targeted advertising

To exercise your state-specific rights, contact us at contact@clearcompli.com and specify your state of residence.

18. AI and Automated Decision-Making

We are committed to transparency in our use of artificial intelligence.

Current AI Usage

We currently use AI and automated systems for:

  • Risk assessment recommendations
  • Content recommendations

Transparency Disclosures

For consequential decisions (e.g., risk scores, compliance recommendations):

  • We disclose when AI is used
  • Human review is required for decisions

19. Policy Updates

We review and update this Privacy Policy annually or when material changes occur.

Annual Review Mandate

As required by state privacy laws effective in 2026, we conduct annual reviews of our privacy practices and update this policy accordingly.

How We Notify You

When we make material changes to this policy:

  • We will send email notifications to registered users
  • We will display a prominent notice on our website
  • For significant changes, we may require re-acceptance of the policy

Annual Re-Acceptance

We will notify registered users of any material changes to this Privacy Policy by email to the address on file. Continued use of the Services following the effective date of a revised policy constitutes acceptance of the updated terms. If you do not agree to a revised policy, you may close your account before the revised policy takes effect.

20. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Response Time

We will respond to your inquiry within 30 days (or as required by applicable law).

© 2026 ClearCompli. All rights reserved. ClearCompli is a wholly-owned product of AvniCloud LLC.