Privacy Policy
Updated: March 26, 2026
1. Data Controller
The data controller under the General Data Protection Regulation (GDPR) is:
Auditera AI UG (haftungsbeschränkt)
[Address to be added upon confirmation of registered office]
Managing Directors: Anil Colak, Jannik Wienecke
Email: hello@auditera.de
Website: www.auditera.de
2. Data Protection Officer
Auditera AI UG (haftungsbeschränkt) is currently not required to appoint a Data Protection Officer under § 38 BDSG, as the statutory thresholds have not been reached. For data protection inquiries and to exercise your data subject rights, please contact:
Data Protection Contact: Anil Colak
Email: hello@auditera.de
A Data Protection Officer will be appointed promptly upon reaching the statutory thresholds under § 38 BDSG.
3. Data We Collect and Why
3.1 Account Registration Data (Legal Basis: Contract Performance - GDPR Art. 6(1)(b))
When you register for Auditera, we collect:
First and last name
Email address
Organization name and size
Industry and jurisdiction
Job title
Timezone
Company contact details
Authentication (including password management) is handled by the Convex Auth SDK. Auditera does not directly store passwords or password hashes. The minimum password length is 8 characters.
This data is necessary to provide our services and communicate with you.
3.2 Uploaded Compliance Documents (Legal Basis: Contract Performance — GDPR Art. 6(1)(b))
When you upload compliance documents, policies, or other files:
We store them on Convex servers in the EU (Ireland). Encryption at rest is provided by Convex infrastructure. AES-256-GCM is applied at the application level exclusively for encrypting AI provider API keys.
These files remain under your full control
You can view, modify, or delete them at any time
3.3 AI Processing via OpenAI API (Legal Basis: Contract Performance — GDPR Art. 6(1)(b))
Our platform uses OpenAI API (models: gpt-4.1-nano for text analysis, gpt-4.1-mini for standards analysis, gpt-4o for image and document analysis) to analyze your documents with AI Assistant "Era":
Your documents are transmitted to OpenAI API for analysis against compliance frameworks (ISO 27001, ISO 9001, ISO 14001, SOC 2, GDPR, TISAX, NIS2)
When analyzing images or scanned documents, these are transmitted to OpenAI via the gpt-4o model
OpenAI processes data under the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs pursuant to Commission Implementing Decision (EU) 2021/914)
All data is encrypted in transit via TLS
Your data is NEVER used for AI model training by OpenAI (API opt-out)
BYOM (Bring Your Own Model): The BYOM feature is available exclusively for Unlimited and Enterprise tier customers. Supported providers: Ollama, vLLM, LM Studio, LocalAI, and any OpenAI-compatible endpoint.
3.4 Payment Data (Legal Basis: Contract Performance — GDPR Art. 6(1)(b))
Payments are processed entirely by Polar (Sweden). Auditera does not process or store credit card data, IBAN, or any other payment information directly:
Polar handles all payment processing as an independent payment service provider
Auditera stores only the Polar customer ID, email address, and subscription status
Invoicing and payment processing are handled exclusively by Polar
3.5 Website Analytics and Cookies (Legal Basis: Consent — GDPR Art. 6(1)(a))
Our services consist of two domains with different tracking technologies:
Marketing Website (www.auditera.de, hosted by Framer B.V.):
Framer Analytics: Anonymized usage statistics (cookieless)
Google Analytics (optional): Website usage analysis — only with your explicit consent via the cookie banner
Application (app.auditera.de, hosted by Vercel Inc.):
Authentication cookies: Via Clerk Auth SDK for session management (technically necessary, § 25(2) TTDSG)
Sentry error monitoring (consent required): Collects error reports, IP addresses, user identifiers, browser information, and session replay data (replay is sampled for 10% of sessions and 100% of sessions in which an error occurs). Sentry's sendDefaultPii option is enabled, so personally identifiable information (such as IP addresses and user identifiers) is actively collected.
Performance metrics (consent required): Web Vitals tracking (LCP, INP, CLS) with userId and sessionId context
Sentry and performance metrics are only activated after your explicit consent. Legal basis: GDPR Art. 6(1)(a) in conjunction with § 25(1) TTDSG.
For full details, see our separate Cookie Policy.
3.6 AI Credit Usage and Token Consumption (Legal Basis: Contract Performance — GDPR Art. 6(1)(b))
As part of platform usage, we collect data on AI credit consumption and token usage per workspace. This data is used for billing and fair-use monitoring.
3.7 Performance Monitoring Data (Legal Basis: Consent — GDPR Art. 6(1)(a))
When performance monitoring is enabled, we collect technical identifiers (userId, sessionId, correlationId) for diagnosing performance issues. This data is collected only with your consent.
4. Data Retention
We retain your personal data only as long as necessary. Retention periods differ by data category:
Data category | Retention period | Legal basis
Registration and account data | During contract term + 7 business days after account deletion | GDPR Art. 6(1)(b)
Uploaded compliance documents | During contract term; deletable at any time; after account deletion: 7 business days | GDPR Art. 6(1)(b)
Audit data and findings | During contract term; after account deletion: 7 business days | GDPR Art. 6(1)(b)
AI credit usage / token consumption | During contract term; after account deletion: 7 business days | GDPR Art. 6(1)(b)
Invoice data (at Polar) | 10 years after contract end (statutory retention obligation under § 147 AO, German tax law, and § 257 HGB) | GDPR Art. 6(1)(c)
Sentry error reports | 90 days (Sentry default) | GDPR Art. 6(1)(a) (consent)
Performance monitoring data | Session duration | GDPR Art. 6(1)(a) (consent)
Session cookies (Clerk, Framer) | End of session | § 25(2) TTDSG (technically necessary)
Google Analytics (www.auditera.de) | Up to 26 months (Google default) | GDPR Art. 6(1)(a) (consent)
Deletion of your personal data after account deletion is completed within 7 business days. This includes: account data, uploaded documents, audit findings, extracted document content, and AI analysis results.
