Privacy Policy

Version 1.3 • Effective: June 2026 • See Legal Changelog

Audit-IQ is operated by RIO ENTERPRISE, a proprietorship registered in India, trading as Audit-IQ ("Audit-IQ", "we", "our"). We are committed to protecting your personal information and maintaining transparency in how we process data. This Privacy Policy explains what data we collect, how we use it, and your rights.

Audit-IQ is designed to support compliance workflows relevant to Australian regulatory obligations, including those arising under the Privacy Act 1988 (Cth) as amended ("Privacy Act") and the Australian Privacy Principles ("APPs"). Whether the platform satisfies your specific regulatory obligations is a matter for your legal counsel to assess.

1. Scope & Roles

This Privacy Policy applies to personal data collected through the Audit-IQ website and platform. It is designed with reference to the Australian Privacy Principles under the Privacy Act 1988 (Cth), as amended, and applicable international data protection standards.

Where you create an account directly with Audit-IQ, we act as a data controller (or "APP entity" for Australian purposes) for your account and billing information.

Where you upload documents containing personal data on behalf of your organisation, you act as the data controller and Audit-IQ acts as a data processor, processing such data solely to provide the Service.

2. Information We Collect

a. Information you provide

  • Name, email address, company name, and account details
  • Billing and subscription information (processed via Stripe)
  • Documents and materials uploaded for analysis
  • Communications submitted through forms or support requests

b. Usage and technical data

  • IP address and device information
  • Browser type and operating system
  • Platform usage activity and feature interactions
  • Log files for performance monitoring and troubleshooting

c. Cookies

We use essential cookies to maintain secure sessions and enable platform functionality. We do not use advertising or third-party tracking cookies. Error monitoring (Sentry) may collect limited technical identifiers as part of its operational function.

3. Legal Basis for Processing

We process personal data based on one or more of the following grounds:

  • Performance of a contract (providing access to the Service)
  • Legitimate interests (improving security, reliability, and product performance)
  • Compliance with legal obligations
  • Your consent (where required)

For Australian customers, these grounds align with the primary purposes for collection under APP 3 and the use and disclosure principles under APP 6.

4. How We Use Your Information

We process data to:

  • Provide, operate, and maintain the platform
  • Process uploaded documents using AI systems
  • Respond to demo, sales, or support requests
  • Improve service accuracy, security, and performance
  • Communicate product updates and administrative notices
  • Prevent fraud, misuse, and unauthorised access

We do not sell personal data and do not use your content for advertising purposes.

5. Document & AI Processing

Documents uploaded to Audit-IQ are processed securely to generate regulatory insights, obligation extraction, and workflow outputs.

  • Customer content is processed only to provide the Service.
  • Audit-IQ does not intentionally use customer content to train AI models. We use commercially available AI API services (currently OpenAI) for document processing features. These services are governed by their respective API usage policies, which are designed for business workloads.
  • Access to content is restricted to authorised systems and personnel.
  • We apply technical safeguards to protect data in transit and at rest.

Customers with specific requirements regarding AI processing of their data should review our Data Residency Statement and contact us before uploading sensitive or regulated content.

6. Data Sharing & Subprocessors

We share limited data with trusted service providers strictly for operating the Service. Current subprocessors include:

  • Supabase — database, authentication, file storage
  • Fly.io — backend API hosting
  • OpenAI — AI-assisted document processing
  • Vercel — frontend application hosting
  • Stripe — payment processing
  • Resend / Zoho Mail — transactional email delivery
  • Sentry — error monitoring and observability

All subprocessors are engaged under contractual terms appropriate to their role. A full list, including processing locations, is available on our Subprocessors page.

Organisations that require a Data Processing Agreement (DPA) for procurement or regulatory purposes should review our DPA structure page and contact legal@audit-iq.com to request a reviewed draft.

7. International Data Transfers

Personal data processed through the Service may be transferred to, or accessed from, countries outside your jurisdiction. This occurs through our use of third-party infrastructure providers, AI inference services, monitoring tools, email delivery services, and payment processors — most of which are primarily located in the United States.

Categories of processing that routinely involve cross-border data transfer include:

  • AI-assisted features — document analysis involves OpenAI (United States)
  • Backend API processing — API requests are served from Fly.io (United States primary)
  • Payment processing — handled by Stripe (United States primary)
  • Transactional email and monitoring — see our Subprocessors page for provider details

Where cross-border transfers occur, we implement contractual arrangements with subprocessors appropriate to their role. For Australian customers, cross-border disclosures are made in accordance with APP 8 of the Privacy Act 1988 (Cth). These arrangements do not constitute a representation of compliance with any specific regulatory framework.

Customers with regulatory obligations governing cross-border data transfers should conduct their own assessment before uploading sensitive personal data. See our Data Residency Statement and contact legal@audit-iq.com for procurement discussions.

8. Data Retention

We retain personal data only as long as necessary for the purposes set out in this policy:

  • Account and profile data: retained while your account is active, and for up to 12 months after account closure (unless earlier deletion is requested)
  • Workspace and project data: retained while your account is active; deleted or de-identified within 60 days of account closure following the 30-day export window
  • Billing and financial records: retained for 7 years from the date of transaction, or as required by applicable tax and financial law
  • Legal acceptance records: retained indefinitely for audit and legal enforceability purposes
  • Operational and security logs: retained for up to 12 months unless required for ongoing incident investigation or legal compliance

You may request deletion of personal data at any time (see Section 9). Where deletion would conflict with a legal obligation or legitimate operational requirement, we will inform you of the basis for retaining it.

9. Your Rights

Subject to applicable law, you may:

  • Request access to your personal data (we will respond within 30 days)
  • Request correction of inaccurate data
  • Request deletion of personal data (subject to legal retention requirements)
  • Object to or restrict certain processing
  • Withdraw consent where processing is based on consent

Requests may be submitted to privacy@audit-iq.com. We will respond within 30 days and will notify you if additional time is required.

Australian customers: If you are located in Australia and have a privacy concern that we have not resolved to your satisfaction, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

10. Security

We implement reasonable technical and organisational measures to protect personal data, including:

  • Encrypted transmission (HTTPS / TLS 1.2+)
  • Encryption at rest (AES-256 via Supabase managed storage)
  • Access controls, role-based permissions, and organisation isolation
  • Monitoring, logging, and incident response procedures

In the event of a data breach that is likely to result in serious harm to individuals, we will notify affected parties and, where required, the Office of the Australian Information Commissioner, in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth) and any other applicable breach notification obligations.

Additional details are available on our Security page.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect regulatory changes or product updates. Where changes are material, we will provide at least 14 days' advance notice through the platform or by email to the address associated with your account.

12. Contact

Audit-IQ (operated by RIO ENTERPRISE) is the data controller for personal data collected directly through the platform.

For privacy-related questions or requests: