1. Who We Are

complit. is a compliance consulting firm operated by COMplit Consulting ("[Registered legal name]", "we", "us", or "our"), specialising in high-risk fintech sectors including Cryptocurrency, iGaming, Payments, and Forex. Our website is available at https://complit.me (the "Site").

For the purposes of EU data protection law — in particular the General Data Protection Regulation (EU) 2016/679 ("GDPR") — COMplit Consulting is the data controller of personal data collected through this Site.

To contact us regarding data protection matters, please use the contact form on the Site or email us at the address indicated in Section 13.

2. Data We Collect and How

a) Contact enquiries

When you submit a contact form or send us an enquiry, we collect:

• Your name (if provided)
• Your email address
• The content of your message

b) Technical and server-side data

When you visit the Site, our infrastructure automatically processes certain technical data, including:

• IP address (processed by Cloudflare at the network edge)
• Browser type and version
• Operating system
• Referring URL and pages visited
• Date and time of access

c) Session data

We use a minimal server-side session (stored in Cloudflare KV) to maintain the functional state of your visit, such as your language preference. This session does not identify you personally and contains no sensitive data.

d) Cookies

Please see Section 5 for our full cookie information.

3. Legal Bases for Processing

We process personal data only where we have a lawful basis under Article 6 GDPR:

• Pre-contractual steps / contract performance (Art. 6(1)(b)): responding to your enquiries and providing our services.
• Legitimate interests (Art. 6(1)(f)): ensuring the security and proper functioning of the Site, preventing fraud and abuse, maintaining session continuity, and operating our business.
• Legal obligation (Art. 6(1)(c)): complying with applicable laws, regulatory requirements, and lawful orders from competent authorities.
• Consent (Art. 6(1)(a)): where we explicitly request it — for example, optional marketing communications. You may withdraw consent at any time without affecting prior processing.

We do not carry out automated decision-making or profiling that produces legal or similarly significant effects.

4. How We Use Your Data

• To respond to your enquiries and communicate about our services
• To fulfil pre-contractual and contractual obligations
• To ensure the security, integrity, and availability of the Site (consistent with NIS2 baseline requirements)
• To detect and prevent fraud, abuse, or misuse of the Site
• To comply with applicable legal and regulatory obligations

We do not sell, rent, or share your personal data with third parties for their own marketing or commercial purposes.

5. Cookies and Similar Technologies

We use a strictly minimal set of cookies required for the Site to function. We do not use advertising cookies, tracking pixels, or analytics services such as Google Analytics or Meta Pixel.

Because we place only strictly necessary cookies, a consent banner is not required under the ePrivacy Directive. You may configure or block cookies via your browser settings; however, certain Site functionality may be affected.

6. Third-Party Service Providers

We engage the following sub-processors who may process personal data on our behalf:

We enter into data processing agreements with all sub-processors and require them to implement appropriate technical and organisational security measures.

7. International Data Transfers

Cloudflare, Inc. is headquartered in the United States. Transfers of personal data to Cloudflare are governed by Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) GDPR, supplemented by Cloudflare's technical and organisational security measures.

We do not transfer personal data to third countries beyond those described above. Where any additional transfer becomes necessary, we will ensure an equivalent level of protection is in place prior to transfer. Copies of applicable SCCs are available on request.

8. Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected or as required by law:

• Contact enquiry data: up to 3 years from the date of the enquiry, or for the duration of any resulting engagement plus the applicable statutory limitation period, whichever is longer.
• Server and access logs: up to 90 days, subject to applicable legal retention requirements.
• Session data: for the duration of the browser session; deleted upon session expiry or browser close.

After the applicable retention period, data is securely deleted or irreversibly anonymised.

9. Your Rights Under GDPR

If you are located in the EU/EEA, you have the following rights under GDPR:

• Right of access (Art. 15): obtain confirmation of whether we process your data and receive a copy.
• Right to rectification (Art. 16): have inaccurate or incomplete data corrected.
• Right to erasure (Art. 17): request deletion of your data where there is no overriding legal ground for retention.
• Right to restriction of processing (Art. 18): request that we limit processing in certain circumstances.
• Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21): object to processing based on legitimate interests; we will cease unless we can demonstrate compelling legitimate grounds.
• Right to withdraw consent (Art. 7(3)): where processing is based on consent, withdraw it at any time without affecting prior lawful processing.

To exercise any of these rights, contact us via the form on the Site or at the address in Section 13. We will respond within one calendar month (extendable by two further months for complex or numerous requests, with prior notice).

You also have the right to lodge a complaint with your national data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.

10. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, including:

• TLS encryption for all data in transit (HTTPS enforced site-wide)
• Cloudflare enterprise-grade DDoS protection and Web Application Firewall
• Access controls limiting data access to authorised personnel only
• Periodic review of security practices consistent with NIS2 baseline requirements

No transmission over the internet is 100% secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where required by Art. 34 GDPR, notify affected individuals without undue delay.

11. Children's Privacy

This Site is not directed at children under 16 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Material changes will be signalled by updating the "Last updated" date at the top of this page. We encourage you to review this page periodically. Continued use of the Site after changes are posted constitutes acceptance of the updated Policy.

13. Contact

Data Controller:
COMplit Consulting
[Registered address]
[Jurisdiction]

For data protection enquiries, to exercise your rights, or to report a concern, please use the contact form on the Site or email: privacy@complit.me