Privacy Policy
Last updated: 15 June 2026
Multi Vision World (“we”, “us”, or “our”) operates the ComplAI platform. This Privacy Policy explains how we collect, use, store, and protect information when you use our services or visit our website at complaigrc.com. By using ComplAI, you agree to the practices described here.
1. Who We Are
Multi Vision World is the company behind ComplAI. We are registered and operate in both Pakistan and the United States of America.
ComplAI is a B2B SaaS platform providing governance, risk, and compliance (GRC) management services to enterprise clients. We act as a data processor on behalf of our clients, who are the data controllers for their own organisational data.
2. Information We Collect
We collect the following categories of information:
- Account information: Name, work email address, company name, job title, and country provided when registering or contacting us.
- Platform usage data: Log data, feature usage, session information, and interaction events used to operate and improve the platform.
- Security telemetry: Data ingested from your connected security tools (SIEM, EDR, vulnerability scanners, etc.) via our integration layer, processed solely for GRC purposes within your tenant.
- Communications: Emails, support requests, and other correspondence you send us.
- Website analytics: Standard analytics data (page views, session duration, referral sources) collected via Google Analytics 4 to understand how visitors use our website.
We do not collect sensitive personal data (health information, financial account numbers, government ID numbers) unless explicitly required by a specific client engagement and governed by a separate data processing agreement.
3. How We Use Your Information
- Delivering and operating the ComplAI platform and managed services
- Responding to enquiries, support requests, and pilot programme communications
- Sending service updates, security notices, and product communications
- Improving platform features and user experience based on usage data
- Complying with legal obligations and regulatory requirements
- Preventing fraud, abuse, and unauthorised access
We do not sell your data to third parties. We do not use your data for advertising.
4. Data Hosting and Residency
ComplAI supports flexible deployment models to meet your regulatory and data residency requirements:
- Cloud deployment: Data is hosted in the cloud region specified and agreed with your organisation at the time of deployment. Each client environment is isolated using schema-per-tenant architecture with row-level security, ensuring no cross-tenant data access.
- On-premise deployment: Available for clients who require data to remain entirely within their own infrastructure. This option is particularly recommended for the Continuous Control Monitoring (CCM) module where security telemetry must not leave your environment.
- Regional residency: For clients operating under SAMA CSF, NCA ECC, SBP, ADHICS, or other regional frameworks with data localisation requirements, we configure your deployment in a compliant region by agreement.
Data residency and hosting arrangements are confirmed in writing during the discovery and scoping phase of each engagement.
5. Data Sharing
We do not share your data with third parties except in the following circumstances:
- Sub-processors: We engage trusted sub-processors (such as cloud infrastructure providers) to operate the platform. These are bound by data processing agreements and may only process data as instructed by us.
- Legal requirements: We may disclose information if required by applicable law, court order, or regulatory authority.
- Business transfers: In the event of a merger, acquisition, or asset sale, data may be transferred to the acquiring entity under the same privacy obligations.
A current list of sub-processors is available upon request under NDA.
6. Data Retention
We retain client data for the duration of the active service agreement. Following termination or expiry of an agreement, data is retained for a period of 90 days to allow for export and transition, after which it is securely deleted unless a longer retention period is required by applicable law or agreed in writing.
Contact form submissions and enquiry data are retained for up to 24 months from the date of last contact.
Analytics and log data are retained for up to 24 months.
7. Security
We implement appropriate technical and organisational measures to protect your data against unauthorised access, disclosure, alteration, and destruction. These include:
- Encryption of data in transit (TLS 1.2+) and at rest
- Tenant isolation with schema-level and row-level access controls
- Role-based access control and multi-factor authentication for platform access
- Immutable audit logs of all access and actions within client environments
- Regular security reviews and vulnerability assessments
Security documentation is available under NDA during the evaluation process.
8. Your Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal data:
- The right to access the personal data we hold about you
- The right to request correction of inaccurate data
- The right to request deletion of your data, subject to legal retention obligations
- The right to restrict or object to certain processing activities
- The right to data portability
For enterprise clients, data subject rights requests should be directed to your own organisation as the data controller. Your organisation will then coordinate with us as required.
To exercise any of these rights directly, contact us at info@multivisionworld.com.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page and notify active clients via email where required. We encourage you to review this policy periodically.
10. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please contact us: