cmpliancethe agentic workforce

Legal

Privacy policy

Last updated: 28 May 2026

1. Who we are and how to reach us

cmpliance.ai is operated by paterhn GmbH ("paterhn", "we", "us", "our"), registered in Zug, Switzerland.

Controller for website, account, and business-contact data

paterhn GmbH Gotthardstrasse 26 6300 Zug Switzerland cmp@cmpliance.ai

2. What this policy covers

This policy explains how we process personal data in two roles.

Controller role. We act as controller for data about website visitors, subscribers, business contacts, account users, billing contacts, and people who contact us directly.

Processor role. We act as processor when customers submit personal data about their own clients, counterparties, beneficial owners, directors, signatories, employees, or other third parties for use in the Service. In that case, the customer is the controller and we process the data on the customer's instructions under the applicable customer agreement and Data Processing Agreement.

If your data was submitted to cmpliance.ai by one of our customers, please contact that customer first. They decide why and how that data is processed.

3. Data we collect as controller

Website visitors

When you visit cmpliance.ai, we may process:

  • IP address and approximate location derived from it
  • Browser and device information
  • Pages visited and time of visit
  • Referrer URL
  • Security and diagnostic logs

Purpose: operate, secure, troubleshoot, and improve the website. Legal basis: legitimate interests in operating and protecting the website.

Enquiries and contact forms

When you contact us, we process:

  • Name
  • Email address
  • Company name
  • Role or job title, if provided
  • Message content
  • Follow-up communication history

Purpose: respond to enquiries, manage business relationships, and follow up on requests. Legal basis: steps prior to entering a contract and legitimate interests in business communication.

Account users and subscribers

When an account is created or a person subscribes to communications, we may process:

  • Name and email address
  • Company and role
  • Account identifiers
  • Authentication and access metadata
  • Billing or subscription contact details
  • Communication preferences

Purpose: provide accounts, administer subscriptions, send service communications, and manage billing. Legal basis: performance of a contract, legal obligations, legitimate interests, and consent for optional marketing communications.

Platform usage data

When authorised users use the platform, we may process:

  • Login and session metadata
  • Feature usage and workflow activity
  • API call metadata
  • Error, audit, and security logs
  • Billing-relevant usage records

Purpose: operate, secure, support, audit, bill, and improve the Service. Legal basis: performance of a contract and legitimate interests in operating a reliable and secure service.

4. Customer-submitted data

Customers may submit personal data to the Service for compliance workflows. Depending on the customer's use case, this may include:

  • Business contact and account-user data
  • Company and counterparty information
  • Beneficial-owner, director, signatory, and related-party information
  • Identity, registry, ownership, and verification data
  • Screening, sanctions, PEP, adverse-media, risk, or diligence signals
  • Uploaded documents and extracted facts
  • Workflow decisions, reviewer notes, audit logs, and evidence records

Some customer-submitted data may include sensitive data, special-category data, or criminal-offence-related data if the customer chooses to submit it or configures workflows that require it. Customers are responsible for having the required legal basis, notices, and safeguards for that processing.

We process customer-submitted personal data as processor under the applicable customer agreement and DPA.

Synthetic, sandbox, pre-production, or evaluation workspaces are intended for synthetic or non-production data unless a written customer agreement and applicable data-processing terms expressly permit real production personal data or regulated KYC/AML data.

5. AI-assisted processing and automated decision-making

cmpliance.ai provides decision-support outputs. The Service may assist with extraction, classification, summarisation, risk analysis, evidence organisation, and workflow preparation.

Customers remain responsible for configuring appropriate human review and for deciding whether and how outputs are used. cmpliance.ai should not be used as the sole basis for legal, regulatory, financial, onboarding, rejection, employment, credit, or similarly significant decisions without appropriate human review and customer-controlled safeguards.

We do not use Customer Data to train public or foundation AI models.

6. Cookies

We use cookies and similar technologies on cmpliance.ai. See our Cookies Policy for the current list, purposes, and choices.

7. Who we share data with

We do not sell personal data.

We share personal data only where needed for the purposes described in this policy, including with:

  • Infrastructure, hosting, database, storage, workflow, and security providers
  • Authentication, email, payment, analytics, and customer-support providers where used
  • AI or model providers where required to provide configured Service features
  • Professional advisers under confidentiality obligations
  • Authorities, courts, or regulators where required by law

A public summary is available on the Subprocessors page. Specific processing details may vary by plan, region, feature, and signed customer agreement.

8. International transfers

We design our service architecture around Switzerland and the European Economic Area where practical for the relevant processing activity.

Some providers or support operations may involve processing or access from other countries. Where personal data is transferred to a country without an adequacy decision, we use appropriate safeguards such as Standard Contractual Clauses or equivalent protections under applicable Swiss and EU data protection law.

If we appoint an EU representative, data protection officer, or other formal privacy representative, we will publish the relevant contact details in this policy or provide them through the applicable customer agreement. A privacy contact address is not, by itself, a data protection officer appointment.

9. Data security

We apply technical and organisational measures appropriate to the nature of the data and the risk of processing. These measures include access controls, encryption in transit, cloud-provider encryption at rest where applicable, logging, monitoring, backup controls, vulnerability management, and internal access restrictions.

For details, see our Security page and Technical and Organisational Measures.

10. Retention

We retain personal data only for as long as needed for the purposes described in this policy, unless a longer retention period is required by law, contract, security, audit, dispute, or regulatory obligations.

Typical retention periods:

  • Enquiry data: up to 24 months after last contact
  • Account data: for the account term and a limited period after closure
  • Billing records: as required by Swiss accounting and tax law
  • Usage, audit, and security logs: according to operational, security, and customer-agreement requirements
  • Customer Data: according to the applicable customer agreement and DPA

Backup deletion may follow normal backup rotation schedules.

11. Your rights

Under GDPR and the Swiss nFADP, you may have rights to:

  • Access your personal data
  • Correct inaccurate or incomplete data
  • Request deletion
  • Restrict processing
  • Receive data portability where applicable
  • Object to processing based on legitimate interests
  • Withdraw consent where processing is based on consent

To exercise rights for data we control, contact cmp@cmpliance.ai.

If your data was submitted by one of our customers, please contact that customer first. We will assist the customer where required by the applicable DPA.

You may also complain to a competent supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC).

12. Children

cmpliance.ai is a business-to-business service and is not directed to children. We do not knowingly collect personal data from children.

13. Changes to this policy

We may update this policy from time to time. We will publish the updated version with a new "Last updated" date. For material changes affecting active customers, we will provide notice where required by the applicable customer agreement.

14. Contact

cmp@cmpliance.ai paterhn GmbH, Gotthardstrasse 26, 6300 Zug, Switzerland