AuditDrivenStart Audit

Privacy Policy

Last updated: April 2026

1. Data Controller

The data controller for personal data collected via auditdriven.com is Crosscheck AI Limited, a company registered in England and Wales (company number 15971170). Registered office: [TO BE FILLED IN BY USER]. ICO registration: [TO BE FILLED IN BY USER — ICO registration number].

Contact: privacy@auditdriven.com

2. What We Collect

When you purchase an audit, we collect:

  • Email address — to send your report and receipts
  • Intake form data — the specific information needed to generate your audit (e.g. tax code, payslip figures, contract text, tenancy details)
  • Payment metadata — Stripe session ID and payment intent ID. We do NOT store or see your card number
  • Technical metadata — a hashed IP address (for fraud prevention), user agent string, and referrer URL

3. Legal Basis (UK GDPR)

  • Contract performance (Art. 6(1)(b)) — to deliver the audit you purchased
  • Legitimate interests (Art. 6(1)(f)) — fraud prevention via hashed IP logging
  • Legal obligation (Art. 6(1)(c)) — retaining payment records for HMRC and accounting law

4. How We Use AI

Your intake form data is sent to Anthropic's Claude API to generate your audit report. Anthropic processes this data under a zero-retention commercial agreement — they do not train models on your data and do not retain inputs beyond the processing window. The request is encrypted in transit (TLS 1.3).

We do not send your data to OpenAI, Google, or any other AI provider.

5. How Long We Keep Data

  • Intake data and report content: automatically deleted 30 days after purchase. This is enforced by a scheduled function in our database
  • Payment records (email, order ID, amount, date): retained for 7 years per HMRC record-keeping requirements
  • Technical metadata (hashed IP, user agent): retained for 12 months for fraud analysis, then purged

6. Who We Share Data With

We share minimum-necessary data with:

  • Stripe (payment processing) — email + payment amount only
  • Anthropic (AI report generation) — your intake data only, under zero-retention terms
  • Resend (email delivery) — email address + report link only
  • Supabase (database hosting) — data stored in EU (West Europe) region, encrypted at rest
  • Cloudflare (hosting + analytics) — aggregate, non-personal traffic data

We do NOT share data with advertisers, marketers, data brokers, or any third party not listed above.

7. International Transfers

Some processors (Stripe, Anthropic, Resend) process data in the United States. These transfers rely on Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, combined with the UK-US Data Bridge.

8. Your Rights (UK GDPR)

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Erase data (subject to 7-year HMRC payment record retention)
  • Restrict processing
  • Object to processing based on legitimate interests
  • Data portability
  • Lodge a complaint with the Information Commissioner's Office (ICO)

To exercise any of these rights, email privacy@auditdriven.com. We respond within 30 days.

ICO: ico.org.uk · 0303 123 1113

9. Cookies

We use strictly necessary cookies only — for session security during checkout. We do not use tracking, advertising, or analytics cookies. We use Cloudflare Web Analytics, which is cookieless and privacy-preserving. No cookie banner is required because we use no non-essential cookies.

10. Security

All traffic is TLS 1.3 encrypted. Database encryption at rest (AES-256). Row-Level Security ensures no cross-customer data exposure. Report access is gated by cryptographically random access tokens (32 bytes). Stripe webhook signatures are verified on every event. We do not log raw intake data or PII in our application logs.

11. Children

AuditDriven services are for UK adults (18+). The UCAS Personal Statement Review product accepts content from applicants who may be 17 — parental consent is assumed for purchases made on behalf of a minor. We do not knowingly collect data from children under 13.

12. Changes

We may update this policy. Material changes will be notified via the email on file for any active customers. The "last updated" date at the top reflects the most recent change.