
ComPilot Privacy Policy

Effective as of 01/10/2024

Who we are

“Data controllers” are the people or organisations that determine the purposes for which, and the manner in which, any Personal Data is processed, and make independent decisions in relation to the Personal Data and/or who/which otherwise control that Personal Data.

For the purposes of the EU GDPR (the “GDPR”), the Company is the data controller with regard to the Personal Data described in this Privacy Policy. The Company’s mission is to empower compliance professionals and businesses to navigate global regulations with ease, offering intelligent, adaptive solutions that turn compliance into a strategic advantage. It specializes in automating Anti-Money Laundering (AML) processes, Know-Your-Customer (KYC), Know-Your-Business (KYB), and Know-Your-Transaction (KYT) checks. ComPilot's platform integrates tools like wallet screening, fraud detection, and customizable compliance workflows, designed to ensure regulatory compliance within the cryptocurrency ecosystem. With privacy-preserving KYC solutions and real-time analytics, ComPilot helps businesses streamline compliance tasks, reduce manual effort, and adapt to evolving regulations.

The company has outsourced the function of the Data Protection Officer to XpertDPO Ltd.

Our Data Protection Officer can be contacted as follows:

  • Phone: +353 1 678 8997
  • Email: DPO@compilot.ai
  • Postal Address:
    XpertDPO Ltd.,
    6 Mount Street Upper,
    Dublin, D02 FV44, Ireland

Purpose and Scope of this Policy

The purpose of this Privacy Policy is to provide you, as our data subject, with a statement regarding the Data Protection and Privacy practices and obligations of the Company and an explanation of your rights under applicable data protection laws.

This Privacy Policy applies to our business practices, including the use of our website, accessible at https://copilot.ai, and the services we provide. While the Company is established in France and falls under the jurisdiction of Commission Nationale de l’Informatique et des Libertés (CNIL), this policy also addresses our obligations under the EU GDPR.

We may collect and process Personal Data related to your use of our services and platform. Please note that external websites linked from our platform have independent privacy policies, for which we are not responsible.

Laws that apply to us:

The Company complies with the following data protection and privacy laws:

  • General Data Protection Regulation (EU) 2016/679.
  • French Act No. 2018-493 of 20 June 2018 and related regulations.
  • Privacy and Electronic Communications Regulations (PECR) 2003, implementing the EU ePrivacy Directive (Directive 2002/58/EC) on privacy and electronic communications, also known as the ePrivacy Directive (ePD).

This ensures our services adhere to EU data protection requirements.

Why and how do we ensure compliance?

Data protection and privacy laws grant individuals rights concerning the use of their Personal Data. As an organisation, the Company is legally bound by the EU GDPR to comply with these laws when collecting, storing, and using Personal Data.

Beyond legal obligations, we ensure compliance to maintain your trust and protect our reputation. We demonstrate accountability through written policies, privacy-by-design principles in our systems, regular internal audits, and prompt action when non-compliance is identified. We also keep detailed records of our data processing activities to ensure transparency and control.

Who must comply?

  • All representatives of the Company, including employees, contractors, and third-party service providers, must comply with our Data Protection Policies and Procedures when processing Personal Data on our behalf. This ensures that everyone handling Personal Data is aware of their responsibilities under applicable data protection laws.

What Are the Data Protection Principles and Rules?

We adhere to the following principles outlined in data protection law:

  • Lawfulness, fairness, and transparency: Personal Data must be processed lawfully, fairly, and transparently.
  • Purpose limitation: Personal Data must be collected for specified, legitimate purposes and not further processed in an incompatible manner.
  • Data minimisation: Personal Data must be relevant and limited to what is necessary for the purposes for which it is processed.
  • Accuracy: Personal Data must be accurate and, where necessary, updated.
  • Retention: Personal Data must not be retained longer than necessary.
  • Integrity and confidentiality: Personal Data must be processed securely.
  • Accountability: We must not only comply with these principles but also demonstrate compliance through documented policies, audits, and records of decisions.

What is personal data?

Personal Data is any information that can directly or indirectly identify you, such as your name, email address, or IP address, collected by the Company. It does not include anonymised data where your identity has been completely removed.

Any Personal Data you provide is handled with strict security measures, including encryption and access controls, in accordance with the French Act No. 2018-493 of 20 June 2018 and the EU GDPR. This ensures your data is treated with the highest levels of confidentiality and protection.

What personal data do we process?

