Privacy Policy

Effective May 6, 2026

This Privacy Policy explains what AuditAE collects, how we use it, who we share it with, and the choices you have. AuditAE is operated by AuditAE LLC. If you have questions about anything below, email support@auditae.app.

1. Information we collect

Account information. When you sign up we collect your email and name through Clerk, our authentication provider. If you join or create an organization, we store the organization’s identifier and display name. Clerk handles password storage and session security on our behalf.

Billing information. We do not store credit card numbers. Stripe processes all payments; we retain only your Stripe customer ID and a record of completed top-ups (amount, date, currency).

Audit data. When you run an audit we store the brand name, domain, and prompts you submit, plus the results we get back from the answer engines and basic metadata (timing, cost, which engine returned which result).

Anonymous abuse controls. When you use the free preview on the homepage without signing in, we briefly record your IP address to enforce rate limits (1 free preview per IP per 24 hours). This row is automatically deleted after 24 hours.

Operational data. We log API requests, errors, and webhook events for debugging and reliability.

2. How we use information

  • To run the audits you request and return results to you.
  • To bill you for credits used and provide invoices via Stripe.
  • To prevent abuse of the free homepage preview.
  • To debug and improve the service.
  • To communicate with you about your account or billing (transactional only).

We do not sell your data, share it with advertisers, or use it to train AI models.

3. Data sent to third parties

To run audits, we forward the prompt you submit (along with our own provider API keys) to:

  • OpenAI (ChatGPT)
  • Anthropic (post-processing extraction)
  • Perplexity AI (Sonar)
  • Google (Gemini)
  • SerpAPI (proxy for Google AI Overviews)

These providers receive only the prompt text required to fulfill your request. Their privacy policies govern how they handle queries we send. We also rely on Clerk (authentication), Supabase (database), Stripe (payments), and Vercel (hosting) as infrastructure providers.

4. Google user data

When you connect a Google account to AuditAE we request four scopes. Each is used only for the feature listed.

  • Google Analytics (read-only), scope analytics.readonly. We list your GA4 properties so you can pick one per site, then read traffic metrics (sessions, top landing pages) for the property you select. We never write to or delete GA data.
  • Search Console (read-only), scope webmasters.readonly. We list your verified sites so you can pick one per site, then read query, page, and click data for the site you select. We never write to or delete GSC data.
  • Gmail (send-only), scope gmail.send. We send messages on your behalf only when you explicitly trigger a send action in AuditAE. We cannot read, list, delete, or modify existing mail, drafts, labels, or settings.
  • Drive (file-scoped), scope drive.file. We can only create and edit files that AuditAE itself created (for example, exported reports). We cannot list, read, or modify any other files in your Drive.

Storage. Your Google OAuth refresh token is stored server-side in our Supabase Postgres database, scoped to a single AuditAE organization. The token is never sent to a browser. You can revoke access at any time from /dashboard/integrations (which deletes our copy of the token) or from your Google Account third-party access page.

Limited Use compliance. AuditAE’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We do not transfer Google user data to third parties except as needed to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale.
  • We do not use Google user data to serve advertisements.
  • We do not allow humans to read Google user data except with the user’s explicit agreement, for security purposes, to comply with law, or for debugging where the data has been aggregated and anonymized.
  • We do not use Google user data to develop, improve, or train generalized or non-personalized AI/ML models.

5. Data retention

Account, organization, and audit history are retained for the life of your account. Raw provider responses are kept for 30 days for debugging and then nulled out. Free-preview rows are deleted after 24 hours.

You can request deletion of your account and all associated data at any time by emailing us. We will process the deletion within 30 days.

6. Your rights

Depending on where you live (EEA/UK GDPR, California CCPA, and others) you may have rights to access, export, correct, or delete your personal data, and to object to certain processing. To exercise any of these rights, email support@auditae.app. We will not discriminate against you for exercising your rights.

7. Cookies

We use essential cookies via Clerk to keep you signed in. We do not use marketing or analytics cookies.

8. Security

We use TLS in transit, role-scoped database access, and short-lived API keys. No system is fully secure; if we learn of a breach affecting your data we will notify you.

9. Children

AuditAE is not directed to children under 13 and we do not knowingly collect data from children.

10. Changes

If we change this policy materially we will update the effective date above and notify signed-in users via email.

11. Contact

Questions or requests about this policy: support@auditae.app