What we collect
- Account data: name, email address, hashed password, profile image.
- Website data: URLs you submit for monitoring, scan results, Lighthouse scores, Core Web Vitals, and generated PDF reports.
- Real User Monitoring (RUM): performance timing metrics, page paths, device type, browser user agent. No IP addresses are collected or stored.
- Integration credentials: optional GitHub personal access tokens, Google service account JSON keys, Slack webhook URLs. These are encrypted at rest and never included in data exports.
- Payment data: billing plan, transaction status, and amount. Full card details are processed exclusively by Paddle and never stored by AuditJet.
- Operational logs: server-side access logs retained for up to 30 days for security purposes.
Legal basis for processing
We process your data under the following GDPR lawful bases:
- Contract (Art. 6(1)(b)): to provide the AuditJet service you have signed up for.
- Legitimate interests (Art. 6(1)(f)): platform security, abuse prevention, and improving service quality.
- Legal obligation (Art. 6(1)(c)): compliance with applicable law and fraud prevention.
How we use your data
- Run performance audits and generate reports for your websites.
- Deliver alert emails and Slack notifications based on your preferences.
- Process subscription payments via Paddle.
- Provide account support and respond to your enquiries.
- Maintain platform security, reliability, and fraud prevention.
We do not sell your personal data, use it for advertising, or share it for purposes unrelated to the service.
Third-party recipients
AuditJet uses the following sub-processors who may receive your data:
| Service | Purpose | Data shared |
|---|---|---|
| Paddle | Payment processing (Merchant of Record) | Email, billing amount, plan |
| Resend | Transactional email delivery | Email address, alert content |
| Google PageSpeed Insights | Website performance audits | Website URLs you submit |
| Google Analytics (GA4) | Marketing page analytics | Anonymised page views (marketing pages only) |
| OpenAI | AI Fix Blueprints in reports (PRO/AGENCY, opt-in) | Lighthouse audit findings, no PII |
| GitHub | Draft PR creation (optional integration) | Your GitHub token and repo name |
| Railway / Vercel | Hosting and infrastructure | All application data (encrypted at rest) |
Data retention
Scan and report data is automatically deleted based on your plan:
- Free: 7 days
- Watchdog: 30 days
- Pro: 90 days
- Agency: 180 days
Account data is retained until you delete your account. Server access logs are deleted after 30 days.
Security measures
- Passwords are hashed with bcrypt (12 salt rounds) and never stored in plaintext.
- Integration credentials (GitHub tokens, GA4 service account keys) are encrypted at rest using AES-256-GCM.
- All data is transmitted over HTTPS/TLS.
- Session cookies are set with HttpOnly, Secure, and SameSite=Lax attributes.
Your rights (GDPR)
If you are in the European Economic Area (EEA) or United Kingdom, you have the following rights:
- Access (Art. 15): request a copy of your personal data.
- Rectification (Art. 16): correct inaccurate or incomplete data.
- Erasure (Art. 17): request deletion of your account and all associated data. You can do this instantly via Dashboard → Settings → Delete Account, or by emailing us.
- Data portability (Art. 20): download a machine-readable export of your data via Dashboard → Settings → Export My Data.
- Restriction (Art. 18): request we limit processing of your data.
- Objection (Art. 21): object to processing based on legitimate interests.
To exercise any right, email support@auditjet.co. We will respond within 30 days.
Cookies
AuditJet sets one essential cookie: a session token required for authentication. No third-party tracking cookies are set inside the authenticated dashboard.
The public marketing site uses Google Analytics (GA4) to measure aggregate traffic. This sends anonymised data (IP anonymisation enabled) to Google. You can opt out using a browser extension such as the Google Analytics Opt-out Add-on.
California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you additional rights.
Categories of personal information we collect
- Identifiers: name, email address, account ID, profile image URL.
- Commercial information: billing plan, payment status, and transaction amounts (processed by Paddle).
- Internet or other electronic network activity: website URLs you submit, Lighthouse scores, Core Web Vitals, real-user performance metrics (paths, timing, device type, browser user agent). No IP addresses are stored.
- Professional/employment information: none collected.
- Sensitive personal information: none collected.
We do not sell or share your personal information
AuditJet does not sell your personal information and does not share it for cross-context behavioural advertising. We use Google Analytics on our marketing pages for aggregate traffic measurement only, with IP anonymisation enabled.
Your California rights
- Right to know (§ 1798.100): request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
- Right to delete (§ 1798.105): request deletion of your personal information. You can do this instantly via Dashboard → Settings → Delete Account.
- Right to correct (§ 1798.106): request correction of inaccurate personal information.
- Right to opt-out of sale/sharing (§ 1798.120): not applicable — we do not sell or share personal information for advertising.
- Right to non-discrimination (§ 1798.125): we will not discriminate against you for exercising any of the above rights.
- Shine the Light (Cal. Civ. Code § 1798.83): we do not disclose personal information to third parties for their own direct marketing purposes.
How to submit a California request
Email support@auditjet.co from the address associated with your account (or have an authorised agent email on your behalf with written permission). We will respond within 45 days. If we need more time we will inform you of the reason and extension period within the initial 45-day window.
You may also download your data directly via Dashboard → Settings → Export Data.
Contact & complaints
Data controller: Rohan Dhir, operating as AuditJet.
For privacy questions, data requests, or complaints, contact support@auditjet.co. If you are not satisfied with our response, you may lodge a complaint with your local data protection authority (e.g. ICO in the UK, or your national DPA in the EU).