Privacy Policy
DRAFT — requires review by a qualified UK solicitor / data-protection adviser before publication. Effective date: {{EFFECTIVE_DATE}}.
This policy explains how {{LEGAL_ENTITY}} ("Artful Audit", "we") collects, uses, and protects personal data when you use the Artful Audit service. We are the data controller for the personal data described here. ICO registration: {{ICO_REG}}.
Contact for privacy matters: privacy@artfulaudit.com.
1. What we collect
- Account data: name, email address, password (stored hashed by our authentication provider).
- Uploaded documents: the documents you submit for audit. These may themselves contain personal data about you or third parties, and occasionally special-category data (for example, in medical, legal, or policy drafts).
- Audit data: the reports we generate, and basic metadata (document type, length, tier, status, timestamps).
- Payment data: handled by Stripe. We receive confirmation of payment and limited billing metadata; we do not store full card numbers.
- Usage data: basic analytics events needed to operate and improve the service.
2. Why we use it, and our lawful basis
- To provide the audit you purchased — performance of a contract.
- To manage your account and deliver reports — performance of a contract.
- To take payment — performance of a contract / legal obligation (accounting).
- To secure the service and prevent misuse, and for basic analytics — legitimate interests.
- Any non-essential analytics or marketing — consent, which you can withdraw.
We do not use your uploaded documents to train AI models, and our AI provider is contractually prohibited from doing so.
3. Who processes your data (sub-processors)
We use carefully selected third parties to run the service. The current list, with their roles and the safeguards for any transfers outside the UK/EU, is published at sub-processors.md. In summary they cover hosting and storage, the AI analysis engine, authentication, payments, the database, and transactional email.
4. International transfers
Some sub-processors process data outside the UK and EU (for example, in the United States). Where they do, the transfer is protected by appropriate safeguards: Standard Contractual Clauses, the UK International Data Transfer Addendum, or an applicable adequacy decision, together with a signed data processing agreement. We pin data residency to UK/EU regions where the provider offers it.
5. Retention and deletion
We keep uploaded documents and generated reports for {{RETENTION_PERIOD}}, after which they are deleted automatically. Account and billing records are kept as long as required for the service and for legal/accounting obligations. You can request deletion of a document or report at any time from your account; we delete the stored file and any derived copies.
6. Your rights
Under UK GDPR you have the right to access, rectify, erase, restrict, or object to the processing of your personal data, and the right to data portability. To exercise any of these, contact privacy@artfulaudit.com. You can also complain to the Information Commissioner's Office (ICO) at ico.org.uk, though we ask that you contact us first so we can help.
7. Special-category data in your documents
Your documents may contain sensitive information. You are responsible for ensuring you have the right to upload them. We handle every document the same way regardless of content: private, access-controlled storage, automated processing only, no model training, and deletion on the schedule above.
8. Security
We use encryption in transit and at rest, access controls, two-factor authentication on production systems, and data minimisation. No system is perfectly secure, but we take appropriate technical and organisational measures to protect your data, and we will notify affected users and the ICO of a qualifying personal-data breach within the time limits the law requires (within 72 hours of becoming aware, where applicable).
9. Cookies
We use only the cookies needed to run the service (for example, to keep you signed in) and, with your consent, basic analytics. We do not use advertising cookies.
10. Changes
We may update this policy. Material changes will be notified through the service or by email, and the effective date above will change.