Privacy Policy

Last updated: 2026-06-05

What Auditley is

Auditley is a compliance preparation platform that helps early-stage companies prepare for SOC 2 audits. This Privacy Policy explains what data we collect, how we store and use it, and your rights as a customer.

What we collect

  • Account information: your name, email address, and company name provided at signup.
  • Workspace content: evidence files you upload, notes you write, AI chat transcripts, and policy drafts. This is the data you are explicitly asking the platform to store on your behalf.
  • Billing information: Stripe handles all payment details. We never see or store your card number. We store your Stripe customer ID and subscription ID so we can match billing events to your workspace.
  • Operational logs: server logs including IP address, timestamp, and route, used for security monitoring and debugging. Retained for 30 days.

How we store it

All workspace data is stored in a Supabase Postgres database with row-level security policies that scope every read and write to your workspace. Even our own staff queries go through these policies.

Evidence files are stored in a private Supabase Storage bucket. The only way to access them is via short-lived signed URLs generated for authenticated members of your workspace.

Backups are taken nightly, encrypted at rest, and retained for 14 days.

Workspace data is retained for the duration of your active subscription and deleted within 30 days of cancellation.

What we never do

  • We never train AI on your data. Your policy drafts, evidence files, chat transcripts, and notes are sent to the Anthropic API only to generate the response you requested. They are excluded from any training corpus under Anthropic's enterprise terms.
  • We never sell your data, share it with advertisers, or provide it to third parties beyond the operational subprocessors listed below.

Subprocessors

Service     Purpose
Supabase    Database, storage, and authentication
Stripe      Payment processing
Anthropic   AI model inference
Resend      Transactional and magic-link email
Vercel      Platform hosting

Cookies

We use essential cookies only, for authentication and session management. We do not use advertising, analytics, or tracking cookies.

Your rights

  • Export: request a full export of your workspace data at any time by emailing hello@auditley.com. We will provide it as JSON within 7 days.
  • Deletion: your workspace data is deleted within 30 days of cancellation. Request immediate deletion by emailing hello@auditley.com.
  • Access: your dashboard is the canonical view of everything we hold about your workspace. You can see all stored data by logging in at any time.

Changes to this policy

If we make material changes to this Privacy Policy, we will notify you by email at least 30 days before the changes take effect. Continued use of the platform after that date constitutes acceptance of the updated policy.

Governing law

This Privacy Policy is governed by the laws of the Province of British Columbia, Canada.

Contact

For any privacy question or data request, email hello@auditley.com.