Does Audulate make me GDPR compliant?

Audulate gives you the tools, evidence, and guidance to achieve and demonstrate GDPR compliance — but compliance itself is your responsibility. We make it dramatically easier by surfacing gaps, automating workflows, and generating audit-ready evidence.

How long does setup take?

Most teams are up and running in under 5 minutes. Add your website URL, invite your team, and optionally connect your GitHub repository — the platform starts scanning immediately. For best results, add page hints under Settings → Websites to tell the scanner exactly where your privacy policy, cookie policy, and DSR pages live. No code changes required.

Do you store my website data?

We store scan results, findings, and evidence records in our EU-hosted database. We do not store full copies of your web pages. Scan data is retained according to your plan's retention window and is deleted when you close your account.

What happens when a regulation changes?

Our Regulation Watcher monitors official sources — EDPB, ICO, FTC, HHS, IAPP, and PCI SSC. When a relevant change occurs, we update our rule engine and notify affected tenants with a plain-language summary and recommended actions. NIST sources will be added when SOC 2 scanning ships.

Can I use this without a dedicated DPO?

Absolutely. Audulate is designed to be usable by developers, product managers, and founders — not just legal experts. The AI layer explains every finding in plain language and provides step-by-step remediation guidance.

Is my data processed in the EU?

Yes. All data is stored and processed in EU-based infrastructure. We do not transfer personal data outside the EU/UK. Our own compliance posture is available on request.

How does GitHub PR scanning work?

You install our GitHub App on your repository. On every pull request, we analyse the diff for GDPR-relevant patterns: PII leaks, insecure logging, hardcoded secrets, and missing consent checks. Findings are posted as PR comments so developers can fix issues before merging.

Do you support mobile apps (iOS / Android)?

Yes, for the parts that matter most today. Your mobile source code (Swift, Kotlin, React Native, Flutter) goes through the same PR scanner as your backend — PII leaks, insecure logging, hardcoded secrets, missing consent gating. Your privacy policy is analysed via the URL on your App Store / Play Store listing (Art. 13/14 completeness, DSR contact, ICO registration). And the GDPR operating system — RoPA, DSRs, vendor DPAs, breach response, cookies & consent — is framework-agnostic, so it works the same whether you ship a website or an app. What is not yet supported: static analysis of the compiled .apk / .ipa, and scraping of App Store Data Safety / Privacy Nutrition Labels — both on our roadmap. Tell us if you need them and we will prioritise.

How often does the scanner run?

Free plans run manual scans only — you trigger them yourself. Growth plans include weekly automatic scans (every Monday at 09:00 UTC). Enterprise plans scan daily. You can always trigger a manual scan on any plan. Scan history and findings are retained for 30 days (Free), 60 days (Growth), or 2 years (Enterprise).

What support is included?

Free plans get community support via our documentation and GitHub Discussions. Growth plans include email support with a 24-hour SLA. Enterprise plans get a dedicated Customer Success Manager and a contractual SLA.

Privacy Policy | Audulate

Jump to section

1. Data controller 2. Data we collect 3. How we use your data 4. Legal bases 5. Data sharing 6. Retention periods 7. International transfers 8. Your rights 9. Cookies & tracking 10. Security 11. Children 12. Policy changes 13. Contact & complaints

1. Data controller

Audulate Ltd (“Audulate”, “we”, “us”, “our”) is the data controller for personal data processed through this website (audulate.com) and the Audulate platform (app.audulate.com).

Audulate Ltd is incorporated in England and Wales (Company No. 14XXXXXX). Our registered office is at 12 Finsbury Square, London, EC2A 1AR, United Kingdom.

When you use Audulate to scan your websites and process your compliance data, Audulate acts as a data processor on your behalf and you are the controller. That relationship is governed by our Data Processing Agreement (DPA), available on request.

2. Data we collect

2.1 Data you provide directly

Account data — full name, work email address, company name, and job title. Passwords are handled by our authentication provider (Supabase Auth) and stored as bcrypt hashes; we never see or store plaintext passwords.
Profile data — optional profile picture, timezone, and communication preferences.
Billing data — billing name, company, and address. Payment card details are processed and stored by Stripe; we never see or store raw card numbers or CVVs.
Communications — messages sent via our contact form, support tickets, and any feedback you submit. If you subscribe to our newsletter, we store your email address for that purpose.
Compliance workspace data — URLs you add for scanning, GitHub repository connections, GDPR module data (RoPA entries, DSR records, DPIA assessments, vendor details, breach records), and any notes or evidence you upload.
Infrastructure connections — when you connect a cloud account (AWS, Google Cloud, or Azure) for infrastructure scanning, you provide access credentials. These are encrypted before storage (see Security measures) — we retain only a short key hint (the last few characters of the access key ID) in readable form, alongside the provider and default scan region.
Site ownership attestation — to scan a website you confirm you own it or are authorised to scan it. We record that confirmation (the acting user, timestamp and IP address) and a verification token, and we perform DNS/HTTP look-ups against the domain you ask us to verify. This is kept as audit evidence of authorisation and is not used for any other purpose.

