Privacy Policy

Effective: January 1, 2025
Last updated: January 30, 2026
Questions? privacy@auditrail.eu

1. Introduction

Auditrail ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our compliance tool service ("Service").

2. Information We Collect

### 2.1 Account Information

- Name and email address
- Organization affiliation
- Authentication credentials (managed by WorkOS)
- Profile information you provide

### 2.2 Service Usage Data

- Evidence files you upload (PDFs, DOCX, images, text)
- URL references and text notes
- Control mappings and compliance data
- Export packages you generate
- Usage patterns and feature interactions

### 2.3 Technical Information

- IP address and device information
- Browser type and version
- Operating system
- Log files and error reports
- Cookies and similar tracking technologies

### 2.4 Organization Data

- Organization name and details
- Member lists and roles
- Framework preferences
- Billing and subscription information

3. How We Use Your Information

### 3.1 Service Provision

- To provide and maintain the Service
- To process your requests and transactions
- To manage your account and organization
- To store and organize your compliance evidence
- To generate export packages and reports

### 3.2 Communication

- To send service-related notifications
- To respond to your inquiries and support requests
- To send important updates about the Service
- To provide customer support

### 3.3 Service Improvement

- To analyze usage patterns and improve the Service
- To develop new features and functionality
- To detect and prevent fraud or abuse
- To ensure security and prevent unauthorized access

### 3.4 Legal Compliance

- To comply with legal obligations
- To respond to legal requests
- To protect our rights and property
- To enforce our Terms of Service

4. Data Storage and Security

### 4.1 Data Storage

- Your data is stored in organization-scoped directories
- Evidence files: `organizations/{organization_id}/evidence/`
- Export packages: `organizations/{organization_id}/exports/`
- Database records are filtered by organization_id to ensure tenant isolation

### 4.2 Security Measures

- Multi-tenant isolation with zero cross-tenant data access
- Organization ID derived from authentication context only
- Encrypted data transmission (HTTPS)
- Access controls and authentication via WorkOS
- Regular security assessments

### 4.3 Data Retention

- We retain your data for as long as your account is active
- Deleted data may be retained in backups for up to 90 days
- We may retain certain data longer if required by law

5. Data Sharing and Disclosure

### 5.1 No Sale of Data

We do not sell, rent, or trade your personal information to third parties.

### 5.2 Service Providers

We may share information with service providers who assist us in:

- Hosting and infrastructure services
- Payment processing (Paddle)
- Authentication services (WorkOS)
- Analytics (only if enabled and with consent)

These providers are contractually obligated to protect your information.

### 5.3 Legal Requirements

We may disclose information if required by law, court order, or government request.

### 5.4 Business Transfers

In the event of a merger, acquisition, or sale, your information may be transferred as part of the transaction.

6. Your Rights and Choices

### 6.1 Access and Correction

- You can access and update your account information through the Service
- You can request a copy of your data by contacting support

### 6.2 Data Deletion

- You can delete your account and data through the Service
- You can request deletion of specific data by contacting support
- Some data may be retained as required by law or for legitimate business purposes

### 6.3 Data Export

- You can export your data through the Service's export functionality
- You can request a complete data export by contacting support

### 6.4 Marketing Communications

- You can opt out of marketing emails by using the unsubscribe link
- Service-related communications are essential and cannot be opted out of

7. Cookies and Tracking Technologies

### 7.1 Cookies

- We use cookies to maintain your session and preferences
- Essential cookies are required for the Service to function
- Analytics cookies are only used if you consent (see Cookie Policy)

### 7.2 Cookie Control

- You can manage cookies through your browser settings
- Disabling cookies may affect Service functionality

8. International Data Transfers

- Your data may be processed and stored in data centers outside your country
- We ensure appropriate safeguards are in place for international transfers
- By using the Service, you consent to such transfers

9. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect information from children.

10. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

- Right to know what personal information is collected
- Right to delete personal information
- Right to opt out of sale of personal information (we do not sell data)
- Right to non-discrimination for exercising your rights

11. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), you have additional rights:

- Right of access to your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent

To exercise these rights, contact us at privacy@auditrail.eu.

12. Data Controller

Auditrail is the data controller for personal information processed through the Service.

**Contact Information:**

- Email: privacy@auditrail.eu
- Support: support@auditrail.eu

**Data Processing Agreements:**

- Data Processing Agreements (DPAs) are available for enterprise customers
- Contact privacy@auditrail.eu to request a DPA
- A list of subprocessors is available on request

13. Changes to This Privacy Policy

- We may update this Privacy Policy from time to time
- Material changes will be communicated via email or Service notification
- The "Effective Date" at the top indicates when the policy was last updated
- Continued use of the Service after changes constitutes acceptance

14. Contact Us

For questions about this Privacy Policy or our data practices, contact us at:

- Privacy inquiries: privacy@auditrail.eu
- General support: support@auditrail.eu
- Security concerns: security@auditrail.eu