Privacy Policy
Last updated: March 26, 2026 · Effective: March 26, 2026
1. Who We Are
AuditGen ("AuditGen", "we", "us", or "our") is an AI-powered compliance automation platform that scans software codebases for audit-readiness gaps under regulations such as California SB 942, the EU AI Act, and the Colorado AI Act. Our service is operated by the AuditGen team.
Questions? Email us at brandon@auditgen.tech.
2. What Data We Collect
We collect the following categories of information:
Account & Contact Information
- Email address (required to use the scanning service and receive results)
- Name and company (optional, when provided during outreach or account creation)
Repository & Codebase Data
- GitHub repository URL (public repos only for free scans)
- Code files read during scanning — analyzed in-memory to detect compliance gaps; we do not permanently store your source code
- Scan metadata: repository name, scan timestamp, detected issues, risk scores
Usage & Technical Data
- IP address, browser type, and device information via server logs
- Pages visited and interactions on auditgen.tech
- Anonymous visitor ID stored in localStorage for analytics (no personally identifiable information)
Billing Data
- Payment processing is handled by Stripe. We receive only a customer ID and subscription status — we never store full card numbers, CVV, or bank account details.
3. Codebase Access & Permissions
Free Scan (public repos): We access your repository via the GitHub API using a read-only token. We read only the files needed to evaluate compliance gaps. We do not clone, store, or redistribute your source code.
For paid plans that connect private repositories via GitHub OAuth, we request the minimum necessary read-only scope (repo read access). Your OAuth token is encrypted at rest using AES-256-GCM. You may revoke access at any time from your GitHub Settings → Applications.
Scanned code is processed ephemerally — we do not store raw source files beyond the duration of the analysis. Scan results (issue counts, file paths, gap descriptions) are retained so you can revisit your reports.
4. How We Use Your Data
- To deliver scan results — running the compliance analysis and returning your report
- To communicate with you — sending scan completion emails, product updates, and responses to support requests
- To improve our service — aggregated, anonymized usage patterns help us improve detection accuracy
- To prevent abuse — rate-limiting (1 free scan per day, 3 per email) and fraud prevention
- To fulfill legal obligations — responding to lawful requests from regulators or courts
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
5. Data Sharing
We share data only with trusted sub-processors required to operate the service:
- Anthropic — AI analysis of code (Claude API). Code is processed per Anthropic's API terms; not used to train models.
- GitHub — Repository access via their API
- Stripe — Payment processing
- Render / Neon — Hosting and database infrastructure
- Zoho Mail — Transactional email delivery
All sub-processors are contractually bound to protect your data and use it only for the services they provide to us.
6. Data Retention
- Source code: Not retained beyond the scan session
- Scan results & reports: Retained for 12 months from the scan date, or until you request deletion
- Account data: Retained while your account is active and for 30 days after deletion request
- Email logs: Retained for 90 days for deliverability auditing
7. GDPR & Your Rights (EU/EEA Residents)
If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — request deletion of your data
- Right to restriction — limit how we process your data in certain circumstances
- Right to data portability — receive your data in a machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, withdraw it at any time
Our legal basis for processing is: contract performance (delivering the scan service you requested) and legitimate interests (improving service quality, preventing abuse). For marketing emails, we rely on consent.
To exercise any of these rights, email brandon@auditgen.tech. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.
8. Cookies & Tracking
AuditGen uses minimal tracking:
- localStorage analytics ID — a random UUID stored locally in your browser to count unique visitors. Contains no personal information and is never linked to your email or identity.
- Session cookies — used for authentication when logged into paid plans. Expire at session end or 7 days, whichever is sooner.
We do not use third-party advertising trackers, Facebook Pixel, Google Analytics, or cross-site tracking cookies.
9. Data Security
We implement industry-standard security measures including:
- TLS 1.2+ for all data in transit
- AES-256-GCM encryption for OAuth tokens at rest
- Parameterized database queries to prevent SQL injection
- Access controls limiting data access to authorized personnel only
No method of transmission over the internet is 100% secure. If you discover a vulnerability, please responsibly disclose it to brandon@auditgen.tech.
10. International Transfers
AuditGen is operated from the United States. If you are located in the EU/EEA, your data may be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) as our transfer mechanism where required by GDPR.
11. Children's Privacy
AuditGen is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a minor has submitted data to us, contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated by email to registered users or by a prominent notice on our website at least 14 days before they take effect. The "Last updated" date at the top of this page reflects when changes were made.