5. Your Rights
Under GDPR, you have the following rights:
Access: Request what data we hold about you (Art. 15 GDPR)
Rectification: Correct inaccurate data (Art. 16 GDPR)
Erasure: Request deletion of your data (Art. 17 GDPR). Deletion is completed within 7 business days.
Restrict Processing: Limit how we use your data (Art. 18 GDPR)
Data Portability: Receive your data in structured format (Art. 20 GDPR)
Object: Oppose processing based on legitimate interest (Art. 21 GDPR)
Withdraw Consent (Art. 7(3) GDPR): Where processing is based on your consent (e.g., Sentry, performance monitoring, Google Analytics), you have the right to withdraw your consent at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal. You can withdraw your consent via: (a) cookie settings on www.auditera.de, (b) the consent mechanism in app.auditera.de, or (c) by email to hello@auditera.de.
Not Be Subject to Automated Decisions: See AI Processing section (Art. 22 GDPR)
To exercise your rights, email: hello@auditera.de. We will process your request within 30 days.
6. Requirement to Provide Data (GDPR Art. 13(2)(e))
The provision of the following data is contractually required to use the Auditera platform:
Name and email address (for registration and authentication)
Organization name (for workspace setup)
Without this data, a user account cannot be created and the service cannot be provided.
The provision of the following data is voluntary:
Job title, industry, jurisdiction, timezone (for an improved user experience)
Consent for analytics cookies and performance monitoring (for product improvement and error resolution)
There is no statutory obligation to provide data. However, failure to provide the contractually required data means the service cannot be used.
7. International Data Transfers (GDPR Chapter V, Art. 44–49)
As we use US-based service providers, data transfers to the USA and other third countries occur. Each sub-processor has a specific transfer mechanism:
Sub-processor | Location (hosting) | Purpose | Transfer mechanism
Convex, Inc. | USA (hosting: EU/Ireland) | Backend infrastructure, all application data | SCCs (2021/914)
OpenAI, L.L.C. | USA | AI document analysis | DPF + SCCs (2021/914)
Polar | Sweden | Payment processing | EU (no third-country transfer)
Vercel Inc. | USA | App hosting (app.auditera.de) | DPF + SCCs (2021/914)
Clerk Inc. | USA | Authentication and session management | DPF + SCCs (2021/914)
Sentry / Functional Software Inc. | USA | Error monitoring, session replay | DPF + SCCs (2021/914)
Resend Inc. | USA | Transactional emails | DPF + SCCs (2021/914)
Framer B.V. | Netherlands | Website hosting (www.auditera.de) | EU (no third-country transfer)
Google LLC | USA | Website analytics (www.auditera.de) | DPF + SCCs (2021/914)
Tavily | USA | AI-powered web research (clause research) | SCCs (2021/914); no direct PII processing, but search queries may indirectly contain personal data from compliance documents
Supplementary measures per EDPB Recommendation 01/2020:
TLS encryption for all data transfers (provided by Vercel and Convex at infrastructure level)
AES-256-GCM encryption for API keys at application level
Pseudonymization where possible (e.g., internal IDs instead of plain names)
Contractual commitments by sub-processors to GDPR compliance
All Standard Contractual Clauses are based on Commission Implementing Decision (EU) 2021/914.
8. AI and Automated Decision-Making (GDPR Art. 13(2)(f), Art. 22)
Our AI Assistant "Era" processes your documents for compliance analysis. Below we disclose the logic, significance, and consequences of this processing:
Processing logic: The text of your uploaded documents is transmitted to OpenAI models, which analyze the content against selected compliance frameworks (e.g., ISO 27001, SOC 2, GDPR). Results are stored as findings with severity ratings (Critical, High, Medium, Low) in your workspace.
Significance and consequences:
A Data Protection Impact Assessment (DPIA) has been conducted
No automated decisions within the meaning of Art. 22 GDPR: AI analyses are recommendations and decision aids, not legally binding assessments
You have the right to request manual review of AI results by qualified personnel at any time
AI results are stored exclusively in your workspace and are not accessible to other customers
Model training: Your data is NEVER used for training or improving AI models
9. Security Measures (GDPR Art. 32)
We protect your data with:
Encryption at rest: Infrastructure encryption by Convex (ISO 27001, SOC 2, C5 certified). AES-256-GCM at application level exclusively for AI provider API keys.
Encryption in transit: TLS encryption provided by infrastructure providers (Vercel, Convex)
Infrastructure: Convex (EU/Ireland) with ISO 27001, SOC 2, and C5 certified data centers
Access controls: Role-based access control (RBAC) within the platform
Error and performance monitoring: Sentry-based monitoring of application errors and performance metrics (consent required only)
Planned security reviews: Regular review of security measures and infrastructure, with the goal of introducing formal penetration testing
Rate limiting: Protection against automated attacks on authentication endpoints
10. Contact & Complaints
For privacy questions:
Email: hello@auditera.de
Contact form: https://www.auditera.de/kontakt
The competent supervisory authority for Auditera AI UG (haftungsbeschränkt) is:
Hamburgischer Beauftragter für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str. 22, 20459 Hamburg, Germany
Phone: +49 40 428 54 4040
Email: mailbox@datenschutz.hamburg.de
Web: https://datenschutz-hamburg.de
You also have the right to lodge a complaint with the supervisory authority in your member state of residence.
11. Policy Changes
We may update this Privacy Policy to reflect changes in legal requirements, new services, or technical developments. The current version is always available on our website. Registered users will be notified by email of material changes.