We may collect and process the following categories of Personal Data:

  • Personal Details:
    • Name, title, email address, physical address, phone numbers, and date of birth.
  • Professional Data:
    • Commercial or professional information, such as company/university name, address, job title, and contact details.
  • Financial Data:
    • Payment information, such as credit card details (handled securely).
  • Social Media Data:
    • Data from social media platforms (e.g., profile information, comments, direct messages, and activity).
  • Technical Data:
    • IP address, operating system, browser type/version, time zone, location, and usage data (via Cookies and similar tools).
  • Communication Data:
    • Any data shared through email, text, or other electronic communications.

Special Category Data

We do not collect or process Special Category Data as defined under the EU GDPR. This includes data concerning health, racial or ethnic origin, political opinions, religious beliefs, or data regarding a person’s sex life or sexual orientation.

Children’s Data

Our services are not directed at children under the age of 18. We do not knowingly collect data from children or provide services to them.

Criminal Convictions / Offence Data

The Company may process information related to criminal convictions and offences as part of its regulatory compliance services, including Anti-Money Laundering (AML) and Know-Your-Customer (KYC) checks. This data is processed in accordance with applicable laws and is strictly limited to ensuring compliance with regulatory obligations.

Aggregated Data

We collect statistical and analytical information, such as demographic and usage data, on an aggregated basis from all visitors to our website. This information is not considered personal data because it does not directly or indirectly identify you. However, if we combine Aggregated Data with any of your personal data in a way that could identify you, we treat the combined data as personal data and apply the same protections outlined in this Privacy Policy.

How and why we use your data

Below is a consolidated table of activities detailing how and why we use your personal data, as well as the legal bases for processing it. This table provides an overview of our data processing practices. If you require more specific information or have any queries regarding the use of your personal data, please contact our Data Protection Officer (DPO) at the details provided in this Privacy Policy.

This statement ensures transparency while providing a point of contact for any further details or inquiries.

| Purpose | Why we use your Data | Legal Basis for Processing |
|---|---|---|
| To contact and communicate with you | To respond to inquiries and keep you informed about services | Performance of a contract, legitimate interests |
| To process and deliver our services to you | To provide you with information and fulfill service requests | Performance of a contract |
| To receive payments for our services | To manage financial transactions related to the services | Performance of a contract, legal obligation |
| To receive feedback | To improve our services and user experience | Legitimate interests |
| To understand the use of our website | To monitor website performance and user behaviour for improvements | Legitimate interests |
| To administer and protect our website and business | To ensure proper operation, including troubleshooting, testing, and maintenance | Legitimate interests, legal obligation |
| For compliance with relevant legislation | To ensure compliance with laws applicable to our operations | Legal obligation |
| For marketing and promotional purposes in connection with the services | To promote services and engage with potential customers | Consent, legitimate interests |
| To meet specific legal obligations to maintain audit documentation | To comply with statutory audit requirements | Legal obligation |
| For the management and administration of the company | To manage business operations, now and in the future | Legitimate interests |

Legal Bases for using your data

We use your personal data for the purposes outlined above. In doing so we rely on a number of separate and overlapping legal bases to lawfully process your personal data. These may include:

  • Where necessary to perform our contract with you
  • Where you have consented to the processing
  • Where necessary for statutory obligations
  • Where necessary for us to comply with a legal obligation, or to establish, exercise or defend legal claims
  • For the purposes of our legitimate interests, provided that those interests are not overridden by your interests or fundamental rights and freedoms

How long do we keep your data

We will retain your personal data only as long as necessary to fulfill the purposes for which it was collected, including to meet legal, accounting, or reporting obligations. To determine retention periods, we consider the type and sensitivity of the data, the risk of harm from unauthorised use, and any applicable legal requirements.

We have a Retention Policy and Schedule in place to ensure data is securely destroyed when no longer needed. In some cases, by law, we are required to retain basic information (e.g., contact, identity, and transaction data) for up to six years for tax purposes.

You may also request deletion of your data under certain circumstances. In cases where data is anonymized, it may be used indefinitely for research or statistical purposes. If you have any questions about our retention periods, please contact us at DPO@nexera.id.

Third Parties and Disclosures of your Personal Data

We require all third parties to respect the security of your personal data and comply with data protection laws. Third-party service providers are not permitted to use your personal data for their own purposes and may only process it for specified purposes under our instructions.

When you provide us with your personal data, we will also request your consent to share it with relevant third parties.

The Company conducts due diligence and maintains contracts with all suppliers and third parties. Any payment transactions are encrypted using secure encryption technology to protect your data.

