Privacy Policy

Last updated: March 2026

Who We Are

ComplyShield is a product of UP2DATE Software SRL, a company registered in Romania. We provide a multi-framework compliance platform for financial institutions. When we refer to "we", "us", or "our" in this policy, we mean UP2DATE Software SRL.

What Data We Collect

We collect the following categories of data:

  • Account information — name, email address, organisation name, and role when you create an account or request a demo.
  • Usage data — login timestamps, pages visited within the platform, and feature usage for product improvement purposes.
  • Compliance data — ICT assets, risk assessments, incidents, vendor information, and compliance records that you enter into the platform. This data belongs to you.
  • Technical data — IP address, browser type, device type, and operating system for security monitoring and troubleshooting.

How We Use Your Data

We use the data we collect for the following purposes:

  • Provide the service — operate and maintain your ComplyShield instance, process your compliance data, and deliver the features you use.
  • Improve the platform — analyse usage patterns (aggregated, never individual compliance data) to improve features, performance, and user experience.
  • Security — monitor for unauthorised access, detect anomalies, and protect the integrity of your data and our infrastructure.
  • Communication — send essential service notifications, security alerts, and (with your consent) product updates.

Data Sharing

We do not sell your data. We only share data with third parties in the following limited circumstances:

  • Sub-processors — infrastructure providers (hosting, email delivery) that help us operate the service. All sub-processors are contractually bound to protect your data.
  • Legal requirements — if required by law, regulation, or legal process (e.g., court order or regulatory request).

Data Retention

We retain your data for as long as your account is active. After account termination, we retain your data for 30 days to allow for reactivation or data export. After that period, all data is permanently deleted from our systems and backups.

Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate personal data.
  • Right to erasure — request deletion of your personal data ("right to be forgotten").
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing of your personal data for specific purposes.

Security Measures

We protect your data with encryption at rest (AES-256) and in transit (TLS 1.3), mandatory two-factor authentication, role-based access control, comprehensive audit logging, and security headers (HSTS, CSP, X-Frame-Options). Each client instance is fully isolated with a dedicated database. For more details, see our Security page.

Contact

For privacy-related inquiries, data subject requests, or questions about this policy, contact us at:

privacy@up2date.ro

UP2DATE Software SRL
Romania, European Union