1. Who We Are
AuditFront is a SaaS tool for running internal compliance readiness assessments (ISO 27001, SOC 2, Tech DD, and other frameworks). We act as the data controller for your personal data.
Contact: support@auditfront.com
Data Protection: privacy@auditfront.com
2. Data We Collect
2.1 Account Data
When you register (directly or via social login), we collect:
- Email address
- Full name (if provided by your identity provider)
- Authentication provider identifier (Google, Apple, or Microsoft subject ID)
2.2 Audit Data
Audit data is the data you enter while using the Service: audit questions, answers, scores, evidence attachments, advisory notes, and reports. This data may contain information about third-party organisations you are assessing.
You are the data controller for any personal data contained in your audit content; we process it on your behalf.
2.3 Payment Data
If you subscribe to a paid plan, payment processing is handled entirely by Paddle, our merchant of record. We never see or store your credit card number, bank details, or billing address. Paddle shares with us only your email, subscription status, and transaction IDs so we can activate your plan.
2.4 Usage Data
Inside the app (app.auditfront.com):
- We collect server-side logs only: timestamps, request paths, response times, and error codes.
- We collect aggregated performance metrics (e.g. average response time, disk usage) to keep the Service running smoothly.
- We log login events (email and IP address) for security monitoring.
- We do not use Google Analytics, tracking pixels, fingerprinting, or any third-party analytics inside the app.
On the marketing website (www.auditfront.com):
- We use Google Analytics 4 (GA4) with IP anonymisation to understand how visitors find and browse the site.
- GA4 runs only on www.auditfront.com. It is not loaded on app.auditfront.com or auth.auditfront.com.
- You can opt out via your browser settings or the Google Analytics Opt-out Add-on.
We do not use advertising cookies, retargeting, or social media tracking anywhere.
3. Legal Basis for Processing (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)) - processing necessary to provide the Service you signed up for.
- Legitimate interest (Art. 6(1)(f)) - security monitoring, fraud prevention, and product improvement based on aggregated usage patterns.
- Legal obligation (Art. 6(1)(c)) - where we are required to retain data by applicable law.
4. How We Use Your Data
- Provide and maintain the Service
- Authenticate you via your identity provider
- Process payments and manage subscriptions (via Paddle)
- Monitor service health and investigate security incidents
- Respond to support requests
5. Data Sharing & Sub-processors
We share personal data only with the sub-processors listed on our Sub-processor List. We do not sell personal data. All sub-processors are bound by data processing agreements.
6. Data Retention
- Account data: retained while your account is active, then deleted within 30 days after account deletion.
- Audit data: retained while your account is active. You can delete individual audits at any time.
- Server logs and metrics: retained for up to 30 days, then automatically purged.
- Payment records: retained as required by tax and accounting regulations (typically 7 years). Managed by Paddle.
7. Your Rights (GDPR Art. 15-22)
You have the right to:
- Access - request a copy of the personal data we hold about you.
- Rectification - ask us to correct inaccurate data.
- Erasure - ask us to delete your personal data ("right to be forgotten").
- Data portability - receive your data in a structured, machine-readable format.
- Restriction / Objection - restrict or object to certain processing activities.
- Complaint - lodge a complaint with your local data protection authority.
To exercise any of these rights, contact us at privacy@auditfront.com. We will respond within 30 days.
8. Data Security
All data is encrypted in transit (TLS 1.2+) and at rest. Infrastructure is hosted on a dedicated server in the EU (Hetzner, Germany) - not a shared cloud. Access to production systems is restricted to authorised personnel via SSH key authentication.
9. International Transfers
Your data is processed and stored within the European Union. Where a sub-processor is based outside the EU (e.g. Google LLC for OAuth, Paddle for payments, Resend Inc. for transactional email), transfers are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission. See our Sub-processor List for details.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you at least 14 days in advance by email or through the Service. Continued use of the Service after the changes take effect constitutes acceptance of the revised policy.