Privacy Policy

Effective date: 10 May 2025 · Last updated: 10 May 2025

1. Who We Are — Data Controller

cmply Ltd. ("cmply," "we," "us," or "our") is the data controller responsible for the personal data processed in connection with the cmply platform (the "Platform"). We are incorporated under the laws of the Republic of Bulgaria.

For data protection inquiries, please contact our Data Protection Officer at: dpo@cmply.pro

This Privacy Policy applies to all users of the Platform, including visitors to our website (cmply.pro), registered account holders, and demo users.

2. Data We Collect

We collect the following categories of personal data:

Account and Identity Data

  • Full name and email address (provided at registration)
  • Organization / company name
  • Country of incorporation
  • Account credentials (password stored as an Argon2id hash — we cannot retrieve your password)
  • User role within your organization

Usage and Activity Data

  • Blockchain addresses submitted to the Platform for analysis
  • Search history, saved addresses, notes, and internal records you create
  • Platform usage patterns, features accessed, and session duration
  • IP address, browser type, operating system, and device identifiers (collected automatically)
  • Log data including timestamps, request paths, and response codes

Payment Data

  • Billing contact information (name, address, email)
  • Payment method details are processed directly by our payment processor and are not stored on our servers

Communication Data

  • Emails, support tickets, and other communications you send to us

Data We Do Not Collect

  • We do not collect or store government-issued identification documents
  • We do not perform biometric processing
  • We do not intentionally collect data from children under 18

3. Legal Basis for Processing (GDPR Article 6)

We process your personal data on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)): Processing your account data, delivering the Services, managing billing, and providing customer support;
  • Legitimate interests (Art. 6(1)(f)): Platform security and abuse prevention, fraud detection, service improvement, and internal analytics. Our legitimate interests do not override your fundamental rights;
  • Legal obligation (Art. 6(1)(c)): Compliance with applicable laws including tax, accounting, and anti-money laundering obligations that apply to our business;
  • Consent (Art. 6(1)(a)): Where we send optional marketing communications. You may withdraw consent at any time.

4. How We Use Your Data

  • Service delivery: Authenticating you, providing address intelligence, storing your records, and operating all Platform features;
  • Account management: Processing registrations, subscription changes, billing, and support requests;
  • Platform security: Detecting unauthorized access, preventing fraud, enforcing our Terms of Service, and maintaining system integrity;
  • Service improvement: Analyzing aggregate usage patterns to improve Platform features and performance;
  • Legal compliance: Maintaining records required by applicable law, responding to lawful requests from authorities;
  • Communications: Sending transactional emails (account confirmations, password resets, billing notices) and, with your consent, product updates.

We do not use your data for automated decision-making that produces legal or similarly significant effects on you without human review.

5. Data Sharing and Third-Party Processors

We do not sell, rent, or trade your personal data. We share data only as described below:

Infrastructure and Hosting

  • Supabase / PostgreSQL: Cloud database hosting (EU region); your account and usage data is stored here;
  • Vercel / Cloudflare: Application hosting and content delivery;
  • Cloudflare R2: File storage for any uploaded documents.

Intelligence Data Providers

  • Arkham Intelligence: Blockchain address data, entity attribution, and transaction intelligence. Wallet addresses you submit are sent to Arkham's API for analysis. Arkham's own privacy policy governs their processing of this data;
  • Moralis / other blockchain RPC providers: Real-time on-chain data queries.

Payment Processing

  • Payment card data is processed by our payment provider under PCI-DSS standards. We do not store raw card numbers.

Legal Requirements

  • We may disclose personal data if required to do so by law, court order, or in response to a valid request by a competent authority (e.g., law enforcement, tax authority). We will, where legally permitted, notify you before disclosing your data.

Business Transfers

  • In the event of a merger, acquisition, or sale of all or substantially all assets, your data may be transferred to the acquiring entity. We will notify you of any such transfer.

All third-party processors are contractually obligated to process your data only as instructed and to maintain appropriate security measures.

