Privacy Policy
Last updated: April 12, 2026
1. Introduction
AuditCore ("we", "us", "our") operates the website audit-core.tech and provides automated security and SEO auditing services. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
Data Controller (GDPR Art. 4(7)): Valer Krystian Szozda, sole proprietor registered in Poland, NIP 6912545436. For privacy inquiries, data access requests, or to exercise your GDPR rights, contact [email protected].
2. Information We Collect
2.1 Information You Provide
- Email address — required to deliver scan results and create an account.
- Target URL or uploaded file (APK/IPA) — the asset you submit for scanning.
- Payment information — processed securely by Stripe. We never store your card details.
- Account credentials (optional) — if you provide test credentials for multi-role auth testing (Enterprise tier), they are encrypted at rest with AES-256 (Fernet) and deleted after the scan completes.
2.2 Information Collected Automatically
- Usage data — pages visited, scan configurations, timestamps.
- Device data — browser type, operating system, IP address.
- Cookies — essential cookies for authentication and session management. We do not use advertising or tracking cookies.
3. How We Use Your Information
- To perform the security and SEO scans you request.
- To deliver scan results via email and the web dashboard.
- To process payments through Stripe.
- To send transactional emails (scan completion, scheduled scan results).
- To improve our Service and fix bugs (aggregated, non-personal analytics).
- To detect and prevent fraud or abuse of our scanning infrastructure.
4. How We Share Your Information
We do not sell, rent, or trade your personal information. We share data only with:
- Stripe — payment processing.
- Resend — transactional email delivery.
- Firebase (Google) — authentication.
- Sentry — error monitoring (if enabled; contains no PII by default).
5. Data Retention
- Scan results — retained indefinitely so you can access past reports. You may request deletion.
- Uploaded files (APK/IPA) — deleted within 24 hours after scan completion.
- Test credentials — encrypted at rest, deleted immediately after the scan completes.
- Account data — retained until you delete your account.
6. Data Security
We implement industry-standard security measures including HTTPS/TLS encryption, encrypted credential storage (Fernet/AES-256), database access controls, and regular security updates. Our scanning infrastructure runs in isolated Docker containers.
7. Your Rights
You have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data and account.
- Export your scan results.
- Withdraw consent for non-essential data processing.
To exercise these rights, contact us at [email protected].
8. Cookies
We use only essential cookies required for authentication (Firebase session) and CSRF protection. We do not use third-party analytics, advertising, or tracking cookies.
9. Third-Party Data Processors (GDPR)
We use the following third-party services to operate AuditCore. Each acts as a data processor under GDPR; data sharing is limited to what is necessary for the service to function:
- Stripe, Inc. (USA) — payment processing. Receives: name, email, billing details, payment data. Stripe Privacy Policy.
- Google Firebase (USA) — authentication. Receives: email, password hash, profile data. Firebase Privacy.
- Resend (USA) — transactional email delivery (scan results, receipts, verification). Receives: email address, scan summary data. Resend Privacy.
- Anthropic, PBC (USA) — AI Fix Generator (Claude API). Receives: vulnerability details (title, description, evidence) of selected findings. Inputs are not used for model training under Anthropic's API terms. Anthropic Privacy.
- Sentry (USA, optional) — error monitoring. Receives: anonymized error stack traces. No personal data unless included in error context. Sentry Privacy.
- Cloudflare (USA) — DNS, CDN, DDoS protection. Receives: IP addresses, request metadata. Cloudflare Privacy.
For EEA/UK users: data may be transferred outside the EEA/UK to the USA. We rely on Standard Contractual Clauses (SCCs) and provider-specific safeguards. You can request a list of active processors and Data Processing Agreements (DPAs) at [email protected].
10. Third-Party Links
Scan results may contain links to external resources (CVE databases, documentation). We are not responsible for the privacy practices of third-party websites.
11. Children's Privacy
Our Service is not directed to individuals under 16. We do not knowingly collect personal information from children.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on our website or sending an email.
13. Contact Us
If you have questions about this Privacy Policy, contact us at: [email protected]