Privacy Policy
How we handle personal data when you visit our website, contact our team, or use the AuditOak GRC platform.
Last updated: June 2026
Overview
AuditOak ("AuditOak," "we," "us") respects your privacy. This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and the choices available to you when you use auditoak.com (the "Website") and app.auditoak.com (the "Platform").
AuditOak is a multi-framework GRC platform for compliance teams. Because our customers upload evidence and organizational data to the Platform, we treat privacy and security as core product requirements, not afterthoughts.
Information we collect
Website and contact inquiries. When you submit our contact form, request templates, or email us, we may collect your name, work email, company name, job title, and any information you choose to include in your message.
Platform accounts. When you register for or use the Platform, we collect account details such as name, email address, organization name, role, authentication credentials, and usage logs related to your activity in the product.
Customer content. The Platform allows you to upload evidence files, control notes, comments, and other materials ("Customer Content") as part of your compliance program. Customer Content may contain personal data about your employees, contractors, or end users. You control what is uploaded and are responsible for having a lawful basis to process that data.
Technical data. We automatically collect standard log and device information such as IP address, browser type, pages viewed, and timestamps to operate, secure, and improve our services.
How we use information
- Provide, maintain, and improve the Website and Platform
- Respond to sales, support, and security inquiries
- Authenticate users and enforce access controls
- Send service-related communications about your account or product updates
- Monitor for abuse, fraud, and security incidents
- Comply with legal obligations and respond to lawful requests
We do not sell personal data. We do not use Customer Content to train public AI models.
Legal bases (EEA and UK visitors)
Where GDPR applies, we process personal data on one or more of the following bases: performance of a contract, legitimate interests (such as securing our services and responding to inquiries), compliance with legal obligations, and consent where required (for example, certain marketing communications).
Data retention
We retain account data and Customer Content for as long as your organization maintains an active Platform subscription or as needed to provide the service. You may request deletion of your account subject to applicable law and legitimate business needs such as backup retention and audit logs.
Website inquiry data is retained for a period reasonable to respond to your request and maintain business records, typically up to twenty-four months unless a longer period is required by law.
Security
We implement administrative, technical, and organizational measures designed to protect personal data, including encryption in transit, access controls, audit logging, and least-privilege permissions. No method of transmission or storage is completely secure. Learn more on our Security page.
Your rights
Depending on your location, you may have rights to access, correct, delete, restrict, or port your personal data, and to object to or withdraw consent for certain processing. You may also have the right to lodge a complaint with a supervisory authority.
To exercise your rights, contact contact@auditoak.com. We will respond within the timeframe required by applicable law.
International transfers
AuditOak may process and store information in the United States and other countries where we or our subprocessors operate. Where required, we use appropriate safeguards such as Standard Contractual Clauses for transfers of personal data from the EEA, UK, or Switzerland.
Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised version on this page and update the "Last updated" date. Material changes may be communicated by email or in-product notice where appropriate.
Questions about these policies?
Email contact@auditoak.com. AuditOak provides compliance workflow software. These documents are not legal advice.