AuditXA ("we," "us," or "our") operates the website at auditxa.com and provides a browser-based network security auditing tool for firewall and VPN configuration analysis.
For the purposes of data protection law, including the EU General Data Protection Regulation (GDPR) and the UK GDPR, we are the data controller of the personal data described in this policy.
Contact for privacy matters:
Email: [email protected]
Address: [Your Company Name], [Your Address], [City, Country]
| Data | Why we collect it | How long kept |
|---|---|---|
| Email address | To create and manage your account; to send one-time login codes (MFA); to notify you of subscription changes | Until you delete your account + 30 days |
| One-time login codes (OTP) | Stored as a one-way cryptographic hash (not the code itself) to verify your identity at login. Never stored in plain text. | Automatically deleted after use or after 1 hour, whichever is sooner |
| Subscription status and plan | To determine whether you have an active subscription and which features to enable | Until you delete your account + 7 years (tax/legal requirement) |
| Payment provider customer ID | To link your subscription to your account and process billing events | Duration of subscription + 7 years |
| Login timestamps and IP address | Security logging: to detect suspicious access patterns and protect your account | 90 days, then automatically deleted |
| Audit activity log | Records which audit tool you used and your audit score (not the config content) for your audit history feature | Until you clear your history or delete your account |
| Rate limit records | To prevent abuse of the login system (max 5 OTP requests per 15 minutes per IP) | 24 hours, then automatically deleted |
This is the most important part of this policy for our users.
Your firewall and VPN configuration files are processed entirely within your web browser. They are never uploaded to, transmitted to, or stored on our servers.
When you paste or upload a configuration file:
You can verify this yourself by opening your browser's developer tools (F12, then the Network tab) and observing that no configuration content is transmitted when you run an audit.
If you are in the European Economic Area (EEA) or the United Kingdom, we process your personal data on the following legal bases under Article 6 of the GDPR:
Processing your email address and subscription data to provide the service you have subscribed to, send you login codes, and manage your account.
Security logging (IP address, login timestamps, rate limiting) to protect our service and your account from unauthorised access. Our legitimate interest is the security of the platform; this does not override your rights.
Retaining subscription and billing records for 7 years to comply with financial and tax regulations.
Where we send you optional communications (such as product updates or newsletters), we will ask for your explicit consent and you may withdraw it at any time.
We use the data we collect strictly to:
We do not: sell your data, share it for advertising purposes, use it for profiling or automated decision-making, or process it for any purpose beyond what is described in this policy.
We share your data with the following third-party service providers only to the extent necessary to operate the service:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase (supabase.com) | Database hosting: stores account and subscription data | Email, subscription status, OTP hashes, login logs | AWS us-east-1 (USA) or EU region, depending on project settings |
| Resend (resend.com) | Transactional email: sends your one-time login codes | Your email address and the one-time code | USA |
| Stripe (stripe.com) / PayPal (paypal.com) | Payment processing and subscription management | Email address, subscription data. Payment details are processed exclusively by Stripe or PayPal; we never see or store your card or PayPal credentials. | USA |
| Vercel (vercel.com) | Web hosting and serverless API functions | IP addresses in server logs (standard web server logs, retained per Vercel's policy) | USA / globally distributed CDN |
All third-party providers are contractually required to handle your data securely and only for the purposes we specify. We do not share your data with any other parties except where required by law.
We may disclose your data if required to do so by law, court order, or government authority, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
We keep your data only for as long as necessary for the purposes described in this policy:
When data reaches its retention limit, it is permanently deleted from our database. Backups containing the data are also purged within 30 days of the live deletion.
We implement industry-standard technical and organisational measures to protect your personal data:
No method of transmission or storage is 100% secure. If you become aware of any security vulnerability in our service, please report it responsibly to [email protected].
We use no advertising cookies, no analytics cookies, and no third-party tracking of any kind.
sessionStorage (not a cookie, but similar): we store your login session token in your browser's sessionStorage. This is automatically cleared when you close your browser tab. It is never sent to third parties. This is strictly necessary for the service to function.
Our hosting provider (Vercel) and font provider (Google Fonts) may set standard infrastructure cookies as part of CDN delivery. These are outside our control but do not track you for advertising purposes.
Depending on your location, you have the following rights regarding your personal data. To exercise any of these rights, email us at [email protected]. We will respond within 30 days (EEA/UK: within 1 calendar month as required by GDPR).
You can request a copy of all personal data we hold about you.
You can ask us to correct inaccurate or incomplete data we hold about you.
You can ask us to delete your personal data ("right to be forgotten"), subject to our legal retention obligations.
You can ask us to restrict processing of your data in certain circumstances (e.g. while a dispute is resolved).
You can request your data in a structured, machine-readable format (JSON or CSV).
You can object to processing based on legitimate interests. We will stop unless we have compelling grounds.
We do not make any automated decisions that significantly affect you. No profiling is performed.
You have the right to lodge a complaint with your national data protection authority (e.g. ICO in the UK, your local EU supervisory authority).
Email [email protected] with the subject line "Delete my account" from your registered email address. We will delete your account data within 30 days and confirm when done. Billing records required by law (7 years) will be retained but isolated from the main account database.
AuditXA is a professional tool intended exclusively for adults (18 years or older) working in IT, network security, or related fields. We do not knowingly collect personal data from anyone under the age of 18.
If you believe a person under 18 has provided us with personal data, please contact us at [email protected] and we will delete that data promptly.
Our service providers are primarily based in the United States. If you are located in the European Economic Area (EEA) or the United Kingdom, your personal data may be transferred to and processed in the USA.
We ensure such transfers comply with applicable data protection law through the following safeguards:
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you specific rights regarding your personal information.
We collect: Identifiers (email address, IP address). We do not collect: financial information (handled exclusively by Stripe or PayPal), biometric data, geolocation, internet activity beyond login logs, or sensitive personal information.
To exercise your California rights, email [email protected]. We will respond within 45 days.
We do not sell or share your personal information for advertising purposes. No opt-out is necessary, but we honor this right regardless.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.
When we make material changes (changes that significantly affect your rights or how we process your data), we will:
We encourage you to review this policy periodically. Your continued use of AuditXA after the effective date of any changes constitutes acceptance of the updated policy.
Previous versions of this policy are available on request by emailing [email protected].
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: