
Privacy Policy

Last updated: May 19, 2026

Summary

  • For a free scan we collect your email + the URL you submit + your IP + user-agent. Nothing else.
  • If you create an account we also store your name, optional company, password hash, and (if you subscribe) your Stripe customer ID. No card details ever touch our servers — they live with Stripe.
  • This site uses SysWP Radar for page-view counting. No tracking cookies, no PII, no cross-site tracking.
  • We share data with Resend (email), OpenRouter (AI analysis), Browserless (page rendering) and Stripe (payments) — only what's required.
  • Logged-in users can export or delete their account in one click at /account/settings. Otherwise: dpo@auditto.pro — 30-day response.

1. Who we are

Auditto is a product operated by SysWP — an independent GDPR / CCPA / LGPD compliance verifier for websites. We run auditto.pro and auditto.syswp.com.br and their subdomains (api.auditto.pro, app.auditto.pro).

Data Protection Officer (DPO): dpo@auditto.pro. Physical address and company registration available on request to data subjects exercising their rights.

2. Data we collect

2.1 When you submit a free scan

  • The URL of the site you want to scan.
  • Your email (so we can send you the report link).
  • Your IP address and user-agent at request time (anti-fraud, anti-abuse).
  • Consent timestamp (when you ticked the agreement box).

2.2 Data generated by the scan

To deliver the service we make public HTTP requests to the site you submitted and store: observed network requests, cookies set, public text of the privacy policy, compliance findings and the action plan. These are not your personal data — they are metadata about the audited website.

2.3 When you create an account

To give you a personal dashboard at /account we store:

  • Email (account identifier, also the recipient of system notifications).
  • Name and optionally company name (shown in your dashboard, used in receipts).
  • Password hash using password_hash() (PHP — bcrypt cost 12). We never see your plaintext password.
  • Session token (JWT) stored in your browser's localStorage on auditto.pro, 30-day lifetime. Used to keep you logged in. This is not a tracking cookie — see Section 6.
  • Magic-link tokens (single-use, 24h expiry) emailed to you for email verification, password reset and one-click onboarding from your free-scan email.
  • API keys you generate (only their bcrypt hash + last-4 prefix — we cannot recover the plaintext, you must regenerate if lost).
  • Audit history: which sites you scanned linked to your user_id, plus the resulting scores.
  • Login + audit timestamps for security (last-login, last-IP, anti-fraud).
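The API-key handling described in this list (only a hash plus a short display hint is kept, so a lost key cannot be recovered) can be shown in a few lines. The following is an added example, not the project's own code: it assumes a key layout of ak_<key_id>_<secret> so that the record can be found by its plaintext key_id, keeps the last 4 characters as the dashboard hint, and uses PBKDF2-HMAC-SHA256 from the standard library in place of bcrypt, which is not bundled with Python; the storage pattern is the same either way.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Assumed layout (not the project's): "ak_<key_id>_<secret>". The key_id is
# stored in plaintext so a presented key can be matched to its record; the
# secret part is stored only as a salted hash; the last 4 characters of the
# whole key are kept for display. PBKDF2 stands in for bcrypt here.
PBKDF2_ROUNDS = 100_000

# In-memory stand-in for the api_keys table, keyed by key_id.
_API_KEYS: Dict[str, dict] = {}


def _hash_secret(secret_part: str, salt: bytes) -> bytes:
    """Slow, salted hash of the secret half of the key."""
    return hashlib.pbkdf2_hmac("sha256", secret_part.encode("utf-8"), salt, PBKDF2_ROUNDS)


def issue_api_key(user_id: str) -> str:
    """Create a key, persist only hash + hint, and return the plaintext exactly once."""
    key_id = secrets.token_hex(4)            # 8 hex chars, public identifier
    secret_part = secrets.token_urlsafe(32)  # high-entropy secret, shown once
    plaintext = f"ak_{key_id}_{secret_part}"
    salt = os.urandom(16)
    _API_KEYS[key_id] = {
        "user_id": user_id,
        "salt": salt,
        "hash": _hash_secret(secret_part, salt),
        "last4": plaintext[-4:],  # the only fragment the UI may show
    }
    return plaintext


def authenticate_api_key(presented: str) -> Optional[str]:
    """Return the owning user_id if the presented key verifies, otherwise None."""
    parts = presented.split("_", 2)  # maxsplit=2: the secret may itself contain '_'
    if len(parts) != 3 or parts[0] != "ak":
        return None
    _, key_id, secret_part = parts
    record = _API_KEYS.get(key_id)
    if record is None:
        return None
    candidate = _hash_secret(secret_part, record["salt"])
    # Constant-time comparison of the two digests.
    if not hmac.compare_digest(candidate, record["hash"]):
        return None
    return record["user_id"]


def stored_record(key_id: str) -> Optional[dict]:
    """Expose what the 'database' holds, to check that no plaintext is present."""
    return _API_KEYS.get(key_id)


if __name__ == "__main__":
    key = issue_api_key("user-42")
    print("show this once:", key)
    print("authenticates as:", authenticate_api_key(key))
    print("stored hint:", stored_record(key.split("_")[1])["last4"])
```

Because the hash is salted and slow, the server can verify a presented key but has no way to reconstruct it, which is exactly why a lost key must be regenerated rather than re-sent.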

2.4 When you subscribe to a paid plan

When you click Upgrade we redirect you to Stripe Checkout. Stripe collects your card details directly — we never see card numbers, CVV or billing address details. From Stripe's webhook we store on our side:

  • Stripe customer ID (e.g. cus_…) so we know which Stripe customer maps to your account.
  • Stripe subscription ID + current plan + status (active / cancelled / past_due).
  • Country code (returned by Stripe from your billing address) — used for VAT and to decide which brand domain hosts your reports.
  • Receipts / invoices remain hosted on Stripe; we link to them when you visit your dashboard.

Stripe is the controller of card data; we are the controller of your account record + the link between your email and your Stripe customer ID.

2.5 Visit analytics (SysWP Radar)

This site uses SysWP Radar (radar.syswp.com.br), first-party analytics from our SysWP group. Radar records only:

  • URL visited
  • Referrer (where you came from)
  • User-agent (browser type, no personal identifiers)
  • Approximate country (via IP, then discarded)

What Radar does NOT do: no cookies, no device fingerprinting, no cross-site tracking, no linking visits to a personal identity, no sharing with anyone outside the SysWP group. Data stays hosted in Brazil.

3. Why we use your data (GDPR Art. 6 legal bases)

Purpose | Legal basis
Run the scan you requested | Contract (Art. 6(1)(b))
Email you the report link | Contract (Art. 6(1)(b))
Display the report publicly (free tier) | Consent (Art. 6(1)(a))
Maintain your account + dashboard | Contract (Art. 6(1)(b))
Process subscription payments via Stripe | Contract (Art. 6(1)(b))
Issue invoices / VAT records | Legal obligation (Art. 6(1)(c))
Send magic-link / verification emails | Contract (Art. 6(1)(b))
Prevent abuse (per-IP/email rate limit) | Legitimate interest (Art. 6(1)(f))
Measure site traffic (Radar) | Legitimate interest (Art. 6(1)(f))
Comply with legal obligations | Legal obligation (Art. 6(1)(c))

4. Who we share with

We share only what's strictly necessary to deliver the service. Each vendor below is a processor (GDPR Art. 28) that processes data on our behalf under a signed data processing agreement (DPA).

SysWP Radar

BR · radar.syswp.com.br

First-party analytics from the SysWP group. Receives URL visited, referrer, user-agent. No explicit personal data. Hosted in Brazil.

Resend

US · resend.com

Transactional email provider. Receives: your email + the report link email body. No marketing use. Resend retention policy: 30 days for sent messages.

OpenRouter / Anthropic

US · openrouter.ai

AI model router used to extract facts from the public policy of the site you submitted. Receives: public privacy-policy text of the scanned website (not your personal data). Configured with zero data retention on Anthropic models.

Browserless (self-hosted)

BR · browserless.syswp.online

Headless web page rendering (Chromium). Self-hosted on our Brazilian server. No third-party transfer and no retention.

Stripe

US / IE · stripe.com

Payment processor for paid plans. Stripe is an independent controller of card data — we never see your card number, CVV or full billing address. We receive only customer ID, subscription state, country code and the URL to your invoice. Stripe is GDPR-compliant, PCI-DSS Level 1 certified and a signatory of the EU-US Data Privacy Framework. Their privacy policy: stripe.com/privacy.

We do not sell your data. No sharing with ad networks, data brokers, social networks or marketing analytics tools.

5. International transfers (GDPR Chapter V)

Three of our processors (Resend, OpenRouter, Stripe) operate in or have US infrastructure. The transfer relies on the following safeguards:

  • Standard Contractual Clauses (SCCs) signed with each provider.
  • EU-US Data Privacy Framework (DPF), successor to Privacy Shield.
  • Minimum volume: we send only what's strictly required for the declared purpose.
  • You consent to this transfer when you submit a free scan.

UK residents: under UK GDPR these transfers rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs.

6. Cookies & local storage

We have no advertising cookies, no analytics cookies, no third-party trackers of any kind. You can verify this in DevTools (F12 → Application → Cookies). The only browser-side storage we use is described below — all of it is strictly necessary under GDPR Recital 30 / ePrivacy Directive Art. 5(3) and therefore does not require a consent banner.

6.1 What we store, where

Key | Where | Purpose | Lifetime
auditto_token | localStorage on auditto.pro | Keep you logged into /account/*. Set only after you sign in. | 30 days (or until logout)
auditto_sid | Cookie on api.auditto.pro (HttpOnly, Secure, SameSite=Lax) | Server-side session for the admin panel (SysWP staff only) and for OAuth callback flows. | 30 days
auditto_csrf | Cookie on api.auditto.pro (Secure, SameSite=Lax) | Anti-CSRF token for the admin panel. | Session
"banner dismissed", "i18n preference" | localStorage on auditto.pro | Remember UI preferences (which banner you closed, your language). | Until you clear browser data

6.2 Third-party browser storage

When you visit a public report page we embed nothing third-party. When you click Upgrade we redirect you to checkout.stripe.com — at that point Stripe sets its own cookies (out of our control, governed by Stripe's cookie policy). SysWP Radar (Section 2.5) is deliberately cookie-free.

6.3 How to disable

You can clear localStorage and cookies at any time from your browser settings — doing so will log you out and reset your UI preferences, but no data is lost on our side.

7. Retention

Data | Period
Scan reports (public + private) | 180 days after last access
Free-scan submitter email (no account) | 24 months after last scan
Account record (email, name, hash) | Until you delete your account
Magic-link / verification tokens | 24h (then auto-purged, used or not)
Session JWT in localStorage | 30 days (you can clear at any time)
Invoice / billing records | 5 years (tax law, GDPR Art. 6(1)(c))
Stripe customer ID after account deletion | Detached on our side; Stripe retains per their policy
Rate-limit log (IP) | 30 days
Server error logs | 90 days
Aggregated Radar metrics | Indefinite (no identification)

8. Your rights (GDPR Chapter III)

As a data subject under GDPR (Articles 15-22) you have the right to:

  • Access the data we hold about you (Art. 15).
  • Rectification of incomplete or inaccurate data (Art. 16).
  • Erasure ("right to be forgotten") of your data (Art. 17).
  • Restriction of processing in certain cases (Art. 18).
  • Data portability in a structured, machine-readable format (Art. 20).
  • Object to processing based on legitimate interest (Art. 21).
  • Withdraw consent at any time (Art. 7(3)).
  • Lodge a complaint with your national supervisory authority.

California residents have equivalent rights under the CCPA + CPRA (right to know, delete, correct, opt-out of sale/sharing, limit use of sensitive PI). UK residents have rights under UK GDPR.

Self-serve (recommended): if you have an Auditto account, you can export all your data as JSON or permanently delete your account with one click from /account/settings. Deleting your account also cancels any active Stripe subscription and unlinks your Stripe customer ID on our side.

Otherwise, write to dpo@auditto.pro. We respond within 30 days. Please identify yourself with the email you originally used so we can verify the request.

9. Security (GDPR Art. 32)

We apply technical and organisational measures appropriate to the risk:

  • TLS 1.2+ on every connection (HSTS preload).
  • bcrypt cost-12 hashing for all account passwords (admin + customer). Plaintext is never stored or logged.
  • API keys hashed with bcrypt — only the last 4 characters of the prefix are kept for UI display.
  • JWT session tokens signed with HMAC-SHA256; payload contains only the user UUID + expiry.
  • Database in a private VPC, only accessible from the project's internal network.
  • Access logs retained for 90 days.
  • Daily encrypted database backups.
  • Security headers: HSTS, CSP, X-Frame-Options DENY, restrictive Permissions-Policy.
  • Stripe webhooks verified with HMAC-SHA256 + 5-minute tolerance window (replay protection).
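The last item, webhook verification with an HMAC-SHA256 signature and a 5-minute tolerance window, is the one measure in this list that is easy to get subtly wrong, so here is an added example of how such a check is structured. It is not the project's code (the site's backend is PHP; this is Python for illustration): the header layout t=<unix timestamp>,v1=<hex HMAC> and the signed string <timestamp>.<raw body> follow the signature scheme Stripe documents for its Stripe-Signature header, while the endpoint secret, the event body and the timestamps are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

# Constructed values for the example; a real endpoint secret comes from the
# Stripe dashboard and is never committed to source.
ENDPOINT_SECRET = "whsec_example_secret_not_real"
TOLERANCE_SECONDS = 300  # the 5-minute replay window described in the policy


def _signature_for(secret: str, timestamp: int, payload: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>', hex-encoded."""
    signed = str(timestamp).encode("ascii") + b"." + payload
    return hmac.new(secret.encode("utf-8"), signed, hashlib.sha256).hexdigest()


def build_signature_header(secret: str, timestamp: int, payload: bytes) -> str:
    """Produce the header as the sender would; used here only to construct test input."""
    return f"t={timestamp},v1={_signature_for(secret, timestamp, payload)}"


def parse_signature_header(header: str) -> Tuple[int, List[str]]:
    """Split 't=...,v1=...' into the timestamp and every v1 signature present."""
    timestamp: Optional[int] = None
    signatures: List[str] = []
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep:
            continue
        if key == "t":
            timestamp = int(value)  # ValueError on junk is handled by the caller
        elif key == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        raise ValueError("malformed signature header")
    return timestamp, signatures


def verify_webhook(payload: bytes, header: str, secret: str,
                   now: Optional[int] = None,
                   tolerance: int = TOLERANCE_SECONDS) -> bool:
    """True only if the raw body is authentic AND its timestamp is within tolerance.

    The timestamp is part of the signed string, so the MAC is checked first;
    only then is the timestamp trusted for the replay-window decision. The raw
    bytes must be verified, not a re-serialised JSON object, or the MAC will
    not match.
    """
    try:
        timestamp, signatures = parse_signature_header(header)
    except ValueError:
        return False
    expected = _signature_for(secret, timestamp, payload)
    # Constant-time comparison so response timing does not leak the expected MAC.
    if not any(hmac.compare_digest(expected, sig) for sig in signatures):
        return False
    current = int(time.time()) if now is None else now
    # Replay protection: reject events signed too long ago (or too far ahead).
    return abs(current - timestamp) <= tolerance


if __name__ == "__main__":
    body = b'{"id":"evt_example","type":"checkout.session.completed"}'  # constructed
    ts = int(time.time())
    hdr = build_signature_header(ENDPOINT_SECRET, ts, body)
    print("fresh, genuine:", verify_webhook(body, hdr, ENDPOINT_SECRET))
    print("replayed 10 min later:", verify_webhook(body, hdr, ENDPOINT_SECRET, now=ts + 600))
    print("body altered:", verify_webhook(body + b" ", hdr, ENDPOINT_SECRET))
```

Two details carry the security value: the comparison is constant-time, and the window check uses the signed timestamp rather than anything an attacker could set independently, so an intercepted event cannot simply be re-sent later with a new clock value.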

10. Children

We do not direct our services to children under 16 (EU) / 13 (US). If we learn we have collected data from a child without parental consent we delete it immediately.

11. Changes to this policy

Material changes (new processors, new categories of data, retention changes) are notified by email to active users at least 30 days in advance. Cosmetic changes (wording, link fixes) are silent. The "Last updated" field at the top always reflects the current version.

12. Governing law

For EU residents this policy is governed by the General Data Protection Regulation (Regulation (EU) 2016/679) and the data-protection law of your member state. UK residents are covered by the UK GDPR and the Data Protection Act 2018. California residents are covered by the CCPA (as amended by CPRA).

13. Contact

Data Protection Officer (DPO): dpo@auditto.pro
General support: ola@auditto.pro
Supervisory authorities: EU residents can find their national DPA at edpb.europa.eu; UK residents at ico.org.uk; California residents at cppa.ca.gov.