ComplyOS is a service of SevenBelow, LLC (“SevenBelow,” “we,” “us,” or “our”), a California limited liability company. This Privacy Policy describes how we collect, use, disclose, and protect personal information in connection with the SevenBelow website (sevenbelow.com), the ComplyOS platform, and related services (collectively, the “Services”).
By using the Services, you agree to this Privacy Policy. If you do not agree, do not use the Services.
1. Summary
| Topic | Summary |
|---|---|
| What we collect | Account info (name, email), platform usage data, content uploaded by your organization, billing metadata |
| Why | Provide the Services, process payments, security, legal compliance, product improvement |
| Sharing | With sub-processors who help operate the Services. We do not sell or share personal information for cross-context behavioral advertising. |
| AI training | We do not use customer data to train AI models. Our AI sub-processors are contractually prohibited from doing so. |
| Your rights | Access, deletion, correction, portability, opt-out (varies by jurisdiction) |
| Contact | privacy@sevenbelow.com |
| Retention | Account: until termination + 30 days; backups: +35 days; platform audit logs: 7 years |
2. Who We Are
SevenBelow, LLC
166 Geary Street, STE 1500 #1585
San Francisco, CA 94108
privacy@sevenbelow.com
ComplyOS is a B2B compliance platform serving organizations and their authorized users (employees, vCISOs, fractional compliance officers, auditors). We currently operate the Services for customers in the United States.
3. Our Roles: Controller and Processor
- We act as a Controller of personal information when we determine the purposes and means of processing — for example, account registration data, billing metadata, marketing communications, and our own employee data.
- We act as a Processor when we process personal information on behalf of a customer organization — for example, content, evidence, policies, risk registers, vendor data, and any personal information contained therein that an authorized user uploads to a customer’s tenant. The customer organization is the Controller of that content. Requests concerning content within a customer’s tenant should be directed to that customer organization. SevenBelow will assist the Controller in fulfilling such requests.
4. Information We Collect
4.1 Information you provide directly
- Account information: name, email address.
- Authentication: password (stored as a one-way hash via Clerk) or SSO identity (via Clerk-supported identity providers).
- Billing information: company name, billing email, tax ID (where applicable). Payment card data is collected and processed directly by Stripe; full card numbers never reach our systems and we do not store them. We retain only the Stripe customer ID and the limited card metadata Stripe returns to us (last four digits, card brand, and issuing country; see Section 4.3).
- Customer content: documents, policies, SOPs, evidence files, risk registers, vendor records, audit artifacts, and other materials uploaded to a tenant. May contain personal information of the customer’s employees, vendors, or other data subjects.
- Support communications: email correspondence sent to support@sevenbelow.com, privacy@sevenbelow.com, dmca@sevenbelow.com, or other channels we offer.
- Waitlist and marketing inquiries: email address and any information you voluntarily provide.
4.2 Information collected automatically
- Device and connection data: IP address, user agent, browser type, operating system, device identifiers, referring URL, language preference.
- Usage data: pages viewed, features used, click events, session duration, error events, and similar product analytics events.
- Cookies and similar technologies: see Section 11.
- Logs: request logs, application logs, security logs, and platform audit logs (records of user actions inside ComplyOS, e.g., document approvals, control state changes, evidence uploads).
4.3 Information from third parties
- Identity providers: if you sign in via SSO, we receive identity assertions (e.g., email, name, organization) from your identity provider through Clerk.
- Payment processor: Stripe provides us with billing status, payment success/failure, and limited card metadata (last four, brand, country).
- CRM / sales tools: we may receive professional contact information from public sources or business contact databases for B2B sales outreach.
4.4 Special categories and prohibited data
The Services are not designed to receive Protected Health Information (PHI) under HIPAA, cardholder data subject to PCI-DSS, classified information, export-controlled technical data, biometric identifiers, or children’s personal information. Customers are contractually prohibited from uploading such data unless and until SevenBelow has executed an applicable agreement (e.g., a Business Associate Agreement) authorizing such use. See Section 14.
5. How We Use Information
We use personal information for the following purposes and lawful bases:
| Purpose | Lawful Basis (GDPR / equivalent) |
|---|---|
| Provide, operate, secure, and maintain the Services | Performance of contract |
| Authenticate users, manage access, prevent abuse | Legitimate interests; legal obligation |
| Process billing and collect payments | Performance of contract |
| Communicate about the Services (transactional emails, security alerts, policy updates) | Performance of contract; legitimate interests |
| Provide customer support | Performance of contract; legitimate interests |
| Improve the Services through analytics and product research | Legitimate interests |
| Detect, investigate, and respond to security incidents and abuse | Legitimate interests; legal obligation |
| Maintain platform audit logs to support customers’ compliance programs and our own SOC 2 / ISO 27001 obligations | Legitimate interests; legal obligation |
| Comply with legal, regulatory, and contractual obligations | Legal obligation |
| Send marketing communications (only if you have opted in) | Consent |
We do not use customer content to train, fine-tune, or improve any AI or machine learning model, and we contractually require our AI sub-processors not to do so.
6. Sub-processors and Service Providers
We engage sub-processors to operate the Services. A current list is maintained at /legal/subprocessors. We require each sub-processor to maintain appropriate technical and organizational measures, to process personal information only as instructed, and to refrain from using customer content for AI model training.
7. How We Share Information
We share personal information only as follows:
- With sub-processors described in Section 6 to operate the Services.
- With your organization if you are an end user accessing ComplyOS through a customer organization, including with administrators of that organization.
- In a corporate transaction (merger, acquisition, financing, asset sale, or similar). We will provide notice and require the recipient to honor this Privacy Policy.
- For legal reasons when we believe disclosure is required or appropriate to comply with applicable law, legal process, or government requests; to enforce our agreements; to protect the rights, property, safety, or security of SevenBelow, our customers, or others; or to detect and prevent fraud or abuse.
- With your consent for any other purpose disclosed at the time of collection.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not deploy advertising pixels (such as Meta Pixel, LinkedIn Insight Tag, or Google Ads remarketing tags) on the Services as of the Effective Date. If this changes, we will update this Privacy Policy and provide opt-out mechanisms required by applicable law.
8. International Data Transfers
The Services are hosted in the United States. If you access the Services from outside the United States, your information will be transferred to, stored, and processed in the United States and other jurisdictions where we or our sub-processors operate.
For transfers from the European Economic Area, United Kingdom, or Switzerland, we rely on appropriate safeguards including the European Commission’s Standard Contractual Clauses or the UK International Data Transfer Addendum, as applicable, in our agreements with sub-processors.
We do not currently market the Services to or solicit customers from the European Economic Area or the United Kingdom. Visitors from those regions who voluntarily provide personal information (for example, by joining our waitlist) are nevertheless afforded the rights described in Section 10.
9. Data Retention
| Data Type | Retention |
|---|---|
| Account information (active) | Duration of customer relationship |
| Account information (after termination) | 30-day data export window, then deleted from active systems |
| Customer content (after termination) | 30-day export window, then deleted from active systems |
| Backups | Rolling 35-day window; data deleted from active systems ages out of backups within 35 days of that deletion as older backups are overwritten |
| Request logs (web/API access logs) | 14 months |
| Security logs | 12 months |
| Platform audit logs | 7 years (to support customer compliance obligations and SevenBelow’s own audit requirements) |
| Marketing list (cold leads) | 24 months from last engagement, then deleted |
| Marketing list (newsletter subscribers) | Until you unsubscribe |
| Support communications | 3 years from resolution |
| Billing records | 7 years (tax and accounting requirements) |
We may retain certain information longer where required to comply with legal obligations, resolve disputes, enforce agreements, or as otherwise permitted by law.
10. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Right to know / access the personal information we hold about you.
- Right to delete your personal information, subject to lawful exceptions (for example, audit logs retained for compliance obligations).
- Right to correct inaccurate personal information.
- Right to data portability.
- Right to opt out of marketing communications.
- Right to non-discrimination for exercising your privacy rights (California).
- Right to opt out of “sale” or “sharing” of personal information (California). We do not sell or share personal information.
- Right to limit use of sensitive personal information (California). We do not use sensitive personal information beyond what is necessary to provide the Services.
- Right to object to or restrict processing (EEA, UK).
- Right to lodge a complaint with a supervisory authority (EEA, UK) or your state attorney general.
To exercise these rights, contact privacy@sevenbelow.com. We will respond within 30 days (or as required by applicable law). We may need to verify your identity before fulfilling certain requests.
If you are an end user accessing ComplyOS through your employer or another organization, that organization is the Controller of content within its tenant. Direct content-related requests to your organization. We will assist the organization in responding.
You may designate an authorized agent to make requests on your behalf, subject to verification.
11. Cookies and Similar Technologies
We use cookies and similar technologies for:
- Strictly necessary purposes: authentication, session management, security, load balancing.
- Analytics: to understand how visitors use the Services and improve them.
We do not use advertising or cross-site tracking cookies as of the Effective Date.
You can manage cookies through your browser settings. Where required by applicable law (for example, in the EEA and UK), we will obtain your consent for non-essential cookies through a cookie banner.
We honor browser-level Global Privacy Control (GPC) signals (sent by the browser as the `Sec-GPC` request header) as opt-out preference signals where applicable law recognizes them. We do not currently respond to “Do Not Track” (DNT) browser signals because no common industry standard for interpreting DNT has been adopted.
12. Security
We implement administrative, technical, and physical safeguards designed to protect personal information, including:
- TLS 1.2 or higher in transit; AES-256 encryption at rest.
- Tenant isolation enforced at both the application layer and the database layer (PostgreSQL row-level security, with composite foreign keys so that a record in one tenant cannot reference a record in another tenant).
- Role-based access controls and principle of least privilege.
- Authentication via Clerk, including support for SSO and multi-factor authentication.
- Centralized audit logging.
- Annual third-party penetration testing (commencing prior to general availability).
- Security incident response procedures.
No method of transmission or storage is 100% secure. We cannot guarantee absolute security.
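The tenant-isolation pattern named in the list above (PostgreSQL row-level security combined with composite foreign keys) is illustrated below. This is an added example written by the editor, not SevenBelow’s schema or code; the table names, the `app.tenant_id` session setting, and the sample UUIDs are assumptions chosen for illustration.

```sql
-- Added illustration (not ComplyOS's actual schema): tenant isolation with
-- PostgreSQL row-level security (RLS) plus composite foreign keys.
-- Table names, the app.tenant_id setting and the UUIDs below are assumed.

CREATE TABLE tenants (
    id uuid PRIMARY KEY
);

CREATE TABLE documents (
    id        uuid NOT NULL,
    tenant_id uuid NOT NULL REFERENCES tenants (id),
    title     text NOT NULL,
    PRIMARY KEY (id),
    UNIQUE (tenant_id, id)          -- referenced by the composite FK below
);

CREATE TABLE evidence (
    id          uuid NOT NULL,
    tenant_id   uuid NOT NULL REFERENCES tenants (id),
    document_id uuid NOT NULL,
    object_key  text NOT NULL,
    PRIMARY KEY (id),
    -- Composite FK: an evidence row can only point at a document that
    -- carries the SAME tenant_id. A cross-tenant reference is rejected by
    -- the database even if the application layer gets its tenant check wrong.
    FOREIGN KEY (tenant_id, document_id) REFERENCES documents (tenant_id, id)
);

-- Enable RLS; FORCE makes the policies apply even to the table owner.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;
ALTER TABLE evidence  ENABLE ROW LEVEL SECURITY;
ALTER TABLE evidence  FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) returns NULL when the setting is absent, so a
-- connection that never pinned a tenant sees NO rows rather than ALL rows.
-- USING filters reads; WITH CHECK also blocks writes into another tenant.
CREATE POLICY tenant_isolation ON documents
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

CREATE POLICY tenant_isolation ON evidence
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Per request, the application pins the session to the caller's tenant.
-- SET LOCAL is transaction-scoped, so a pooled connection cannot carry the
-- previous request's tenant into the next one.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

SELECT id, title FROM documents;   -- returns only this tenant's documents

-- Rejected by the WITH CHECK clause: the row's tenant_id does not match the
-- session tenant, so a bug that forgot to scope the INSERT still cannot
-- write into another tenant.
INSERT INTO documents (id, tenant_id, title)
VALUES (gen_random_uuid(), '22222222-2222-2222-2222-222222222222', 'smuggled');
ROLLBACK;
```

Two practical caveats when applying this pattern: RLS is not enforced for superusers or for roles created with `BYPASSRLS`, so the application must connect as an ordinary role; and because the policy compares against a session setting, the code path that issues `SET LOCAL app.tenant_id` has to run on every request, ideally in one central middleware rather than per query.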
13. Data Breach Notification
If we become aware of a breach of personal information that creates a risk of harm, we will notify affected customers and applicable supervisory authorities within 72 hours of confirming the breach, consistent with GDPR Article 33 timelines, regardless of whether GDPR strictly applies.
14. Prohibited Data — Customer Responsibilities (CUEC)
The Services are not authorized to receive the following data types unless SevenBelow has executed an applicable agreement (e.g., a Business Associate Agreement under HIPAA):
- Protected Health Information (PHI) under HIPAA.
- Cardholder Data subject to PCI-DSS.
- Classified or controlled unclassified information.
- Information subject to U.S. export controls (ITAR, EAR) beyond commercial business information.
- Children’s personal information (see Section 15).
- Biometric identifiers.
Customers are responsible for:
- Classifying data prior to upload.
- Training authorized users on prohibited data types.
- Monitoring uploads to detect and remediate inadvertent disclosure.
- Notifying SevenBelow promptly if prohibited data is uploaded.
These obligations are documented as Complementary User Entity Controls (CUECs) and are also imposed under the Terms of Service.
15. Children’s Privacy
The Services are intended for business use and are not directed to individuals under 18. We do not knowingly collect personal information from individuals under 18. If we learn we have collected such information, we will delete it. If you believe we have collected information from a minor, contact privacy@sevenbelow.com.
16. AI and Machine Learning
ComplyOS uses AI services (currently Anthropic and OpenAI) to power features such as content drafting, analysis, and recommendations. We do not use customer content to train, fine-tune, or improve AI models. We have configured our AI sub-processors so that they do not use customer data for model training.
17. Beta Notice
Until ComplyOS reaches general availability, the Services are provided in beta. During the beta period:
- Features may change, be removed, or contain defects.
- Data loss is possible. We strongly recommend you maintain your own backups of critical content.
- We provide no service-level commitments.
- We are not yet SOC 2 or ISO 27001 certified. Statements about future certifications are forward-looking and not guarantees.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will post the updated policy on sevenbelow.com and update the “Last Updated” date. For material changes, we will provide reasonable advance notice (at least 30 days) by email or in-product notice and, where required, obtain your consent.
19. Contact
Privacy inquiries: privacy@sevenbelow.com
Mail: SevenBelow, LLC, 166 Geary Street, STE 1500 #1585, San Francisco, CA 94108
This Privacy Policy is published as version 1.0 and is subject to ongoing legal review. For questions or concerns, contact privacy@sevenbelow.com.