2.2 Data we collect automatically

Log data — IP address, browser type and version, operating system, referring URL, pages visited, time and duration of visits.
Usage analytics — features used, scans triggered, reports generated, and other product interaction events. Captured via our own server-side logs only — no cookies, no cross-site tracking, no third-party analytics services.
Device data — screen resolution and language settings used to optimise the interface.
Audit logs — a record of all actions taken in your account (who did what, when) for security and compliance purposes.

2.3 Data from third-party integrations

GitHub — when you install the Audulate GitHub App, we receive repository metadata, pull request diffs, and file contents for the purposes of compliance scanning. We do not store full repository contents; brief code snippets may appear in finding evidence to illustrate the issue.
Stripe — we receive subscription status, plan type, and payment event webhooks. No raw payment data is stored on our infrastructure.
Cloud infrastructure (AWS, Google Cloud, Azure) — when you connect a cloud provider, we use your stored credentials to read infrastructure configuration and security settings (for example storage, network, IAM, encryption and logging configuration) in order to run the compliance checks you trigger. We store the resulting findings, scores and evidence; we do not copy or store the contents of your data stores, databases, or workloads.

3. How we use your data

Purpose	Data used	Legal basis
Provide and operate the platform	Account, workspace, integration data	Contract (Art. 6(1)(b))
Process payments and manage subscriptions	Billing data, Stripe webhooks	Contract (Art. 6(1)(b))
Send transactional emails (receipts, alerts, DSR notifications)	Email address	Contract (Art. 6(1)(b))
Run AI-powered compliance summaries and remediation guidance	Scan results, findings (anonymised where possible)	Contract (Art. 6(1)(b))
Improve the product and fix bugs	Usage analytics, error logs	Legitimate interests (Art. 6(1)(f))
Detect and prevent fraud, abuse, and security incidents	Log data, audit logs, IP addresses	Legitimate interests (Art. 6(1)(f))
Comply with legal obligations (VAT, accounting records)	Billing data	Legal obligation (Art. 6(1)(c))
Send marketing emails and product updates	Email address	Consent (Art. 6(1)(a)) — withdraw at any time
Respond to support requests	Communications data	Legitimate interests (Art. 6(1)(f))

4. Legal bases for processing

Under UK GDPR and EU GDPR (Article 6), we rely on the following legal bases:

Contract performance (Art. 6(1)(b)) — processing necessary to provide the service you have signed up for, including account management, scanning, and billing.
Legitimate interests (Art. 6(1)(f)) — processing for purposes such as fraud prevention, security monitoring, product analytics, and improving service quality. We have conducted legitimate interests assessments (LIAs) and determined our interests are not overridden by your rights in these contexts.
Legal obligation (Art. 6(1)(c)) — where processing is required to comply with applicable law (e.g., retaining financial records for HMRC purposes).
Consent (Art. 6(1)(a)) — for optional activities such as marketing communications. You may withdraw consent at any time by clicking “Unsubscribe” in any marketing email or by emailing privacy@audulate.com.

5. Data sharing and sub-processors

We do not sell, rent, or trade your personal data. We share data only with the sub-processors listed below, all of whom are bound by GDPR-compliant data processing agreements:

Sub-processor	Purpose	Location
Stripe	Payment processing and subscription management	USA (EU SCCs in place)
Supabase	Authentication, primary database, and storage — account, workspace, and compliance data	EU (Frankfurt)
Upstash / Redis	Job queue and caching	EU
OpenAI	AI-powered compliance checks (privacy-policy completeness, cookie-banner quality)	USA (EU SCCs in place)
Anthropic (Claude AI)	AI-powered compliance summaries and remediation guidance	USA (EU SCCs in place)
Vercel	Hosting for the web application and static landing site	EU edge nodes
Railway / Render	Worker service hosting for background job processing	EU
Resend	Transactional email delivery	EU
GitHub (Microsoft)	Source code repository; PR scanning integration	USA (EU SCCs in place)

We may also disclose personal data to law enforcement or regulatory bodies where required by applicable law, or to protect the safety, rights, or property of Audulate, our users, or the public.

6. Data retention periods

Data category	Retention period	Reason
Account data	Duration of account + 3 years after closure	Legal disputes, audit
Scan results & findings	Per plan retention window (90 days – 3 years)	Service provision
Evidence files (PDFs, screenshots)	Per plan retention window	Service provision
Infrastructure connection credentials	Until you disconnect the integration or delete the account	Service provision
Billing records	7 years from transaction	HMRC / VAT obligations
Audit logs	2 years	Security & fraud detection
Support communications	3 years from last interaction	Service quality
Marketing consent records	Until consent is withdrawn + 1 year	Compliance with consent obligations
Server access logs	90 days	Security monitoring

6.1 Account deletion & the 30-day grace period

The account owner can request deletion of the workspace and all of its data at any time from Settings → Danger zone (a typed confirmation is required). When a deletion request is submitted:

The requesting account is immediately signed out of every device and session, and a confirmation email stating the exact deletion date is sent to the workspace owner and administrators.
A 30-day grace period begins. The data is retained but the account is pending erasure. We send a reminder email before the grace period ends.
Signing in again at any point during the 30 days automatically cancels the deletion and retains all data — no further action is needed, and a cancellation confirmation email is sent. This is intentionally fail-safe: any sign of account activity stops the erasure.
If no one signs in for the full 30 days, the workspace and all associated personal data (scans, findings, reports, data-subject requests, cookies, data inventory, integrations and audit logs) are permanently and irreversibly erased, and member identities that belong to no other workspace are deleted from our authentication provider. Erased data cannot be recovered.

