Privacy Policy
Last updated: [DATE — TO BE CONFIRMED BEFORE LAUNCH] · Version 1.0 DRAFT
⚠ DRAFT — This document is a working draft pending legal review. It must not be considered final or legally binding until reviewed and approved by qualified legal counsel before product launch.
1. Who We Are
MacComply is a Mac compliance and security monitoring platform operated by RedandBlueequalsPurple ("we", "us", "our").
Data Controller
[COMPANY LEGAL NAME] · [REGISTERED ADDRESS] · [COUNTRY]
2. What Data We Collect
2.1 Account Data
- Full name and work email address
- Password (stored as a bcrypt hash, never in plain text)
- Account creation date and last login timestamp
- Subscription plan and billing info (processed by Stripe)
2.2 Device & Compliance Data
- Device serial number and hardware UUID
- macOS version and system configuration
- Compliance scan results (FileVault, firewall, screen lock, OS updates)
- Agent version and last check-in timestamp
- Device hostname
2.3 Usage Data
- IP address at login
- Browser type and OS (User-Agent)
- Pages visited and timestamps
- Actions taken within the platform
2.4 Data We Do Not Collect
- File contents, emails, or documents from managed devices
- Advertising or cross-site tracking cookies
- We do not sell personal data
3. Legal Basis for Processing (GDPR)
| Purpose | Data | Legal Basis |
| --- | --- | --- |
| Providing the service | Account data, device data | Contract (Art. 6(1)(b)) |
| Billing | Email, subscription data | Contract (Art. 6(1)(b)) |
| Security monitoring | IP address, login events | Legitimate interests (Art. 6(1)(f)) |
| Transactional emails | Email address | Contract (Art. 6(1)(b)) |
| Legal obligations | Billing records | Legal obligation (Art. 6(1)(c)) |
4. Data Retention
| Data Type | Retention |
| --- | --- |
| Account & device data | Duration of account + 30 days after deletion |
| Security logs | 90 days rolling |
| Billing records | 7 years (legal requirement) |
| Backups | 30 days |
5. Third-Party Processors
| Processor | Purpose | Location |
| --- | --- | --- |
| Stripe | Payment processing | USA (EU SCCs) |
| Cloudflare | CDN, DDoS protection | USA (EU SCCs) |
| [EMAIL PROVIDER] | Transactional email | [LOCATION] |
| [HOSTING PROVIDER] | Infrastructure | [LOCATION] |
6. Your Rights (GDPR)
- Access — request a copy of your data
- Rectification — correct inaccurate data
- Erasure — delete your account (available in Settings)
- Portability — receive data in machine-readable format
- Object — object to legitimate interest processing
- Restrict — limit how we use your data
Email [[email protected]] to exercise any right. We respond within 30 days.
7. Security
- TLS 1.2+ encryption in transit, HSTS active
- Passwords hashed with bcrypt
- Database access restricted to application servers
- Per-device authentication secrets
- SSH key-only access to production systems
8. Cookies
We use only one strictly necessary session cookie (HttpOnly, Secure, session-scoped). No advertising or tracking cookies. No consent banner required.
9. Changes
We will notify registered users by email of material changes at least 14 days before they take effect.
10. Contact
Data Protection Contact
[COMPANY LEGAL NAME] · [ADDRESS]