Privacy Policy
Last updated: 22 May 2026
Complikit ("we", "us", "our") is committed to protecting the privacy and personal data of visitors to complikit.tech (the "Site") and users of our services. This Privacy Policy explains what personal data we collect, how we use it, the legal bases for processing, and your rights under the EU General Data Protection Regulation (GDPR), the UK GDPR, and the Ukrainian Law on Personal Data Protection.
1. Data Controller
The data controller responsible for your personal data is:
Complikit
Operated by Ihor Kravchenko, based in Kyiv, Ukraine, registered as an individual entrepreneur (ФОП) under the law of Ukraine.
Contact: hello@complikit.tech
If you are in the EU, EEA, or UK, you also have the right to contact your national Data Protection Authority directly (see Section 7).
2. Personal data we collect
We collect personal data in the following ways:
2.1 Data you provide directly
When you fill in forms on our Site (such as the ESG Checklist request form or the VSME Assessment form), we collect:
- First name and last name
- Email address
- Company name
- Country, industry, company size (in the assessment form)
- Information about your ESG situation (such as whether a bank, corporate buyer, tender, or investor is asking for ESG documentation)
- Free-text responses to assessment questions
2.2 Data collected automatically
When you visit our Site, we automatically collect, subject to your cookie consent:
- IP address (anonymized by Google Analytics)
- Browser type, operating system, device type
- Referring URL, pages visited, time spent on pages, click patterns
- Approximate geographic location (city/country level)
- Session recordings and heatmaps (via Microsoft Clarity) — capturing mouse movements, clicks, and scrolls to help us improve the user experience. Form fields and sensitive content are automatically masked. Loaded only with analytics consent.
- Advertising identifiers from Google Ads and LinkedIn (only with marketing consent)
3. Purposes and legal bases
We process your personal data for the following purposes, on the following legal bases under Article 6 GDPR:
| Purpose | Data | Legal basis |
|---|---|---|
| Respond to checklist or assessment requests; deliver ESG documentation | Name, email, company, assessment answers | Performance of a contract / pre-contractual steps (Art. 6(1)(b)) |
| Send follow-up emails about our services | Name, email, company | Legitimate interest in business communication (Art. 6(1)(f)); you may opt out at any time |
| Analyze Site usage and improve user experience | Analytics data (anonymized) | Consent (Art. 6(1)(a)) — via cookie banner |
| Measure advertising effectiveness on Google Ads and LinkedIn | Advertising identifiers, click data | Consent (Art. 6(1)(a)) — via cookie banner |
| Comply with legal obligations (tax, fraud prevention, regulatory requests) | All categories as required | Legal obligation (Art. 6(1)(c)) |
4. Sharing with third parties
We do not sell your personal data. We share it only with the following categories of recipients, acting either as our processors or as independent controllers:
| Recipient | Role | Purpose |
|---|---|---|
| Google LLC (USA) | Independent controller / processor | Analytics (Google Analytics 4); advertising (Google Ads) |
| Microsoft Corporation (USA) | Processor | Session recordings and heatmaps (Microsoft Clarity) — for UX analysis only, not advertising. Personal data in forms is automatically masked before transmission. |
| LinkedIn Ireland UC | Independent controller | Advertising measurement (Insight Tag) |
| Web hosting provider | Processor | Hosting our Site and form data |
| Email service providers | Processor | Delivering form submissions to our team |
| Regulators, courts, law enforcement | Independent recipients | Where required by law |
5. International transfers
Some of our service providers are based outside the European Economic Area (EEA) and the UK, primarily in the United States. When we transfer personal data outside the EEA/UK, we rely on appropriate safeguards under Articles 44–49 GDPR, including:
- EU-US Data Privacy Framework (DPF): for Google LLC, which is certified under the DPF.
- Standard Contractual Clauses (SCCs): approved by the European Commission, for other US-based providers.
- Adequacy decisions: where applicable.
You may request a copy of these safeguards by contacting us at hello@complikit.tech.
6. Data retention
We retain personal data only as long as necessary for the purposes for which it was collected:
- Form submission data (name, email, company, assessment answers): retained for up to 24 months after last interaction, unless you request earlier deletion or unless we are required by law to retain it longer.
- Marketing communications consent: until you withdraw consent or 24 months of inactivity have elapsed.
- Analytics data: 14 months (Google Analytics default), then automatically deleted.
- Cookie consent records: 365 days, then re-requested.
- Tax and accounting records (if applicable): as required by applicable law (typically 5–10 years).
7. Your rights
Under GDPR and equivalent laws, you have the following rights:
- Right of access (Art. 15): to obtain confirmation of whether we process your data and a copy of that data.
- Right to rectification (Art. 16): to correct inaccurate or incomplete data.
- Right to erasure (Art. 17): to request deletion of your data, subject to legal retention obligations.
- Right to restriction (Art. 18): to request that we limit processing in certain circumstances.
- Right to data portability (Art. 20): to receive your data in a structured, machine-readable format.
- Right to object (Art. 21): to object to processing based on legitimate interest or direct marketing.
- Right to withdraw consent (Art. 7): at any time, without affecting processing already carried out.
- Right to lodge a complaint: with a Data Protection Authority. In Ukraine: the Office of the Ukrainian Parliament Commissioner for Human Rights. In the EU: your local DPA (full list at edpb.europa.eu). In the UK: the Information Commissioner's Office (ico.org.uk).
To exercise any of these rights, contact us at hello@complikit.tech. We will respond within one month, as required by Article 12(3) GDPR.
8. Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:
- HTTPS encryption for all data transmitted to and from our Site
- Access controls limiting who within Complikit can access personal data
- Regular review of our security practices
- Selection of service providers with appropriate security certifications (e.g. ISO 27001, SOC 2)
No method of transmission over the Internet or method of electronic storage is 100% secure. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay, as required by Articles 33–34 GDPR.
9. Cookies
Detailed information on the cookies and similar technologies we use is available in our Cookie Policy. You can manage your cookie preferences at any time via the cookie icon in the bottom-left corner of our Site.
10. Children's data
Our Site and services are intended for businesses and adults. We do not knowingly collect personal data from anyone under the age of 16. If you become aware that a child has provided us with personal data, please contact us, and we will take steps to delete it.
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date and, where appropriate, notify you by email or via a notice on our Site. Continued use of our Site after such changes constitutes acceptance of the updated Policy.
12. Contact
For all privacy-related questions, requests, or complaints:
Email: hello@complikit.tech
We aim to respond to all privacy inquiries within 5 business days, and to formal data subject requests within one month as required by GDPR.