
Privacy Policy

Effective 2026-05-07

We're a compliance scanning service. We try to take our own privacy practices seriously, not because it's clever marketing, but because we built the product precisely because most companies don't.

This policy is written in plain language. If anything is unclear, email privacy@auditly.fyi and we'll explain.

1. Who we are

Auditly is operated by Arpit Jain, sole proprietor (個人事業主), based in Japan. We are the data controller for personal data collected through the Service.

For any privacy question or rights request, contact privacy@auditly.fyi. For DPO-related matters, contact dpo@auditly.fyi. We aim to respond within 30 days.

2. What we collect

  • Account data: email and password (hashed by our auth provider); plan and billing info if you upgrade.
  • Domains and scan data: hostnames you add, ownership verification tokens, and the JSON output of every scan run on domains you have verified.
  • Audit-quiz submissions: if you complete the free self-audit and submit your email, we store your answers, score, and email. Deletion on request.
  • Operational logs: request logs (IP, route, status code, latency) retained for 30 days for debugging and abuse prevention.

3. What we don't collect

  • We do not embed third-party advertising trackers or session-replay tools.
  • We do not sell your data, ever.
  • We do not retain the raw HTML of pages we scan, only the scan findings derived from them.
  • We do not store payment card details. Stripe handles all card data; we only see customer/subscription IDs.

4. Legal basis (GDPR)

  • Contract performance (Art. 6(1)(b)): account, domain, and scan data we need to deliver the Service.
  • Legitimate interest (Art. 6(1)(f)): operational logs, security monitoring, abuse prevention.
  • Consent (Art. 6(1)(a)): audit-quiz email submission, which is opt-in.

5. Sub-processors

These vendors process personal data on our behalf. Each is bound by a data processing agreement and standard contractual clauses where applicable.

  • Supabase (USA): Postgres database + authentication. EU customer data hosted in Supabase's AP-Northeast-2 region.
  • Microsoft Azure (USA): application hosting (Container Apps in East US). Outbound traffic only; no customer data persistence.
  • Cloudflare (USA): DNS hosting and email forwarding (inbound email to @auditly.fyi).
  • Resend (USA): outbound transactional email (welcome, scan completion). Recipient email + message body only.
  • OpenRouter (USA): LLM gateway used to grade privacy policies against our compliance rubric. We send the policy text only, not your account or domain identifiers.
  • Stripe (USA, Japan): payment processing if you upgrade. Stripe stores card data; we only see customer + subscription metadata.

6. Your rights

Under GDPR (and analogues like CCPA, UK GDPR, APPI) you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your data (right to erasure)
  • Receive your data in a portable format
  • Restrict or object to processing
  • Lodge a complaint with your supervisory authority (EU residents) or relevant DPA

To exercise any of these, email privacy@auditly.fyi. California residents: same email; we treat "Do Not Sell or Share My Personal Information" requests as effective immediately even though we don't sell data to begin with.

7. Retention

  • Account data: until you delete your account, plus 30 days of soft-deletion buffer.
  • Scan results: until you delete the corresponding domain.
  • Audit-quiz submissions: 24 months, unless you request earlier deletion.
  • Operational logs: 30 days, then automatically purged.
  • Stripe billing records: 7 years (legal requirement for tax purposes).

8. International transfers

We process data in the United States (Azure East US, Supabase AP-Northeast-2), Japan (Stripe), and globally via Cloudflare's edge network. For transfers outside the EU/UK, we rely on EU Standard Contractual Clauses (2021/914) and our providers' Data Privacy Framework certifications where applicable.

9. Cookies

We use a small number of strictly necessary cookies; see our Cookie Policy for the full list and purposes. We do not use any analytics, advertising, or session-replay cookies on the marketing site.

10. Security

Passwords are hashed by our auth provider (bcrypt + per-user salt). API keys are stored as SHA-256 hashes; we cannot recover them, only verify them. All connections use TLS 1.2+. Database connections use the Supabase pooler with encryption in transit. We rotate operational credentials on a regular cadence.

In the event of a personal data breach, we will notify our supervisory authority within 72 hours and affected users without undue delay (GDPR Art. 33–34).

11. Children

The Service is not directed at children under 16. If we learn we've collected data from a child, we delete it.

12. Changes

We post material updates here and email all active account holders. The "Effective" date at the top reflects the latest revision.