Privacy Policy
Last updated: March 2026
IgniteHub, LLC d/b/a SimpleAudit ("SimpleAudit," "we," "us") is the data controller for the personal data described in this policy.
1. Information We Collect
We collect information you provide directly to us, such as when you create an account, use our services, or contact us for support. This includes:
Account Information
- Name and email address
- Company profile details you provide during onboarding, including infrastructure configuration (cloud providers, identity systems, deployment tools), security practices (access controls, incident response, encryption), business continuity parameters (recovery objectives, backup frequency), and organizational structure (team size, work model, contractor usage). This information is used to customize your AI-powered compliance guidance.
- Job title and role
Compliance Data
- Policies, risk assessments, and vendor information you create within the platform
- Evidence files you upload to the Evidence Vault
- AI chat conversations related to compliance guidance
- We maintain detailed audit trails of changes to your compliance data — including who made changes, when, and what was modified — to support your audit readiness.
Access Review Data
- Application inventory records (application names, owners, user counts)
- Access review schedules and completion records
- Privileged access designations
Action Item Data
- Remediation tasks and action plans
- Owner assignments, due dates, and priority levels
- Recurrence schedules and status history
Control & Exception Data
- Control matrix mappings and evidence coverage records
- Control exception records including deviation descriptions and root cause analysis
- Exception approval decisions and audit period associations
Audit Artifact Data
- System descriptions, management assertions, and audit reports
- Versioned changelog entries and approval records
- Audit period definitions and associated documentation
Vendor Assessment Responses
- Third-party vendor responses to security assessment questionnaires
- Assessment template configurations and risk level classifications
- OTP access records for vendor respondents
Company Insights
- Persistent context stored by the AI assistant about your company (such as infrastructure details, team structure, and compliance goals)
- Insight categorizations (infrastructure, security, compliance, people, vendors, applications, policy preferences, business context)
Help Feedback
- Help feedback ratings and optional comments you submit when rating AI responses. A brief excerpt of the AI response may be stored alongside your feedback to improve our service.
Payment Information
- Billing details processed securely by Stripe (via Clerk Billing). We never store credit card numbers on our servers.
Automatically Collected Information
- Browser type, device type, and operating system
- IP address and approximate geographic location
- Pages visited, time spent, and interaction patterns (only with analytics consent)
Information We Collect from Third Parties
Vendor Respondent Data
Our customers may invite vendor respondents to complete security assessment questionnaires on the SimpleAudit platform. When a vendor respondent participates in an assessment, we collect:
- Name and email address (provided by the inviting customer)
- Assessment questionnaire responses
- Access timestamps and session activity
- OTP verification codes (stored as hashed values only)
This data is collected solely for the purpose of completing security assessments on behalf of our customers. Assessment data is retained for the duration of the inviting customer's account.
Vendor respondents may contact us at privacy@simpleaudit.io regarding their data.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our services
- Power AI-assisted compliance guidance customized to your company
- Process transactions and send related information
- Send technical notices, updates, and support messages
- Respond to your comments, questions, and requests
- Monitor and analyze trends, usage, and activities (with consent)
- Measure advertising effectiveness and optimize ad campaigns (with marketing consent)
- Detect, investigate, and prevent security incidents
- Send automated compliance reminders, such as policy review due date notifications and access review schedules, to help you maintain your compliance posture
Compliance data you create within the platform — such as policies, risk assessments, vendor information, and company profile details — may be processed by our AI service to provide personalized compliance guidance. This processing occurs in real-time during your AI chat sessions. Your data is not stored by the AI service beyond the duration of a single request.
We do not use your compliance data (policies, risk assessments, evidence) to train AI models. Your data is used solely to provide you with compliance guidance within your account.
3. Data Retention
We retain your data for the following periods:
- Account data: Retained for the duration of your account plus 30 days after deletion
- Compliance data (policies, risks, vendors): Retained for the duration of your account. Deleted within 30 days of account closure.
- Evidence Vault files: Retained for the duration of your account. Permanently deleted within 30 days of account closure.
- AI chat history: Stored on our servers for up to 1 year to support conversation continuity. You may request deletion of your chat history by contacting privacy@simpleaudit.io. Chat data is permanently deleted within 30 days of account closure.
- Billing records: Retained for 7 years as required by tax law
- Analytics data: Aggregated data retained indefinitely. Individual session data retained for 14 months (Google Analytics default).
- Security logs: Retained for 1 year for incident investigation
- Company insights: Retained for the duration of your account. Deleted within 30 days of account closure.
- AI usage data: Per-request tracking including the feature used, AI model, token consumption, and estimated cost. Used to enforce usage limits and provide usage reporting. Monthly aggregates reset each calendar month. Historical usage records retained for 12 months.
- Webhook event logs: Retained for 90 days for debugging and audit trail.
- Access review records: Retained for the duration of your account. Deleted within 30 days of account closure.
- Action items and tasks: Retained for the duration of your account. Archived items retained for audit trail purposes.
- Control exceptions: Retained for the duration of your account plus any active audit period.
- Audit artifacts: Retained for the duration of your account. Versioned history preserved for audit trail.
When data is marked for deletion, it is removed from active use immediately and permanently purged from our systems within 30 days.