After erasure, only records we are legally required to keep (e.g. billing/VAT records, and audit evidence of the deletion itself) are retained for the periods stated in the table above; these contain the minimum data necessary and are not used for any other purpose.

7. International data transfers

The majority of your data is stored and processed within the EU/EEA. Where sub-processors are based outside the EU (notably Stripe, OpenAI, Anthropic, and GitHub, which are based in the USA), transfers are protected by:

Standard Contractual Clauses (SCCs) — approved by the European Commission under Article 46(2)(c) GDPR.
UK International Data Transfer Agreements (IDTAs) — for transfers subject to UK GDPR.

We do not transfer data to countries without an adequacy decision or appropriate safeguards in place. Copies of our transfer impact assessments are available to Enterprise customers on request.

8. Your rights under GDPR

Under UK GDPR and EU GDPR (Articles 15–22), you have the following rights:

Right of access (Art. 15) — request a copy of the personal data we hold about you and information about how we use it.
Right to rectification (Art. 16) — request correction of inaccurate or incomplete personal data.
Right to erasure (Art. 17) — request deletion of your personal data where there is no legitimate reason for us to continue processing it.
Right to restrict processing (Art. 18) — request that we limit processing while a dispute about accuracy or lawfulness is resolved.
Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (JSON) to transfer to another provider.
Right to object (Art. 21) — object to processing based on legitimate interests or for direct marketing (which will always be honoured immediately).
Rights related to automated decision-making (Art. 22) — Audulate does not make decisions that produce significant legal effects using fully automated processing.

To exercise any right, email privacy@audulate.com or use the data export and account deletion options in your account settings. We will respond within 30 days. Where a request is complex or numerous, we may extend this by a further two months with notice.

We will not charge a fee for reasonable requests. If requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse.

9. Cookies and tracking technologies

9.1 Landing site (audulate.com)

Our landing website uses no third-party tracking cookies and runs no third-party analytics, advertising, or fingerprinting scripts. We store a single theme preference in localStorage (not transmitted to our servers).

9.2 Application (app.audulate.com)

We use the following essential cookies in the application:

Cookie	Purpose	Duration
sb-access-token	Supabase authentication session	Session
sb-refresh-token	Supabase session refresh	7 days

These cookies are strictly necessary for the service to function and do not require consent under PECR.

10. Security measures

We implement the following technical and organisational measures to protect your data:

Encryption in transit — all data transferred over TLS 1.2 or higher (HTTPS enforced everywhere).
Encryption at rest — database volumes encrypted using AES-256.
Connected-credential storage — credentials for connected cloud accounts (AWS, Google Cloud, Azure) are additionally encrypted at the application layer with AES-256-GCM before being written to the database. Only a short, non-sensitive key hint is stored in readable form, and the credentials are used solely to run the scans you initiate.
Password storage — passwords are handled by our authentication provider (Supabase Auth), which stores them as bcrypt hashes; plaintext passwords are never seen or stored by Audulate.
Multi-tenant isolation — strict row-level security (RLS) policies in PostgreSQL ensure one tenant can never access another's data.
Access controls — internal access to production systems is restricted by role and logged in our audit system.
Penetration testing — we commission independent third-party penetration tests on an annual cadence and remediate findings within agreed SLAs.
Vulnerability management — we monitor dependency vulnerability advisories from our package registries and prioritise critical security updates.
Incident response — we maintain a documented incident response plan. Breaches affecting your rights will be notified to you and the relevant supervisory authority within 72 hours (Art. 33/34 GDPR).

Despite these measures, no system is 100% secure. If you discover a security vulnerability, please report it responsibly to security@audulate.com.

11. Children's privacy

Audulate is a business-to-business service intended for organisations and their employees. We do not knowingly collect personal data from individuals under the age of 16. If you believe a child has provided us with personal data, please contact us immediately at privacy@audulate.com and we will delete it promptly.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Update the “Last updated” date at the top of this page.
Display an in-app banner notifying you of the change.
For significant changes affecting your rights, send an email notification at least 30 days before the change takes effect.

Your continued use of Audulate after a policy update constitutes acceptance of the revised policy.

13. Contact & supervisory authority

For any privacy-related questions, requests, or complaints:

Data Protection Officer

Audulate Ltd, 12 Finsbury Square, London, EC2A 1AR

dpo@audulate.com

You also have the right to lodge a complaint with a supervisory authority. In the UK: the Information Commissioner's Office (ICO). In the EU: the supervisory authority in your country of residence or the Irish Data Protection Commission (DPC) if your complaint relates to a cross-border processing activity.

We would always prefer the opportunity to address your concern directly before you approach a supervisory authority, but you are entitled to contact the authority at any time.