6. International Data Transfers

We are based in Bulgaria (EU). Our infrastructure providers may transfer and process data in countries outside the European Economic Area (EEA). Where such transfers occur, we ensure they are protected by appropriate safeguards, including:

  • The European Commission's Standard Contractual Clauses (SCCs) as adopted under Implementing Decision (EU) 2021/914;
  • Adequacy decisions issued by the European Commission;
  • Binding Corporate Rules where applicable.

You may request a copy of the applicable transfer safeguards by contacting us at privacy@cmply.pro.

7. Data Retention

| Data Category | Retention Period | Reason |
|---|---|---|
| Account and identity data | Duration of contract + 5 years | Legal and contractual obligations |
| Usage logs and search history | 2 years from creation | Security, fraud prevention, support |
| Billing and payment records | 10 years from transaction | Bulgarian accounting and tax law |
| Communication records | 3 years | Legal claims period |
| Deleted account data | 30 days (soft delete), then purged | Recovery window |

After the applicable retention period, data is securely deleted or anonymized so it can no longer be associated with you.

8. Your Rights Under GDPR

If you are located in the European Economic Area, you have the following rights with respect to your personal data:

  • Right of access (Art. 15): You may request a copy of the personal data we hold about you;
  • Right to rectification (Art. 16): You may request correction of inaccurate or incomplete data;
  • Right to erasure / "right to be forgotten" (Art. 17): You may request deletion of your personal data, subject to exceptions for legal obligations;
  • Right to restriction of processing (Art. 18): You may request that we restrict processing of your data in certain circumstances;
  • Right to data portability (Art. 20): You may request your data in a structured, machine-readable format;
  • Right to object (Art. 21): You may object to processing based on legitimate interests or for direct marketing purposes;
  • Rights related to automated decision-making (Art. 22): You may request human review of any automated decision that significantly affects you;
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@cmply.pro. We will respond within 30 days. We may verify your identity before fulfilling requests. If you are unsatisfied with our response, you have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (cpdp.bg) or your local supervisory authority.

9. Security Measures

We implement technical and organizational security measures appropriate to the risks involved, including:

  • Passwords are hashed using Argon2id with high memory and time cost parameters — we cannot recover your plaintext password;
  • All data in transit is encrypted using TLS 1.2 or higher;
  • Database access is restricted to authorized services via credential-based authentication;
  • Access to production systems is limited to authorized personnel on a need-to-know basis;
  • We conduct periodic security reviews and apply security patches promptly.

No system is completely secure. If you discover a security vulnerability, please disclose it responsibly to privacy@cmply.pro. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify you without undue delay.

10. Cookies and Tracking

The Platform uses strictly necessary cookies for session management and authentication. We do not use advertising cookies, cross-site tracking, or behavioral profiling cookies.

  • Session cookie: Maintains your authenticated session. Deleted when you log out or the session expires;
  • CSRF protection token: Prevents cross-site request forgery attacks.

We do not use Google Analytics, Facebook Pixel, or similar third-party tracking technologies on the authenticated Platform. Our public website may use basic, privacy-respecting analytics that do not identify individual users.

Because we only use strictly necessary cookies, we do not display a cookie consent banner for the authenticated Platform. If we introduce non-essential cookies in the future, we will update this policy and request your consent where required.

11. Children's Privacy

The Platform is intended for business use by adults. We do not knowingly collect personal data from individuals under 18 years of age. If you believe we have inadvertently collected such data, please contact us at privacy@cmply.pro and we will promptly delete it.

12. Note on Blockchain Address Data

When you submit a blockchain wallet address for analysis, that address (a public blockchain identifier) is transmitted to our third-party intelligence provider (Arkham Intelligence) for processing. Blockchain addresses are generally pseudonymous — they do not inherently identify a natural person. However, if an address is linked to an identified individual in our or a third-party's systems, such processing may constitute personal data processing under GDPR.

You are responsible for ensuring your submission of wallet addresses for analysis complies with applicable data protection laws, including having a lawful basis where those addresses are or can be linked to identified individuals.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email or prominent notice on the Platform at least 30 days before the changes take effect. The effective date at the top of this page reflects when the current version came into force.

14. Contact Us

For questions, concerns, or to exercise your privacy rights:

We aim to respond to all requests within 30 days. For complex requests, we may extend this by up to two additional months, in which case we will notify you of the extension and the reason.

© 2025 cmply Ltd.