Privacy Policy
This Privacy Policy explains how Md R Rafi, operating under the trading name "Auditably.co" ("we", "us", "Auditably.co"), with business contact at 11 Jalan SS15/4, Subang Jaya, Selangor, Malaysia, collects, uses, and protects your personal data when you use the Auditably.co service (the "Service").
1. Who we are
The data controller for the purposes of applicable data protection law (including GDPR where relevant) is:
- Operator: Md R Rafi (sole proprietor, trading as Auditably.co)
- Address: 11 Jalan SS15/4, Subang Jaya, Selangor, Malaysia
- Contact email: [email protected]
2. What data we collect
Information you provide directly
- Account data: email address, password (stored hashed, never in plaintext)
- Optional profile data: company name (if you choose to enter it)
- Contact form submissions: name, email, message (if you contact us via the form)
Information collected automatically
- Authentication tokens: session tokens stored in your browser's localStorage to keep you signed in
- Subscription data: tier (Practitioner/Pro), status, current billing period (synced from Paddle)
Information we do NOT collect
- We do not see or store the contents of CSV files you upload to the Service. CSVs are processed entirely in your browser
- We do not see the contents of AI prompts you send to OpenAI or Anthropic (in Auto-API mode). These calls go directly from your browser to those providers
- We do not use third-party advertising trackers, cookies for advertising, or behavioural tracking
3. How we use your data
We process your data for the following purposes:
- To provide the Service: authenticate you, store your subscription status, deliver requested features
- To process payments: share your email with Paddle (our Merchant of Record) to facilitate billing
- To communicate with you: respond to support requests, send transactional emails (e.g. password reset)
- To comply with legal obligations: tax records, financial records, regulatory requests
The lawful bases under GDPR (where applicable to you) are: performance of a contract, legitimate interests (operating and improving the Service), and compliance with legal obligations.
4. Who we share data with
We use the following third-party providers to operate the Service. Each is bound by their own privacy policy:
| Provider | Purpose | Data shared |
|---|---|---|
| Paddle (Merchant of Record) | Process payments, calculate tax, handle refunds | Email, billing address, payment method, transaction history |
| Supabase (Database & Auth) | Store account credentials and subscription metadata | Email, hashed password, subscription tier & status |
| Resend (Transactional email) | Deliver password reset, contact form, and notification emails | Email address and message content |
| Cloudflare (Hosting & CDN) | Serve the website and API endpoints | IP address (transient), browser metadata, request logs |
| OpenAI / Anthropic (Optional, Pro tier) | Power the Auto-API disclosure generator (you provide your own keys) | Whatever data you choose to send via prompts (we don't see this) |
We do not sell your data to third parties. We do not share your data with advertisers.
5. International data transfers
Our service providers (Paddle, Supabase, Resend, Cloudflare, OpenAI, Anthropic) may process data outside of your country of residence, including in the United States, United Kingdom, and European Union. These providers contractually commit to data protection standards (e.g. Standard Contractual Clauses, SOC 2, GDPR compliance).
6. Data retention
We retain your data for as long as your account is active and for a reasonable period afterwards to comply with legal obligations (typically 7 years for financial records, per Malaysian tax law).
Specifically:
- Account data: retained while your account is active. Deleted within 30 days of account closure on request
- Subscription records: retained for 7 years for tax/audit compliance
- Contact form submissions: retained for 24 months
- Server logs: retained for 30 days
7. Your rights
Subject to applicable law (including GDPR for residents of the European Economic Area, UK GDPR for UK residents, and equivalent laws), you have the right to:
- Access your personal data we hold
- Correct inaccurate or incomplete data
- Delete your data ("right to erasure")
- Restrict or object to certain processing
- Data portability: receive your data in a portable format
- Withdraw consent where processing is based on consent
- Lodge a complaint with a data protection authority
To exercise these rights, email [email protected]. We respond within 30 days.
8. Security
We take reasonable technical and organisational measures to protect your data:
- HTTPS encryption for all data in transit
- Passwords are hashed (we never store or see plaintext passwords)
- Database access is restricted via row-level security policies
- Service credentials are stored as encrypted secrets, never in source code
- We use established providers (Supabase, Paddle, Cloudflare) that maintain industry-standard security certifications
However, no system is 100% secure. If we become aware of a breach affecting your data, we will notify you and the relevant authorities in accordance with applicable law.
9. Cookies and similar technologies
We use minimal browser storage to operate the Service:
- localStorage: stores your authentication session token so you stay signed in. No tracking, no analytics
- Essential cookies: may be set by Cloudflare for security purposes (e.g. bot mitigation)
We do not use analytics cookies, advertising cookies, or tracking pixels.
10. Children's privacy
The Service is intended for use by adults in a business context. We do not knowingly collect data from children under 16. If you believe we have inadvertently collected such data, contact us and we will delete it promptly.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or via the Service. The "Last updated" date at the top reflects when this policy was last revised.
12. Contact
For privacy questions, data requests, or complaints:
- Email: [email protected]
- Operator: Md R Rafi
- Address: 11 Jalan SS15/4, Subang Jaya, Selangor, Malaysia