Privacy Policy

Last Updated: June 20, 2026

AuditFlo ("AuditFlo," "we," "our," or "us") respects your privacy and is committed to protecting your information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you access or use the AuditFlo platform, website, applications, APIs, and related services (collectively, the "Services").

By using the Services, you acknowledge and agree to the practices described in this Privacy Policy.

---

1. Scope

This Privacy Policy applies to information collected through:

• The AuditFlo website
• The AuditFlo platform
• Customer accounts
• APIs and integrations
• Customer support interactions
• Marketing and communications

This Privacy Policy does not apply to third-party websites, services, or applications that may be connected to AuditFlo.

---

2. Information We Collect

Information You Provide Directly

We may collect information that you voluntarily provide, including:

• Name
• Email address
• Company name
• Job title
• Billing information
• Account credentials
• Support requests
• Communications with AuditFlo

Information Collected Through Integrations

When authorized by you or your organization, AuditFlo may collect information from connected systems, including:

• GitHub
• GitLab
• Bitbucket
• Jira
• Linear
• AWS
• Azure
• Google Cloud
• Okta
• Microsoft Entra ID
• Google Workspace
• Slack
• CI/CD systems
• Ticketing systems
• Source control platforms
• Security tools
• Compliance systems

Examples of information collected through integrations may include:

• User identities
• Access permissions
• Audit logs
• Repository metadata
• Pull request metadata
• Deployment records
• Approval records
• Change management records
• Policy acknowledgements
• Evidence artifacts
• System configuration metadata

AuditFlo collects only the information necessary to provide the Services requested by customers.

Information Collected Automatically

When you use the Services, we may automatically collect:

• IP address
• Browser type
• Device information
• Operating system
• Usage activity
• Log data
• Session information
• Referring URLs
• Performance and diagnostic information

---

3. Cookies and Similar Technologies

AuditFlo uses cookies and similar technologies to:

• Authenticate users
• Maintain sessions
• Improve platform functionality
• Analyze platform usage
• Enhance security
• Remember preferences

You may configure your browser to reject cookies; however, some functionality may be limited.

---

4. How We Use Information

We use collected information to:

• Provide and operate the Services
• Authenticate users
• Manage customer accounts
• Process payments
• Support integrations
• Deliver customer support
• Improve platform functionality
• Detect and prevent fraud
• Monitor security
• Comply with legal obligations
• Communicate service updates
• Send transactional communications

We do not use customer compliance evidence for advertising purposes.

---

5. Customer Data Processing

When organizations use AuditFlo, AuditFlo generally acts as a service provider and data processor on behalf of the customer.

Customers determine:

• What data is collected
• Which integrations are connected
• Which users have access
• How evidence is managed

Customers remain responsible for ensuring their use of AuditFlo complies with applicable privacy and data protection laws.

---

6. Legal Bases for Processing

Where applicable under data protection laws, AuditFlo processes information based on one or more of the following legal grounds:

• Performance of a contract
• Legitimate business interests
• Compliance with legal obligations
• User consent
• Protection of vital interests

---

7. How We Share Information

AuditFlo does not sell personal information.

We may share information with:

Service Providers

Trusted vendors that assist us in operating the Services, including:

• Cloud hosting providers
• Payment processors
• Customer support platforms
• Analytics providers
• Security monitoring providers
• Infrastructure providers

Legal Requirements

We may disclose information when required to:

• Comply with law
• Respond to lawful requests
• Enforce our agreements
• Protect users
• Protect AuditFlo's rights and security

Business Transactions

If AuditFlo participates in a merger, acquisition, financing, reorganization, bankruptcy, or asset sale, information may be transferred as part of that transaction.

---

8. International Data Transfers

Information may be processed and stored in countries where AuditFlo or its service providers operate.

Where required by law, AuditFlo implements appropriate safeguards for international data transfers.

---

9. Data Retention

AuditFlo retains information only for as long as necessary to:

• Provide the Services
• Meet contractual obligations
• Comply with legal requirements
• Resolve disputes
• Enforce agreements

Unless otherwise agreed:

• Customer account data is retained while an account remains active.
• Following termination, data may remain available in read-only mode for up to ninety (90) days.
• After the retention period, data may be permanently deleted from production systems.

Backup systems may retain information for a limited period as part of normal disaster recovery processes.

---

10. Security Measures

AuditFlo maintains administrative, technical, and organizational safeguards designed to protect information, including:

• Encryption in transit
• Encryption at rest where applicable
• Access controls
• Authentication mechanisms
• Logging and monitoring
• Security reviews
• Least-privilege access practices

No system can guarantee absolute security. Users are responsible for protecting account credentials and maintaining appropriate security practices.

---

11. Your Privacy Rights

Depending on your location, you may have rights that include:

• Access to personal information
• Correction of inaccurate information
• Deletion of personal information
• Restriction of processing
• Objection to processing
• Data portability
• Withdrawal of consent where applicable

Requests may be submitted to:

privacy@auditflo.co

We may need to verify identity before fulfilling requests.

---

12. California Privacy Rights

Residents of California may have additional rights under applicable California privacy laws, including rights relating to:

• Access
• Deletion
• Correction
• Information disclosure
• Non-discrimination

AuditFlo does not sell personal information.

---

13. European Economic Area and United Kingdom Rights

Individuals located in the European Economic Area, Switzerland, and the United Kingdom may have additional rights under applicable data protection laws.

Where AuditFlo acts solely as a processor on behalf of a customer, requests regarding customer-controlled data should generally be directed to the relevant customer organization.

---

14. Children's Privacy

AuditFlo is intended for business and professional use.

The Services are not directed toward children under the age of thirteen (13), and AuditFlo does not knowingly collect personal information from children.

If we become aware that such information has been collected, we will take reasonable steps to delete it.

---

15. Third-Party Services

The Services may contain links to or integrations with third-party services.

AuditFlo is not responsible for the privacy practices, content, or security of third-party services.

Users should review the privacy policies of those providers separately.

---

16. Changes to This Privacy Policy

AuditFlo may update this Privacy Policy from time to time.

Material changes will be communicated through the Services, email notifications, or website notices.

Continued use of the Services following the effective date of revised policies constitutes acceptance of those changes.