Third Parties we may disclose your data to

We may share your personal data with the following categories of third parties:

  • Service Providers: Acting as processors, based in Europe, who provide IT, development, and system administration services.
  • Technical Providers: Entities that interact with us to deliver our services.
  • Professional Advisers: Lawyers, bankers, auditors, and insurers, acting as processors or controllers, providing legal, banking, insurance, and accounting services in the EU.
  • Regulators and Authorities: Based in the EU, requiring reports of processing activities in specific cases.

International Transfers

In compliance with the GDPR, any transfers of personal data outside the European Economic Area (EEA) are subject to strict safeguards. When personal data is transferred internationally, we ensure that appropriate transfer mechanisms are in place, such as the use of Standard Contractual Clauses (SCCs), adequacy decisions like the EU-US Data Privacy Framework (DPF), or binding corporate rules to guarantee that data remains protected to GDPR standards.

Currently, all data is hosted within the EU. However, we use Google Analytics, which may involve data transfers to the US. These transfers are covered by the EU-US DPF and appropriate safeguards.

Security features/data location

The Company uses strict procedures and security measures, including encryption and access controls, to protect your personal data from unauthorized access, loss, or misuse. Our data is stored within the EU. If we engage a data processor or controller outside these regions, we ensure that Standard Contractual Clauses (SCCs) and Transfer Impact Assessments (TIAs) are in place to safeguard your data.

We have procedures to respond to data breaches and will notify you and the relevant authorities if required. Access to your data is restricted to authorized personnel, contractors, and third parties on a need-to-know basis, strictly under contract.

Information on Consent

Where consent is identified as the lawful basis for processing your Personal Data, you are giving us permission to process your data for the specific purposes outlined in this Privacy Policy.

You have the right to withdraw your consent at any time by clearly indicating your decision, either through a statement or affirmative action. To withdraw consent or if you have any questions, contact our Data Protection Officer using the details provided below.

Please note, withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.

Your Rights

Depending on the legal basis for processing your Personal Data, you have the following rights under data protection law:

  • Access: Request information and a copy of the Personal Data we hold about you.
  • Correction: Request that incomplete or inaccurate data be corrected.
  • Erasure: Request deletion of Personal Data when there is no lawful basis for processing.
  • Objection: Object to processing based on legitimate interests or direct marketing.
  • Automated Decision-Making: Object to automated decisions, including profiling.
  • Restriction: Request suspension of processing under certain circumstances.
  • Data Portability: Request transfer of your Personal Data in a structured electronic format to you or another entity.

For further assistance, please contact our Data Protection Officer.

How do you exercise your rights?

We have appointed a Data Protection Officer to monitor compliance with our data protection obligations and with this policy and our related policies. If you have any questions about this policy or about our data protection compliance, please contact the Data Protection Officer.

If you wish to exercise your rights, please contact our Data Protection Officer, who will respond to the request within one calendar month.

Our Data Protection Officer can be contacted as follows:

XpertDPO

Telephone: +353 1 678 8997

Email: DPO@nexera.id

Post: 6 Mount Street Upper, Dublin, D02 FV44, Ireland

Your Right to Lodge a Complaint

You as the Data Subject have the right to complain at any time to a supervisory authority in relation to any issues related to our processing of your Personal Data. We would like to hear from you first if you have a complaint about how we use your data so that we may rectify the issue.

As our organisation is located in France, and since we conduct our data processing here, we are regulated for data protection purposes by La Commission Nationale de l'Informatique et des Libertés (CNIL).

You can contact La Commission Nationale de l'Informatique et des Libertés (CNIL) regarding complaints or data protection issues. The usual contact details are:

Mailing address: CNIL, 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France

Phone: +33 (0)1 53 73 22 22

Website contact form: CNIL Contact Form

These details are used for filing complaints or inquiries regarding data privacy and GDPR-related issues.

Updates

Our practices as described in this Privacy Policy may be changed, but any changes will be posted, and changes will only apply to activities and information on a going-forward, not retroactive, basis.

You are encouraged to review this Privacy Policy periodically to make sure that you understand how any personal information you provide will be used.

We may also email you in certain circumstances to let you know if and when we update this Privacy Policy to ensure you are informed.

Any changes to this Privacy Policy will be posted on this website so you are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any time we decide to use Personal Data in a manner significantly different from that stated in this Privacy Policy, or otherwise disclosed to you at the time it was collected, we will notify you by email, and you will have a choice as to whether or not we use your Personal Data in the new manner.

ComPilot is ISO 27001 certified.
You can verify the validity of our ISO certificate by checking our certificate number (259166).