Last updated: April 2026
The data controller responsible for data processing on this website is:
KI·SUM·AI - Kisum GmbH
Sonnwendjochstr. 6
81825 München, Germany
Email: info@compliancelint.com
We may collect the following categories of personal data:
203.0.113.x — never the full address), and the user-agent string. Email addresses and full IPs are scrubbed before storage.
We process your personal data based on the following legal grounds under GDPR:
Essential cookies (always on). This website uses strictly necessary cookies for authentication (the encrypted cl_session session cookie), CSRF protection, and to remember your cookie-consent decision so we don't prompt you twice. Under ePrivacy Directive Art. 5(3), consent is not required for strictly-necessary cookies. We do not use any advertising cookies, ever.
Analytics (opt-in only). On your first visit you will see a cookie consent banner. We will not load any analytics scripts or set any analytics cookies until you accept. If you accept analytics, we use PostHog (EU instance, eu.posthog.com) to record pageview and page-leave events. We have explicitly disabled PostHog's automatic click / form / URL-change capture (the autocapture feature) and session recording, so the data we collect is limited to which pages you visit and when. For anonymous visitors no person profile is created (person_profiles: ‘identified_only’). You can withdraw consent at any time by clicking “Cookie Preferences” in the footer or in your dashboard settings; once withdrawn, we call posthog.reset() to clear any cached identity.
Consent log. Every consent decision (Accept all / Reject all / Save preferences / Withdraw) is recorded in our consent_log table with a timestamp, the policy version you saw, an anonymous browser identifier, and a salted SHA-256 hash of your IP (we do not store the IP itself). This satisfies the accountability requirement under GDPR Art. 7(1) — the controller must be able to demonstrate that the data subject has consented.
Browser-side error tracking. Sentry (EU instance) captures uncaught exceptions on the dashboard so we can fix bugs. The browser-side SDK is gated on the same cookie-consent decision as PostHog: if you have not accepted analytics, the SDK loads but every event is dropped at the beforeSend stage before leaving your browser. Server-side error tracking continues to run under GDPR Art. 6(1)(f) legitimate interest (security & service reliability) regardless of cookie consent, because server logs do not involve cookies or browser tracking.
We rely on a small set of subprocessors for hosting, error tracking, analytics, transactional email, billing, and authentication. Each is contractually bound under GDPR Art. 28 to process personal data only on our documented instructions.
The current subprocessor list — including each subprocessor's purpose, processing region, and Chapter V GDPR transfer mechanism — is maintained at a stable URL: /legal/sub-processors. We will notify customers in writing of any new subprocessor before it processes personal data.
For international transfers outside the EEA, where applicable we rely on EU Standard Contractual Clauses, the EU–U.S. Data Privacy Framework, and supplementary safeguards as required by Chapter V GDPR.
We collect IP addresses and timestamps when you use our API to detect unauthorized account sharing and protect our service. This data is processed based on our legitimate interest in preventing abuse (Art. 6(1)(f) GDPR).
API usage data (IP address, timestamp, API key prefix) is retained for 30 days and automatically deleted thereafter. We never store your full API key in monitoring logs.
ComplianceLint processes limited error logs, audit logs, and diagnostic metadata to operate, secure, debug, and evidence use of the Service. Application-generated logs are stored primarily on EU-hosted infrastructure operated by KI·SUM·AI - Kisum GmbH and its hosting provider, Hetzner, in Germany. Where applicable, we also use the subprocessors listed in §5 (most relevantly Sentry EU for supplemental error tracking).
What logs may include. Depending on the event, logs may include: timestamp, account or user identifier, workspace identifier, event type, affected feature, a truncated IP prefix (consisting of the first three octets only; the final octet is replaced with zero), user-agent string, request route, error ID, stack-trace metadata, and billing-event identifiers. We do not intentionally log customer source code, secrets, request bodies, uploaded files, or customer production datasets. We apply redaction and minimisation controls designed to prevent sensitive content from being stored in diagnostic logs. Customers should not submit secrets, personal data, or confidential customer information in bug reports, screenshots, issue descriptions, or support messages unless specifically requested through a secure support channel.
