GDPR & Data Protection
EU GDPR (Regulation 2016/679) · UK GDPR · CCPA · Last updated: March 2025
1. Our Commitment to Data Protection
AuditFlow is committed to protecting the privacy and personal data of all individuals we interact with. We comply with the EU General Data Protection Regulation (GDPR – Regulation 2016/679), the UK GDPR, and the California Consumer Privacy Act (CCPA). Our services are governed by the laws of the British Virgin Islands, and we uphold international best practices for data protection worldwide.
2. Data We Collect and Why
We collect only the minimum data necessary to provide our services: account information (name, email, company) for account management and communication; project data (smart contract code, documentation) to perform security audits; identity verification data (government-issued ID, biometrics) exclusively for KYC verification; and technical data (IP address, browser type) for security and fraud prevention. We never collect data for advertising or profiling purposes.
3. Legal Basis for Processing (GDPR Art. 6)
Under GDPR Article 6, we process personal data based on: contract performance (Art. 6(1)(b)) — to deliver the services you have requested; legal obligation (Art. 6(1)(c)) — to comply with AML/KYC regulatory requirements; legitimate interests (Art. 6(1)(f)) — for platform security and fraud prevention; and consent (Art. 6(1)(a)) — for optional marketing communications, which you may withdraw at any time. Because biometric data used to identify an individual is a special category of personal data under GDPR Article 9(1), we process it only with your explicit consent under Article 9(2)(a).
4. Your Rights (GDPR / CCPA)
Under GDPR, you have the right to: access your personal data, rectify inaccurate data, request erasure ("right to be forgotten"), restrict or object to processing, receive your data in a portable format, and withdraw consent at any time. Under CCPA (California residents), you have the right to know what data we collect, delete personal data, opt out of sale (we do not sell data), and non-discrimination for exercising your rights. To exercise any right, contact: privacy@auditflow.online
5. International Data Transfers
AuditFlow operates internationally. Where personal data is transferred outside the European Economic Area (EEA) or United Kingdom, we ensure adequate protection through Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms. All data processors are contractually bound to maintain equivalent levels of protection.
6. Data Retention
We retain personal data only as long as necessary. Account data is retained for the duration of your relationship with us plus 7 years for legal compliance. KYC biometric data is deleted immediately after verification is complete. Published audit reports are retained indefinitely with your explicit consent. You may request deletion of any data not subject to legal retention obligations at any time.
7. Security Measures (GDPR Art. 32)
We implement appropriate technical and organizational measures as required by GDPR Article 32: AES-256 encryption at rest and TLS 1.3 in transit, multi-factor authentication for all staff with data access, role-based access controls (RBAC), regular penetration testing and security audits, pseudonymization where applicable, and a documented incident response plan that supports notifying the relevant supervisory authority within 72 hours of becoming aware of a personal data breach (GDPR Art. 33), and notifying affected individuals without undue delay where the breach is likely to result in a high risk to them (Art. 34).
8. Data Protection Officer (DPO)
Our Data Protection Officer oversees GDPR compliance and can be contacted for any privacy-related matters, including exercising your rights or filing a complaint. Contact: privacy@auditflow.online. You also have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or your national DPA within the EU). We respond to all verified requests within 30 days, which is within the one-month limit set by GDPR Article 12(3); we may need to verify your identity before acting on a request.
Questions about your data? privacy@auditflow.online