4. Third-Party Sub-Processors
We use the following third-party services to operate SimpleAudit™. Each processes data only as necessary to provide its service:
| Provider | Purpose | Data Processed |
|---|---|---|
| Clerk | Authentication, user management, billing | Name, email, session tokens, payment info |
| Microsoft Azure | Hosting, database, AI processing, file storage | All application data (encrypted at rest and in transit) |
| Stripe | Payment processing (via Clerk Billing) | Billing address, payment method, transaction history |
| Google Analytics | Website analytics (consent required) | Page views, device info, IP address (anonymized) |
| Google Ads | Advertising conversion tracking (marketing consent required) | Conversion events, hashed email (Enhanced Conversions), advertising identifiers |
| Azure Communication Services | Transactional email | Email address, email content |
| Azure AI Foundry | AI-powered compliance guidance | Compliance data context (policies, risks, vendors) for AI processing — not used for model training |
| Azure Monitor (Application Insights) | Server-side telemetry and error monitoring | Performance metrics, error traces, request timing (no personal data) |
Enterprise customers may request a Data Processing Agreement (DPA) by contacting privacy@simpleaudit.io.
5. Data Residency
The Service is available only to users in the United States. Your data is stored in Microsoft Azure US regions (East US and Central US).
Our third-party processors (Clerk, Stripe, Google Analytics) may process limited data in other locations in accordance with their own privacy policies. AI processing through Azure AI Foundry may occur in regions outside the United States.
6. Cookies & Tracking Technologies
We use cookies and similar technologies categorized as follows:
Necessary Cookies (Always Active)
- __clerk_session: Clerk authentication session token
- __client_uat: Clerk client state for seamless authentication
- cookie_consent: Records your cookie consent preference
Analytics Cookies (Consent Required)
- _ga, _ga_*: Google Analytics 4 measurement cookies for page views and feature usage
Marketing Cookies (Consent Required)
- _gcl_au: Google Ads conversion linker cookie for attributing conversions to ad clicks
- _gcl_aw: Stores Google Ads click information (GCLID) when a user arrives via an ad
- _gac_*: Contains campaign information for Google Ads conversion measurement
When you sign up after clicking a Google Ad, we use Google Ads Enhanced Conversions to improve attribution accuracy. This sends a hashed (SHA-256) version of your email address to Google so they can match the conversion across devices. Google handles the hashing automatically and does not receive your plaintext email for advertising purposes.
We also process purchase conversion events server-side using the Google Analytics Measurement Protocol to measure advertising effectiveness. This uses your GA4 client identifier, transaction identifier, subscription tier, billing period, and price.
You can manage your cookie preferences at any time using the Cookie Settings link in our site footer. We implement Google Consent Mode v2, which ensures no tracking occurs on public pages until you provide explicit consent. On authenticated pages (the portal and onboarding), analytics and conversion tracking are enabled under your acceptance of our Terms of Service (section 22). You may withdraw this consent at any time via the Cookie Settings link in our footer.
7. Data Security
We implement industry-standard security measures to protect your data:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for data at rest (Azure managed keys)
- Azure Virtual Network isolation for application services
- Timing-safe secret comparison to prevent side-channel attacks
- Zod schema validation on all API inputs to prevent injection
- Clerk-managed authentication with webhook signature verification
- Regular security reviews and dependency audits
As a SOC 2 compliance product, we hold ourselves to the same standards we help our customers achieve. We regularly review our own security practices against SOC 2 Trust Services Criteria.
8. Your Data Rights
You have the following rights regarding your personal data:
- Right to Access: Request a copy of the personal data we hold about you
- Right to Correction: Request correction of inaccurate or incomplete personal data
- Right to Deletion: Request deletion of your personal data (subject to legal retention requirements)
- Right to Portability: Request your data in a structured, machine-readable format
To exercise any of these rights, contact us at privacy@simpleaudit.io. We will respond within 30 calendar days. We may ask for identity verification before processing your request to protect your data.
9. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
Categories of Personal Information Collected
- Identifiers (name, email, IP address)
- Commercial information (billing history, subscription tier)
- Internet activity (pages visited, feature usage — with consent only)
- Advertising identifiers (Google Ads click IDs, conversion data — with marketing consent only)
- Professional information (job title, company name)
Your CCPA Rights
- Right to Know: You can request what personal information we have collected, the sources, the business purpose, and the categories of third parties we share it with.
- Right to Delete: You can request deletion of your personal information, subject to certain exceptions (legal obligations, security, completing transactions). This includes analytics data collected by Google Analytics — upon request, we will process deletion through Google Analytics' User Deletion API.
- Right to Correct: You can request correction of inaccurate personal information we hold about you.
- Right to Opt-Out: You can opt out of the sale of your personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
We do not sell your personal information. However, when you grant marketing consent, we share limited data (hashed email, conversion events) with Google Ads for advertising measurement. Under the CCPA, this disclosure of personal information to a third party for cross-context behavioral advertising purposes may constitute “sharing” as defined in Cal. Civ. Code § 1798.140(ah). This data is used solely to measure whether our ads led to signups.
Your Right to Opt Out of Sharing: You may opt out of this sharing at any time by adjusting your cookie preferences via the “Cookie Settings” link in our website footer, or by using the cookie consent banner when it appears. When you opt out of marketing cookies, we immediately cease sharing your data with Google Ads.
To exercise any of your CCPA rights, contact us at privacy@simpleaudit.io.
10. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users within 72 hours of becoming aware of the breach. Notification will include the nature of the breach, the data affected, steps we are taking to address it, and recommended actions for you. We will also notify relevant supervisory authorities as required by applicable law.
11. Children's Privacy
SimpleAudit is a business-to-business service designed for use by adults in a professional context. We do not knowingly collect personal information from children under the age of 13. If we become aware that we have collected personal information from a child, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@simpleaudit.io.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we will also notify you via email. Your continued use of SimpleAudit after any changes constitutes acceptance of the updated policy.
13. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact our Privacy Contact:
- Email: privacy@simpleaudit.io
- Subject line: Privacy Inquiry
- Response time: Within 30 calendar days