Privacy policy
Last updated 1 May 2026 · Applies to compliance.dazr.eu.
Who we are
Dazr, based in Italy. The controller contact for personal data we hold about you (as a workspace member, prospect, or visitor) is privacy@dazr.eu.
For personal data processed inside a customer workspace, the controller is the customer organisation that owns the workspace; we are the processor. If you are a workspace member and want to exercise data-subject rights over your workspace data, contact your workspace owner first; we'll route requests we receive to them.
What we process and why
Three buckets, in increasing order of how often we touch them:
1. Marketing site (dazr.eu/compliance)
If you read the marketing page, fill the Enterprise contact form, or subscribe to a newsletter, we process the following as controller:
- Contact form submissions: name, work email, company, role, team size, frameworks of interest, free-text message. Used to reply to your enquiry and to record the lead in our CRM. Legal basis: pre-contractual measures at your request (GDPR Art. 6(1)(b)) and our legitimate interest in selling our product (Art. 6(1)(f)).
- Newsletter: email address, only if you subscribe. Legal basis: consent (Art. 6(1)(a)). Withdraw any time via the unsubscribe link.
- Server logs: IP address (truncated and hashed within 24 hours), user-agent, requested URL, response code, timestamp. Used to operate and secure the website. Legal basis: legitimate interest. Retention: 30 days raw, then aggregate counters only.
The marketing site has no analytics pixels, no Google Analytics, no third-party trackers, and no cookies that aren't strictly necessary.
2. Account and billing for the platform
To let you sign in and pay, we process as controller:
- Member identity: email address (required), display name (optional), role within the workspace, the time you joined and last logged in. Legal basis: contract performance (Art. 6(1)(b)).
- Sign-in codes: a 6-digit one-time code sent to your email. Stored hashed for ten minutes, then deleted. We do not store passwords because there are none.
- Session tokens: HMAC-signed JWTs, 30-day TTL, kept only in your browser's local storage. Server-side we keep no session record.
- Billing: for Pro and Enterprise customers we hold company legal name, billing email, VAT/tax ID, invoice address, and the high-level state of your subscription (active, past_due, canceled, current period end). Card data never touches our servers; the payment processor (see Sub-processors) holds it. Legal basis: contract performance and tax-law obligations (Art. 6(1)(b) and (c)).
3. Workspace content
Everything you put inside your workspace (control tasks, evidence notes and files, risks, incidents, vendors, the compliance profile, public-intake submissions, and the activity log) we process as processor on behalf of your workspace's controller. We do not access this content for any purpose other than running the service for you, debugging at your request, or where we are legally compelled to.
The DPA at /legal/dpa sets out the precise scope, the security measures, the sub-processor change procedure, and the standard contractual clauses that activate for any data we transfer outside the EU.
Who can see your workspace data
- Other workspace members at the role permission you've been given. Owners and admins can see everything; members can read tasks and complete the ones assigned to them.
- Auditors you invite through the time-boxed read-only auditor link. Their access carries an explicit start date and expiry, and an admin can revoke it at any time.
- Dazr operations staff, only via the support portal. The support portal is metadata-only by design: it shows workspace IDs, owner emails, tier, member counts, framework status, aggregate task / risk / incident counts, and activity-log event types. It does NOT show task content, evidence, comments, individual risks, individual incidents, or member activity. The privacy boundary is enforced in the API itself, not just the UI.
- Sub-processors we use to provide the service. The full list is at /legal/subprocessors.
- Authorities, only where we are legally compelled. We will challenge over-broad requests and will notify you unless prohibited by law.
Where data is stored
All application data is stored within the European Union. Production workloads run in EU regions; backups are EU-resident. We do not transfer customer workspace data outside the EU as a default. Where a sub-processor we use is headquartered outside the EU, the standard contractual clauses are in place; the DPA documents which clauses apply per processor.
At the application layer, sensitive payloads are encrypted at rest with AES-256-GCM in addition to the storage provider's own at-rest encryption. Transport is HTTPS only with HSTS preloaded.
How long we keep things
| Category | Retention |
|---|---|
| Marketing-site server logs | 30 days raw; 12 months aggregated counters. |
| Newsletter list | Until you unsubscribe, then deleted within 30 days. |
| Enterprise lead form submissions | 24 months from last contact, then deleted. |
| One-time sign-in codes | 10 minutes (hashed); deleted on first successful use or expiry. |
| Session tokens | 30 days client-side; no server-side record. |
| Workspace content | For the lifetime of your subscription, plus a 30-day grace period after closure for export. The customer can request immediate deletion at any time. |
| Public-intake submissions older than 365 days | Auto-purged by retention cron. The activity log keeps a record that the submission existed and when it was purged. |
| Activity / audit log | Free and Pro: rolling 200-event window. Enterprise: unbounded for the lifetime of the workspace. |
| Billing records and invoices | 10 years (Italian commercial-law obligation). |
Your rights
Under the GDPR you have the right to access, rectify, and erase your personal data, to restrict or object to its processing, to port it, and to lodge a complaint with a supervisory authority. To exercise these:
- For data we hold about you as controller (marketing, account, billing): email privacy@dazr.eu. We respond within 30 days.
- For data inside a workspace, contact your workspace owner. We will route requests we receive directly to them and assist them to respond.
The supervisory authority for our marketing operations is the Italian Garante per la Protezione dei Dati Personali (garanteprivacy.it). You can also complain to the supervisory authority where you live.
Cookies
The Dazr Compliance portal sets a single first-party cookie to keep you signed in. There are no analytics cookies, no advertising cookies, and no third-party cookies. The marketing site uses no tracking cookies either.
Changes to this policy
If we change anything material, we update the date at the top, post a notice in the portal banner, and email workspace owners. Past versions are available on request.
Contact
- Privacy / GDPR matters: privacy@dazr.eu
- Security: security@dazr.eu
- General: hello@dazr.eu