This policy explains how Compamin handles account, security, and workspace data, how responsibilities are shared between the service operator and each workspace owner, and what GDPR rights and safeguards apply.
Compamin processes personal data both as a service provider and, depending on the setup, as a processor for the company workspace operator. The organisation operating the public Compamin service acts as controller for website, account, security, and billing-related processing tied to the product itself.
Each customer or workspace owner may separately act as controller for the company records they enter into the platform, including shareholder, board, invitation, and document data. That means the workspace owner is responsible for giving lawful instructions, handling data-subject requests for workspace data, and ensuring uploaded content can legally be processed.
We process account and identity data such as name, email address, password hash, session identifiers, verification status, and authentication metadata needed to secure access.
We also process company workspace data entered by authorised users, which can include company profile details, shareholder records, board meeting materials, invitations, uploaded document metadata, transaction records, and audit-log events that link actions to users and timestamps.
Technical and security data may include IP address, browser details, user agent, device-level session information, and cookie or consent preferences when needed for sign-in, security, and traceability.
We process data to create and maintain user accounts, verify email ownership, authenticate users, maintain company records, support governance workflows, keep audit trails, prevent misuse, and operate the service securely. The usual legal bases are contract performance under Article 6(1)(b), legitimate interests under Article 6(1)(f), and legal-obligation processing under Article 6(1)(c) where retention or compliance duties apply.
Optional analytics or marketing technologies, if enabled in the future, should only be used on the basis of consent under Article 6(1)(a). Those categories remain off unless the visitor makes an affirmative choice.
Personal data may be processed by infrastructure and subprocessor providers used to host the application, deliver email, store data, and secure the service. These recipients are limited to what is necessary to provide the service and should be governed by data processing agreements and confidentiality obligations.
Authorised workspace members will see only the information permitted by their role and the company context they belong to. Internal access should be restricted according to least-privilege principles and reviewed periodically.
If personal data is transferred outside the EEA or the UK, the transfer should rely on an approved safeguard such as an adequacy decision, the EU Standard Contractual Clauses, or another recognised transfer mechanism. The controller operating the workspace remains responsible for documenting those safeguards when required.
Account, audit, and workspace data is retained for as long as the account or customer relationship remains active and for any additional period reasonably necessary to resolve disputes, maintain evidence of decisions, enforce agreements, and satisfy legal, tax, accounting, or security obligations.
Email verification tokens are short-lived and automatically expire. Cookie-preference records are stored for up to 12 months before they should be reviewed or refreshed.
Subject to applicable law, individuals may have the right to request access, rectification, erasure, restriction, objection, portability, and withdrawal of consent where consent is the legal basis. They may also have the right to complain to the competent supervisory authority.
Requests concerning workspace content should normally be handled by the organisation that operates the relevant Compamin workspace, because that organisation determines why the data was entered. Requests about the core Compamin service, website, account verification, or service-level security logs should be directed to the service operator.
Compamin uses password hashing, role-based access control, email verification, session protection, and audit logging to reduce the risk of unauthorised access and to make material changes traceable. Administrative access should be limited and reviewed regularly.
Controllers using Compamin remain responsible for ensuring that uploaded documents, shareholder records, and governance data are accurate, relevant, and lawfully processed. They should also maintain internal retention routines and privacy contact channels for their own workspace users.
The controller should publish a working privacy contact address in customer-facing materials or service agreements. If you operate Compamin for your own company, ensure users can easily see who to contact for privacy requests.
This policy should be reviewed whenever the product adds new processors, analytics, cross-border transfers, or materially different categories of personal data.