Privacy policy
last updated — 11 June 2026
The short version: we collect what's needed to run a monitoring service for your agency — your account, your billing status, and the public web pages you ask us to scan. No ad tracking, no selling data, no surprises. The detail follows.
1. Who's responsible
Audera ("we", "us") is the controller for the personal data described in this policy. For anything privacy-related — questions, requests, complaints — use the contact page or email us directly, and we'll respond within a month.
2. What we collect about you
Account data: your name, work email, role, agency membership and authentication details (password hash, two-factor configuration, passkeys). Billing data: plan, invoices, payment status and VAT details — card numbers go directly to Stripe and never touch our servers. Communications: the content of support, beta-access and security conversations. Usage and security data: log-in events, IP addresses in server logs, and the actions recorded on your agency's audit trail (who accepted a baseline, who resolved a finding, and when).
3. Website scan data
The heart of the service is scanning websites your agency registers: we fetch publicly available pages, store snapshots and full-page screenshots, and run checks against them. This content belongs to those websites and is processed on your instruction as part of providing the service. If a scanned public page happens to contain personal data (a named medical contact, for example), we hold it only as part of the page record, only for your plan's retention window, and we don't extract, enrich or repurpose it. To the extent we process such data on your behalf, we act as your processor and a data processing agreement is available on request.
4. Why we use it (lawful bases)
To provide the service your agency has contracted for, including scans, findings, alerts and exports (performance of contract). To secure the service, investigate abuse, debug problems and improve how it works (legitimate interests — we've balanced these against your rights, and you can object at any time). To send service emails such as alerts, digests and material-change notices (performance of contract; these aren't marketing). To meet accounting, tax and legal obligations (legal obligation). We don't sell personal data, we don't share it for third-party advertising, and we don't make automated decisions about you that have legal or similarly significant effects.
5. Cookies
We use only the essential cookies the application needs to work: a session cookie and a security (CSRF) cookie for signed-in use, and a "remember me" cookie if you ask to stay signed in. No advertising, analytics or cross-site tracking cookies — which is why you don't see a cookie banner here. If that ever changes, this policy and the site will change first.
6. Marketing
If you ask about beta access we'll write back about beta access — that's correspondence, not a mailing list. We don't currently send marketing email. If we ever introduce a newsletter it will be strictly opt-in, with working unsubscribe links.
7. Who we share it with
Service providers who process data on our documented instructions: Stripe (payments, billing and invoicing), our cloud hosting provider (application, database and evidence storage), and our email delivery provider (transactional email such as alerts, digests and invitations). Each is bound by a data processing agreement. Beyond that, we disclose personal data only where the law requires it, or as part of a sale or reorganisation of the business — in which case this policy continues to apply to it.
8. International transfers
We aim to keep data in the UK and EU. Where a provider processes personal data outside the UK, we rely on recognised safeguards — UK adequacy regulations, the UK Addendum to the EU standard contractual clauses, or equivalent measures — and we'll tell you which on request.
9. How long we keep it
Scan history, screenshots and evidence: your plan's rolling retention window (7 to 60 days), then deleted automatically. Account data: while your agency has an account, then deleted within a reasonable operational period. Audit trail entries: the life of the agency account, because that's their purpose. Support and security correspondence: up to two years, so we have context if something recurs. Invoices and billing records: six years, as UK tax law requires.
10. How it's protected
Encryption in transit everywhere, strict per-agency data isolation that fails closed, evidence on private storage behind authenticated and agency-scoped routes, signed expiring download links, role-based access and audit trails. The full picture is on the security & data page. If a breach ever affects your personal data, we'll notify you and the ICO as UK GDPR requires.
11. Your rights
Under UK GDPR you can ask for: access to your personal data; correction of anything inaccurate; deletion; restriction of processing; a portable copy in a machine-readable format; and you can object to processing based on legitimate interests. Asking costs nothing and doesn't affect your service. We'll respond within a month. If you're unhappy with our answer, you can complain to the Information Commissioner's Office at ico.org.uk — though we'd appreciate the chance to put it right first.
12. Children
Audera is a business tool for agency teams and isn't directed at children. We don't knowingly collect personal data from anyone under 18.
13. Changes
We'll update this policy as the service evolves and keep the date at the top current. For material changes we'll tell account holders by email before they take effect.