Privacy Policy

1. Information We Collect

1.1 Account and Project Data

• Project Identifiers: Each project is assigned a unique UUID. This identifier is used to associate API keys and log entries with your project.
• API Keys: When you generate an API key, we store a SHA-256 hash of the key along with a short prefix (first 8 characters) for identification purposes. We do not store your full API key after initial generation.

1.2 Log Entry Data

When you submit log entries through our API, we store the data you provide, which may include:

• Agent name
• Action type
• Actor identifier
• Arbitrary payload object (contents determined entirely by you)
• A SHA-256 cryptographic hash of the log entry for tamper-proof verification
• Timestamp of submission

You control what data enters your log payloads. We do not require or request that you include personally identifiable information (PII) in log entries. If you choose to include PII in your payloads, you are responsible for ensuring you have the appropriate legal basis to do so.

1.3 Usage Data

We collect aggregate usage counts (number of API calls, log entries created) to enforce plan limits and for billing purposes.

1.4 Billing Information

Payments are processed by Stripe, Inc. When you subscribe to a paid plan, Stripe collects and processes your payment information directly. We never receive, store, or have access to your full credit card numbers. We receive from Stripe only the information necessary to manage your subscription: a customer identifier, subscription status, plan type, and billing email.

1.5 Cookies

Our website uses session cookies strictly necessary for the functioning of the site. We do not use tracking cookies, analytics cookies, or any third-party advertising cookies.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Service Delivery: Storing, hashing, and serving your audit log entries through the API.
• Billing: Processing subscriptions and managing plan limits.
• Abuse Prevention: Monitoring usage patterns to prevent abuse, enforce rate limits, and maintain service integrity.
• Service Improvement: Understanding aggregate usage patterns to improve the reliability and performance of Auditbase.

We do not sell, rent, or trade your data to third parties for marketing or advertising purposes.

3. Data Retention

Log entry data is retained according to your subscription plan:

Upon expiration of the applicable retention period, log entries are automatically and permanently deleted from our systems. Project metadata (project UUID, usage counts) is retained for the duration of your account and deleted upon account termination.

4. Third-Party Service Providers

We use the following third-party services to operate Auditbase:

These providers process data on our behalf and are contractually obligated to protect your information in accordance with applicable data protection laws.

5. Your Rights

5.1 Right to Access

You may access your log data at any time through the API using GET /v1/logs with your API key. This provides real-time, programmatic access to all log entries within your retention window.

5.2 Right to Erasure

You may delete all data associated with a project by calling DELETE /v1/project/{project_id}. This permanently removes all log entries, project metadata, and associated API key hashes for that project.

5.3 Right to Data Portability

You may export your log data at any time using the API. All data is returned in structured JSON format, which can be readily transferred to another service.

5.4 Right to Restrict Processing

If you wish to restrict the processing of your data, you may stop sending log entries or delete your project. We process data only as necessary to provide the service.

6. GDPR Compliance

For users in the European Economic Area (EEA), United Kingdom, or Switzerland:

• Lawful Basis: We process personal data on the basis of contract performance (Article 6(1)(b) GDPR) — processing is necessary to provide the Auditbase service you have requested.
• Data Location: Depending on your configuration, data may be processed in the EU (Supabase EU region) or the United States. Where data is transferred outside the EEA, appropriate safeguards are in place, including EU Standard Contractual Clauses.
• Data Processing Agreement: A Data Processing Agreement (DPA) is available upon request for customers who require one. See our DPA page or contact us at legal@auditbase.dev.
• Data Protection Officer: For GDPR-related inquiries, contact legal@auditbase.dev.

7. Data Security

We implement industry-standard security measures to protect your data:

• TLS 1.2 or higher for all data in transit
• AES-256 encryption for data at rest
• API keys stored as SHA-256 hashes (full keys are never stored)
• Access controls and logging on all internal systems

8. Children's Privacy

Auditbase is a developer tool and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated with at least 30 days' notice via email or a notice on our website. Your continued use of the service after the effective date of changes constitutes acceptance of the updated policy.

10. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

Email: legal@auditbase.dev
Website: https://auditbase.dev

Auditbase is operated by Renesis Tech.