Privacy Policy

We take your privacy seriously. This policy explains what data we collect, why we collect it, and how we protect it.

Last updated: March 10, 2026

Overview

AuditPath ("we", "our", "us") operates the compliance management platform available at auditpath.io. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our service.

By using AuditPath, you agree to the collection and use of information in accordance with this policy. We comply with the General Data Protection Regulation (GDPR), India's Digital Personal Data Protection Act (DPDP Act, 2023), and other applicable data protection laws.

Data We Collect

Account & Profile Data

  • Name and email address when you register
  • Organisation name and billing information
  • Profile settings and preferences
  • Role and permissions within your organisation

Usage & Activity Data

  • Pages visited, features used, and actions taken within the platform
  • IP address, browser type, device information, and operating system
  • Session duration and interaction patterns
  • Error logs and performance data

Compliance & Evidence Data

  • Documents, policies, and evidence files you upload
  • AWS configuration data collected via your connected IAM role
  • Control statuses, notes, and audit trail entries
  • Auditor portal access logs

How We Use Data

We use the data we collect to:

  • Provide, operate, and improve the AuditPath platform
  • Process your compliance evidence and generate audit-ready reports
  • Send transactional emails (email verification, password reset, team invites)
  • Respond to support requests and resolve technical issues
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations and enforce our Terms of Service
  • Analyse aggregate usage patterns to improve the product (never individual profiling)

We do not sell your personal data to third parties. We do not use your data for advertising or marketing purposes without your explicit consent.

Data Sharing

We share data only in the following circumstances:

Service Providers

  • Amazon Web Services (AWS) — cloud infrastructure, storage, and email delivery
  • Vercel — frontend hosting, edge delivery, and cookie-free analytics
  • PostHog — product analytics and session replay (EU/US cloud; no data sold to third parties)
  • These providers process data only on our instructions and under strict data processing agreements

A Data Processing Agreement (DPA) is available on request. Contact legal@auditpath.io to request a copy.

Within Your Organisation

  • Data you upload is accessible to members of your organisation based on their assigned role
  • Auditor portal links give read-only access to the specific auditor you invite

Legal Requirements

We may disclose your information if required to do so by law or in response to a valid request from a public authority.

Data Retention

We retain your data for as long as your account is active. When you delete your account:

  • Account and profile data is deleted within 30 days
  • Evidence files are removed from storage within 30 days
  • Audit log entries are retained for 90 days for security purposes, then permanently deleted
  • Backups are purged within 90 days of account deletion

You may request deletion of your data at any time by contacting us at privacy@auditpath.io.

Your Rights

Under applicable data protection laws, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure — request deletion of your personal data ("right to be forgotten")
  • Portability — receive your data in a structured, machine-readable format
  • Restriction — limit how we process your data in certain circumstances
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at privacy@auditpath.io. We will respond within 30 days.

Cookies

AuditPath uses minimal cookies. We use a sessionActive cookie to maintain your authenticated session. This is a strictly necessary cookie — the platform cannot function without it.

We do not use Google Analytics or advertising cookies. We use Vercel Analytics (cookie-free, privacy-first page-view analytics) and PostHog (product analytics and session replay) to understand how customers use the product. PostHog is configured to mask all form inputs. No personal data is sold to third parties. You can opt out of PostHog session replay by contacting us at privacy@auditpath.io.

Security

We implement industry-standard security measures to protect your data, including TLS encryption in transit, AES-256 encryption at rest, row-level database isolation per organisation, and regular security reviews. For full details, see our Security page.

International Transfers

AuditPath operates primarily on AWS infrastructure in the Asia Pacific (Mumbai) region (ap-south-1), keeping your data within India where possible. If data is transferred outside India or the EEA, we ensure adequate protections are in place in accordance with applicable law.

Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us:

  • Email: privacy@auditpath.io
  • Support: support@auditpath.io
  • Website: auditpath.io

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.