Legal basis (Art. 13(1)(c) GDPR). We process error logs under Art. 6(1)(f) GDPR (legitimate interest in service security, integrity, and operational reliability). We process audit logs under Art. 6(1)(c) GDPR (compliance with legal obligations under § 257 HGB, § 147 AO, and EU AI Act audit-trail requirements) combined with Art. 6(1)(f) GDPR for IT-security purposes. You may object to processing based on legitimate interest under Art. 21 GDPR; we will assess your objection against the overriding legitimate interest of system security.
Retention. Error logs are retained in active systems for up to 90 days, unless a shorter retention period is configured for self-hosted deployments. Audit logs are retained in active systems for up to 365 days where needed for account security, access review, customer-requested evidence exports, incident investigation, billing integrity, fraud prevention, compliance documentation, or legal claims. Audit logs are supporting evidence only and do not replace the customer's own legal, security, or compliance records.
Right to erasure — statutory exceptions. When you exercise your right to erasure under Art. 17 GDPR, we delete error_logs and the personal-identifier components of audit_logs tied to your user ID from active application databases in the same transaction as the account deletion. Where audit log entries form part of statutory commercial or tax records — in particular billing events that fall under § 257 HGB (commercial books and records, 6 years), § 147 AO (tax records, 10 years), and § 14b UStG (invoices, 10 years) — we retain those entries in pseudonymised form for the statutory retention period as permitted by Art. 17(3)(b) GDPR. After the statutory period elapses, those entries are deleted by the same daily sweep. Backup copies and immutable security records expire according to our backup and security-retention schedules and are not used for ordinary production access.
Sources. Log data may be collected from your use of ComplianceLint, your browser or API client, your workspace administrators, customer support communications, GitHub issue submissions, MCP bug-report bundles, transactional email systems, and payment or billing providers where relevant.
Encryption at rest. Application data (the SQLite database holding your account, repositories, scans, findings, evidence references, audit logs, and consent records) is stored on a LUKS2-encrypted ext4 volume on our Hetzner server (cipher AES-XTS-Plain64, 512-bit key). The master passphrase is held only by the founder and is not auto-loaded at boot, so a recovered or decommissioned disk would yield only ciphertext. Encryption in transit is provided by HTTPS (TLS 1.2+ via Caddy).
Access. Logs are accessible only to authorised personnel with a need to know for operations, security, support, billing, compliance, or incident response. Access is protected by authentication, role-based access controls, and internal access-review procedures.
Automated decision-making (Art. 22 GDPR). We do not use error logs or audit logs to make decisions based solely on automated processing that produce legal or similarly significant effects on individuals within the meaning of Art. 22 GDPR. The ComplianceLint scanner produces automated compliance assessments of your software project; these are produced by deterministic rule engines (not machine-learning models), are advisory and informational, do not replace human review by your compliance, legal, or product teams, and are accompanied by full source citations to EUR-Lex so each finding can be verified and overridden. You retain the right under Art. 22(3) GDPR to obtain human intervention, express your point of view, and contest any assessment by emailing support@compliancelint.dev.
Supervisory authority. You may lodge a complaint with the competent data protection supervisory authority. For KI·SUM·AI - Kisum GmbH (registered in Munich), the competent authority is generally the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, www.lda.bayern.de, unless another supervisory authority is competent.
Data Processing Agreement. Customers acting as data controller are covered by our pre-executed Data Processing Agreement (Art. 28 GDPR) available at /legal/dpa — this DPA is deemed accepted by the customer on signup. A counter-signed PDF copy can be requested by emailing info@compliancelint.com.
Under GDPR, you have the following rights:
To exercise these rights, contact us at info@compliancelint.com.
For any privacy-related questions, please contact us at: info@compliancelint.com