We're a compliance scanning service. We try to take our own privacy practices seriously, not because it's clever marketing, but because we built the product precisely because most companies don't.
1. Who we are
auditly ("we", "us") is the data controller for personal data collected through the Service. Contact us at privacy@auditly.local for any question or rights request.
2. What we collect
- Account data: email and password (hashed) when you sign up; plan and billing info if you upgrade.
- Domains and scan data: hostnames you add, ownership verification tokens, and the JSON output of every scan you run on your domains.
- Audit-quiz submissions: if you complete the free self-audit and submit your email, we store your answers, score, and email. You can request deletion at any time.
- Operational logs: minimal request logs (IP, route, status code, latency) retained for 30 days for debugging and abuse prevention.
3. What we don't collect
- We do not embed third-party advertising trackers or session-replay tools on this site.
- We do not sell your data to anyone, ever.
- We do not retain the raw HTML of pages we scan, only the scan results derived from them.
4. Legal basis (GDPR)
We process account and scan data under the legal basis of contract performance (Article 6(1)(b)). Operational logs are processed under legitimate interest (Article 6(1)(f)) for security and abuse prevention.
5. Sub-processors
The vendors that touch personal data:
- Supabase (Postgres database + auth): primary application data.
- Vercel: hosting for the marketing site and dashboard.
- Fly.io / Railway: hosting for the scan worker.
- OpenRouter: LLM gateway for privacy-policy analysis (we send the policy text only).
- Stripe: payment processing (only if you upgrade).
- Upstash: Redis-backed job queue.
6. Your rights
Under GDPR and analogous laws (CCPA in California, UK GDPR, etc.) you have rights of access, rectification, erasure, portability, restriction, and objection. To exercise any of these, email privacy@auditly.local. We aim to respond within 30 days, in line with GDPR Article 12.
7. Retention
- Account data: until you delete your account, plus 30 days of soft-deletion buffer.
- Scan results: until you delete the corresponding domain.
- Audit-quiz submissions: 24 months unless you request earlier deletion.
- Operational logs: 30 days.
8. International transfers
We process data in EU and US regions of our hosting providers. Where data is transferred outside the EU/UK, we rely on EU Standard Contractual Clauses (SCCs) and, where applicable, our providers' Data Privacy Framework certifications.
9. Security
Passwords are hashed via Supabase Auth (bcrypt + per-user salt). API keys are stored as SHA-256 hashes. All connections use TLS. Database connections use the Supabase pooler with encryption in transit. We rotate access credentials regularly.
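The API-key handling described above (store only a SHA-256 hash, never the key itself) is illustrated by the following example. It is added here for readers and is not auditly's own code: the function names, the `key_id` parameter and the in-memory `KEY_STORE` standing in for a database table are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the database table holding hashed keys
# (assumption: the real service persists these in Postgres). Only the
# digest is stored; the plaintext key is never written anywhere.
KEY_STORE: dict[str, str] = {}


def issue_api_key(key_id: str) -> str:
    """Generate a fresh key, persist only its SHA-256 hash, return the plaintext once.

    A plain (unsalted, no work factor) SHA-256 is acceptable here because the
    key carries 256 bits of randomness, so an attacker who steals the hash
    cannot brute-force it. Passwords are low-entropy and therefore need bcrypt.
    """
    plaintext = secrets.token_urlsafe(32)  # 32 random bytes = 256 bits
    KEY_STORE[key_id] = hashlib.sha256(plaintext.encode()).hexdigest()
    return plaintext  # shown to the user exactly once


def verify_api_key(key_id: str, presented: str) -> bool:
    """Hash the presented key and compare it to the stored digest in constant time."""
    stored = KEY_STORE.get(key_id)
    if stored is None:
        return False
    candidate = hashlib.sha256(presented.encode()).hexdigest()
    # compare_digest avoids leaking how many leading characters matched
    # through timing differences.
    return hmac.compare_digest(candidate, stored)


def revoke_api_key(key_id: str) -> bool:
    """Delete the stored hash; the corresponding plaintext key stops working immediately."""
    return KEY_STORE.pop(key_id, None) is not None


if __name__ == "__main__":
    key = issue_api_key("demo-key")
    print("issued:", key)
    print("stored digest:", KEY_STORE["demo-key"])
    print("verify correct key:", verify_api_key("demo-key", key))
    print("verify wrong key:", verify_api_key("demo-key", key + "x"))
    print("revoked:", revoke_api_key("demo-key"))
    print("verify after revoke:", verify_api_key("demo-key", key))
```

The design point is that a database leak exposes only digests that are useless without the original random key, while the constant-time comparison keeps the verification path from revealing partial matches.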
10. Children
The Service is not directed at children under 16. If we learn we have collected data from a child, we delete it.
11. Changes
We post updates here, and email all account holders for any material change.