Last updated: May 2026 (v2)
The data controller responsible for data processing on this website is:
KI·SUM·AI - Kisum GmbH
Sonnwendjochstr. 6
81825 München, Germany
Email: info@compliancelint.com
We may collect the following categories of personal data:
203.0.113.x — never the full address), and the user-agent string. Email addresses and full IPs are scrubbed before storage.
We process your personal data based on the following legal grounds under GDPR:
Essential cookies (always on). This website uses strictly necessary cookies for authentication (the encrypted cl_session session cookie), CSRF protection, and to remember your cookie-consent decision so we don't prompt you twice. Under ePrivacy Directive Art. 5(3), consent is not required for strictly-necessary cookies. We do not use any advertising cookies, ever.
Analytics (opt-in only). On your first visit you will see a cookie consent banner. Analytics scripts and cookies are not loaded until you accept. If you accept analytics, we use PostHog (EU instance, eu.posthog.com) to record pageview and page-leave events. Automatic click, form and URL-change capture as well as session recording are disabled. For visitors who have accepted analytics, a pseudonymous browser profile (UUID + GeoIP-derived country code) is created to enable reach and retention analytics; no name, email or IP address is stored in this profile. Consent can be withdrawn at any time via “Cookie Preferences” in the footer or in dashboard settings.
Consent log. Every consent decision is recorded with a timestamp, the policy version, a pseudonymous browser identifier and a salted hash of the IP address (not the IP itself), as required by Art. 7(1) GDPR accountability.
Error tracking. Sentry (EU instance) captures uncaught exceptions to enable bug-fixing. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in network and information security, Recital 49). Data minimisation: IP, cookies, headers, performance spans and session replay are not transmitted; email addresses and IP addresses are scrubbed from breadcrumbs and events before transmission.
Optional MCP scanner telemetry (opt-in). The MCP scanner (the BSL source-available CLI tool you install via npx compliancelint init) runs on your own machine and is silent by default: no telemetry leaves your machine unless you explicitly opt in. Opt-in is a single parameter on cl_connect: cl_connect(project_path, enable_telemetry=true). Opt-out is the symmetric enable_telemetry=false (or running cl_disconnect, which also wipes the per-user-machine telemetry config at ~/.compliancelint/sentry.json).
When enabled, the scanner ships only uncaught Python exceptions to a separate Sentry project (kisum-gmbh-2e / compliancelint-mcp, EU instance), with aggressive minimisation: send_default_pii=false (no hostname, username, IP, or environment auto-attached); traces_sample_rate=0 (no performance spans); 25% sampling (one event in four is transmitted); home-directory prefix in stack-trace paths replaced with the literal <home> sentinel; email and IPv4 patterns scrubbed from messages and breadcrumbs; and 12 categories of environmental noise dropped at the source (FileNotFoundError, PermissionError, UnicodeDecodeError, git subprocess CalledProcessError, SSL/TLS errors, KeyboardInterrupt, BrokenPipeError, and filesystem variants) so we only see events that look like actual ComplianceLint defects.
Legal basis: Art. 6(1)(a) GDPR (consent — explicit opt-in via enable_telemetry=true), with Art. 6(1)(f) GDPR as a fallback characterisation (legitimate interest in fixing bugs that affect users, Recital 47). Tier-independent — error tracking is provided to all users regardless of plan, because fixing bugs is our responsibility regardless of which tier you are on.
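As an added illustration (not ComplianceLint's own code, which the page does not show), the Python sketch below implements the minimisation steps described above as a Sentry before_send hook: the listed noise exception types are dropped, the home-directory prefix in stack-trace paths is replaced with the literal <home> sentinel, and e-mail and IPv4 patterns are masked in messages, exception values and breadcrumbs. The regexes, the home parameter, the [email]/[ipv4] replacement tokens and the configure() helper are assumptions made for this example.

```python
import os
import re

HOME_SENTINEL = "<home>"
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Exception types dropped as environmental noise (assumption: the page's 12
# categories are represented here by base class names only).
NOISE_TYPES = frozenset({"FileNotFoundError", "PermissionError", "UnicodeDecodeError",
                         "CalledProcessError", "SSLError", "KeyboardInterrupt", "BrokenPipeError"})

def scrub_text(text, home="/home/alice"):
    """Replace the home prefix with <home>, then mask e-mail and IPv4 patterns."""
    text = text.replace(home, HOME_SENTINEL)
    text = EMAIL_RE.sub("[email]", text)
    return IPV4_RE.sub("[ipv4]", text)

def _scrub_key(obj, key, home):
    # Scrub obj[key] in place only when it is present and a string.
    if isinstance(obj.get(key), str):
        obj[key] = scrub_text(obj[key], home)

def is_noise(event):
    """True when any exception in the event belongs to a dropped category."""
    values = event.get("exception", {}).get("values", [])
    return any(exc.get("type") in NOISE_TYPES for exc in values)

def before_send(event, hint, home="/home/alice"):
    """Sentry before_send hook: return None to drop the event, else the scrubbed event."""
    if is_noise(event):
        return None
    _scrub_key(event, "message", home)
    for exc in event.get("exception", {}).get("values", []):
        _scrub_key(exc, "value", home)
        for frame in exc.get("stacktrace", {}).get("frames", []):
            _scrub_key(frame, "abs_path", home)
    for crumb in event.get("breadcrumbs", {}).get("values", []):
        _scrub_key(crumb, "message", home)
    return event

def configure(dsn):
    """Wire the hook into the SDK with the minimisation settings the page lists."""
    import sentry_sdk  # assumption: imported lazily so the scrubber is testable without it
    home = os.path.expanduser("~")
    sentry_sdk.init(dsn=dsn, send_default_pii=False, traces_sample_rate=0,
                    sample_rate=0.25,  # one event in four is transmitted
                    before_send=lambda event, hint: before_send(event, hint, home))
```

Note that SDK-side sampling happens before the hook runs, so the 25% rate and the scrubbing compose without further code.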
We rely on a small set of subprocessors for hosting, error tracking, analytics, transactional email, billing, and authentication. Each is contractually bound under GDPR Art. 28 to process personal data only on our documented instructions.
The current subprocessor list — including each subprocessor's purpose, processing region, and Chapter V GDPR transfer mechanism — is maintained at a stable URL: /legal/sub-processors. We will notify customers in writing of any new subprocessor before it processes personal data.
For international transfers outside the EEA, where applicable we rely on EU Standard Contractual Clauses, the EU–U.S. Data Privacy Framework, and supplementary safeguards as required by Chapter V GDPR.
When you use our API, we collect IP addresses and timestamps to detect unauthorized account sharing and protect our service. This data is processed based on our legitimate interest in preventing abuse (Art. 6(1)(f) GDPR).
API usage data (IP address, timestamp, API key prefix) is retained for 30 days and automatically deleted thereafter. We never store your full API key in monitoring logs.
ComplianceLint processes limited error logs, audit logs, and diagnostic metadata to operate, secure, debug, and evidence use of the Service. Application-generated logs are stored primarily on EU-hosted infrastructure operated by KI·SUM·AI - Kisum GmbH and its hosting provider, Hetzner, in Germany. Where applicable, we also use the subprocessors listed in §5 (most relevantly Sentry EU for supplemental error tracking).
Log contents. Logs may include: timestamp, account or user identifier, event type, affected feature, a truncated IP prefix (final octet zeroed), user-agent string, request route, error ID, stack-trace metadata and billing-event identifiers. Customer source code, secrets, request bodies, uploaded files and production datasets are not logged.
Legal basis. Error and audit logs are processed under Art. 6(1)(f) GDPR (legitimate interest in service security, integrity, and operational reliability). Insofar as log entries form part of records subject to statutory retention obligations, the corresponding processing is also based on Art. 6(1)(c) GDPR. The applicable statutory retention rules are set out in the Data Processing Agreement at /legal/dpa § 13.
Retention. Error logs: up to 90 days. Audit logs: up to 365 days for security, customer evidence exports, billing integrity and legal claims. Where log entries are subject to statutory retention (commercial / tax law), such entries are stored access-restricted for the statutory period as permitted by Art. 17(3)(b) GDPR and deleted afterwards.
Security. Application data is encrypted at rest on EU-hosted infrastructure (Hetzner DE) and in transit via TLS. Access is restricted to authorised personnel under role-based access control.
Automated decisions. We do not make automated decisions about natural persons that produce legal or similarly significant effects within the meaning of Art. 22 GDPR.
Supervisory authority. You may lodge a complaint with the competent data protection supervisory authority, in particular the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), www.lda.bayern.de.
Data Processing Agreement. Customers acting as data controller are covered by our pre-executed Data Processing Agreement (Art. 28 GDPR) at /legal/dpa, accepted on signup. A counter-signed PDF copy is available on request via info@compliancelint.com.
Under GDPR, you have the following rights:
To exercise these rights, contact us at info@compliancelint.com.
For any privacy-related questions, please contact us at: info@compliancelint.com