Privacy Policy

How Auditrax collects, uses, stores and shares personal data — and the rights you have over it. Aligned to the GDPR, the UK GDPR, the Kenya Data Protection Act 2019 and equivalent African data-protection regimes.

Last updated: 2026-06-01 · Version 4.2 · Replaces all prior versions.

1. Scope & controller

This Privacy Policy applies to personal data collected by Auditrax Ltd. (registered in Kenya as the "data controller" for personal data we process on our own behalf — for example, prospect, customer-contact and employee data). When we process personal data inside a customer's Auditrax tenant on their behalf, we act as a data processor and the customer is the controller. That relationship is governed by the Data Processing Addendum (DPA).

2. Personal data we collect

2.1 Data you provide directly

Account-creation data (name, work email, job title, organisation, phone number), billing and procurement contact details, support-ticket content, evidence files you upload, configuration choices you make in product settings, and any data you submit through forms on our website.

2.2 Data we collect automatically

Product telemetry (feature usage, error logs, session metadata), security telemetry (IP address, user-agent, authentication events), and analytics from our public website (page views, referrer, anonymised location at country level).

2.3 Data from third parties

Identity-provider attributes when you sign in via SSO (name, email, groups), enrichment data from publicly available business directories, and reference data from our sub-processors as listed in Section 6.

3. Lawful bases for processing

We rely on one or more of the following lawful bases for each processing activity: contractual necessity (to deliver the platform under our subscription agreement), legitimate interest (to secure our service, prevent fraud and improve product quality), legal obligation (to retain financial records, respond to lawful regulator requests, and meet AML and tax-reporting duties), and consent (for optional marketing emails, optional analytics, and where local law specifically requires it).

4. How we use personal data

  • To provide, secure and operate the Auditrax platform and your tenant.
  • To authenticate users, manage access, and detect or prevent unauthorised activity.
  • To respond to support tickets and customer-success requests.
  • To send transactional product notifications (invoices, security alerts, status updates).
  • To send marketing communications where you have opted in — with one-click unsubscribe in every email.
  • To produce aggregated, anonymised usage statistics that inform product decisions.
  • To comply with statutory record-keeping and to defend against legal claims.

5. Data residency

Customer tenant data is hosted in the cloud region you select at provisioning — currently EU (Frankfurt or Dublin), United States (Ohio), or Africa (Cape Town). We never move customer tenant data across regions without written instruction from the controller. Operational metadata (billing records, support tickets, employee data) is processed in the EU and Kenya.

6. Sub-processors

We use a vetted set of sub-processors to operate the platform. Each is bound by GDPR-aligned data-processing terms equivalent to our own DPA. The current list:

Sub-processor | Purpose | Region
Amazon Web Services | Cloud infrastructure (compute, storage, networking) | Customer-selected
Stripe | Card and direct-debit payment processing | EU / US
Brevo | Transactional and marketing email delivery | EU
OpenAI | LLM inference for AI Insights (zero-retention API) | US (data not used for training)
Cloudflare | CDN, DNS, edge security | Global edge
Datadog | Operational telemetry and observability | EU

Customers receive 30 days' advance notice of any new sub-processor and may object on reasonable grounds.

7. International transfers

Where personal data is transferred outside the European Economic Area or the United Kingdom, we rely on the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, supplemented by transfer impact assessments and the technical and organisational measures described in our DPA. Where local law requires additional safeguards (for example, Schrems II supplementary measures), those are documented in the per-customer transfer assessment.

8. Data retention

Category | Retention
Customer tenant data | For the term of the subscription + 30 days, then deleted unless extended in writing.
Audit-trail logs (security) | Minimum 7 years (regulator expectation for regulated tenants).
Billing & invoice records | 7 years (tax law).
Support tickets | 3 years after closure.
Marketing contacts | Until you unsubscribe, or 24 months of inactivity, whichever is earlier.
Website analytics | 14 months, aggregated thereafter.

9. Your rights

Subject to applicable law, you have the right to access, rectify, delete, port and restrict processing of your personal data, and to object to processing based on legitimate interest. You also have the right to lodge a complaint with your supervisory authority (for example, the Office of the Data Protection Commissioner in Kenya, or your EU national DPA). Submit rights requests to privacy@auditrax.io. We respond within 30 days (extendable to 60 days for complex requests, with notice).

10. Cookie policy

Our website uses a minimal set of cookies. Strictly necessary cookies (session, CSRF, SSO state) are set without consent because the site does not work without them. Functional cookies (theme preference, language) are set on first interaction. Analytics cookies are set only after explicit consent via our cookie banner and are revocable at any time from the "Cookie preferences" link in the footer. We do not use third-party advertising cookies.

11. Security

We apply defence-in-depth controls, including TLS 1.3 in transit, AES-256 at rest with envelope encryption, HSM-backed key management, zero-trust access architecture, SSO with WebAuthn / FIDO2, role-based and attribute-based access control, continuous vulnerability scanning, 24/7 SOC monitoring, and SOC 2 Type II and ISO 27001 certified controls. Full detail is on our Security page.

12. Children

Auditrax is a B2B platform sold only to enterprise customers. It is not directed to children under 16, and we do not knowingly collect personal data from anyone under 16.

13. Changes to this policy

We will post material changes to this Privacy Policy on this page and, for current customers, notify the named contact on the subscription agreement at least 30 days before changes take effect. The version number and last-updated date at the top of this page always reflect the live version.

14. Contact

Data Protection Officer: dpo@auditrax.io. General privacy enquiries: privacy@auditrax.io. Postal: Auditrax Ltd., Westlands, Nairobi, Kenya.

Questions?

For any privacy or data-protection question not answered above, write to privacy@auditrax.io — we respond within five business days.