1. Information We Collect

Account & Organization Information

When you register for ComplyIQ, we collect:

• Your name, email address, and password
• Organization name, subdomain, state, and contact information
• Billing information (processed securely by Stripe — we do not store card numbers)
• Your role and permissions within your organization

Compliance & Assessment Data

As you use ComplyIQ to manage compliance, we store:

• Assessment responses, control answers, and compliance scores
• Evidence files you upload (documents, images, PDFs)
• Notes and annotations associated with controls
• Generated PDF audit reports
• Student records entered into the SPED/IDEA module (where applicable)

Usage & Technical Data

We automatically collect certain technical information when you use ComplyIQ:

• IP address, browser type, and operating system
• Pages visited, features used, and session duration
• Error logs and performance data

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the ComplyIQ platform
• Process billing and manage your subscription
• Generate compliance reports and audit documentation
• Send transactional emails (account confirmations, billing receipts)
• Respond to support requests
• Monitor for security threats and prevent unauthorized access
• Comply with legal obligations

We do not sell your data to third parties. We do not use your compliance data or student records for advertising purposes.

3. Data Isolation & Multi-Tenancy

ComplyIQ is a multi-tenant platform. Each organization's data is logically isolated using organization IDs and subdomain-based access controls. Users can only access data belonging to their own organization. Evidence files are stored in organization-specific directories and are not accessible by other tenants.

Superadmin access is limited to ByteMechanix staff for platform administration and support purposes only.

4. Student Data & FERPA

For K-12 customers, ComplyIQ may process student personally identifiable information (PII) entered into the SPED/IDEA module. We operate as a school official under FERPA with a legitimate educational interest in processing this data solely to provide the contracted service.

• Student data is never used for advertising or sold to third parties
• Student data is stored only as long as your subscription is active
• Upon account termination, student data is deleted within 30 days
• We do not share student data with any third parties except as required by law

5. HIPAA

If your organization uses ComplyIQ to manage HIPAA compliance documentation, please note that ComplyIQ is a compliance management tool, not a covered entity or business associate under HIPAA by default. If your use case requires a Business Associate Agreement (BAA), please contact us at ej@bytemechanix.co.

6. Data Security

We implement industry-standard security measures to protect your data:

• All data is transmitted over HTTPS/TLS encryption
• Evidence files are stored in organization-isolated directories with access controls
• Passwords are hashed using bcrypt — we never store plaintext passwords
• All servers are hardened with fail2ban, SSH key authentication, and firewall rules
• Access logs are maintained for all authentication events

If you discover a security vulnerability, please report it responsibly to ej@bytemechanix.co.

7. Data Retention

We retain your data for as long as your account is active. Upon cancellation:

• Account and organization data is retained for 30 days, then deleted
• Evidence files are deleted within 30 days of account termination
• Billing records are retained for 7 years as required by law
• You may request immediate deletion by contacting us

8. Third-Party Services

ComplyIQ uses the following third-party services:

• Stripe — Payment processing. stripe.com/privacy
• Vultr — Cloud infrastructure hosting in US-based data centers
• Let's Encrypt — SSL certificate issuance

We do not use Google Analytics, Facebook Pixel, or any third-party advertising trackers.

9. Cookies

ComplyIQ uses session cookies to maintain your login state. We do not use tracking or advertising cookies. Session cookies are scoped to your organization's subdomain and expire when you log out or close your browser.

10. Your Rights

You may have the right to access, correct, delete, or export your personal information. To exercise any of these rights, contact us at ej@bytemechanix.co.

11. Children's Privacy

ComplyIQ is not directed to children under 13. Student data entered by school administrators into the SPED/IDEA module is handled in accordance with FERPA and COPPA as described in Section 4.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify active subscribers of material changes via email at least 14 days before they take effect.

13. Contact Us