PayAudit - Privacy Policy

1. Introduction

PayAudit ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered invoice auditing platform.

By using PayAudit, you consent to the data practices described in this policy. If you do not agree with the terms of this policy, please do not use our service.

2. Information We Collect

Account Information:

Name and email address (for account creation)
Company name and business information
Authentication credentials (password, securely hashed)
Account preferences and settings

Document Data:

Contracts and supplier agreements (uploaded by you)
Invoices and billing statements (uploaded by you)
Extracted data (vendor names, line items, pricing, terms)
Audit results and discrepancy reports

Usage Data:

Login history and session data
Features used and actions taken
API request logs (for service functionality)
Performance and diagnostic data

3. How We Use Your Information

We use your information to:

Provide and maintain the PayAudit service
Process and analyze uploaded documents
Generate audit reports and discrepancy alerts
Improve our AI models and service quality
Communicate with you about your account and support requests
Process payments and manage billing
Comply with legal obligations

4. Data Processing & Third-Party AI

AI Processing: To provide AI-powered extraction and analysis, document content is transmitted to OpenAI's API. This is a critical component of our service—we cannot provide AI auditing without this processing.

When processing documents:

Document content is sent to OpenAI solely for text extraction and analysis
Documents are NOT used to train or improve OpenAI's models
We configure API calls to minimize data retention by OpenAI where possible
Extracted structured data is stored in your private, organization-specific database

OpenAI's data handling is governed by their Privacy Policy. We encourage you to review it.

5. Data Sharing & Disclosure

We do NOT sell your personal data or business documents to anyone.

We may share data only in these circumstances:

With your consent: When you explicitly authorize sharing
Service providers: With hosting providers (Render, Neon), payment processors (Stripe), and AI providers (OpenAI) necessary to deliver our service
Legal requirements: When required by law, subpoena, or government request
Business transfers: In connection with a merger, sale, or acquisition of company assets (data would remain subject to this policy)

6. Data Retention

We retain your data only as long as necessary to provide our service and fulfill the purposes outlined in this policy. PayAudit includes a configurable Data Retention Policy system — administrators can configure custom retention periods per document type. Default periods are shown below.

Data Type	Default Retention Period	Deletion Method
Account credentials	While account active + 30 days after deletion request	Upon account deletion (GDPR Art. 17)
Contracts	24 months from upload (configurable)	Automatic hard-delete after expiry (30-day warning email sent)
Invoices	12 months from upload (configurable)	Automatic hard-delete after expiry (30-day warning email sent)
Audit results	12 months from creation (configurable)	Automatic hard-delete after expiry (30-day warning email sent)
Access logs	12 months	Automatic deletion after retention period
Deletion audit trail	Permanently retained (compliance requirement)	Anonymized on account deletion (record remains, personal data removed)
Billing records	7 years (legal requirement)	Automatic deletion after retention period

Documents in active disputes are protected from auto-deletion until 90 days after resolution. Administrators can extend retention for individual documents via the Retention Dashboard.

7. Legal Basis for Processing (GDPR)

Processing Activity	Lawful Basis
Account registration and authentication	Contract (Art. 6(1)(b)) — necessary to provide the service
AI extraction of uploaded documents	Consent (Art. 6(1)(a)) — obtained at registration; withdrawable
Audit results and discrepancy records	Contract (Art. 6(1)(b)) — core service delivery
Email notifications about audits	Legitimate interest (Art. 6(1)(f)) — keeping users informed about their account activity
Marketing communications	Consent (Art. 6(1)(a)) — opt-in only; withdrawable at any time
Security and fraud prevention	Legitimate interest (Art. 6(1)(f)) — protecting users and the platform
Immutable audit trail (deletions)	Legal obligation (Art. 6(1)(c)) — compliance and accountability records

8. Your Rights

Regardless of your location, you have the right to:

Access (Art. 15): Download a complete copy of all your data — use the "Download My Data" button in your Account page for an automated ZIP export
Correction (Art. 16): Update your profile and account settings in real-time via your Account page
Erasure / "Right to be Forgotten" (Art. 17): Use the "Delete My Account" button in your Account page. This permanently deletes your account and all associated documents within seconds
Data Portability (Art. 20): The "Download My Data" export includes JSON exports of all your data in standard formats
Objection to Processing (Art. 21): Withdraw AI processing consent via Settings → Data Governance → Consent Records
Withdrawal of Consent: Withdraw marketing consent or AI processing consent at any time in Settings → Data Governance
Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority (e.g., ICO in the UK, or your EU member state's DPA)

To exercise rights not covered by in-app tools, contact privacy@payaudit.com. We respond within 30 days (72 hours for urgent data breach matters).

9. Data Security

We implement industry-standard security measures:

Encryption in transit: All data is transmitted over TLS
Encryption at rest: Sensitive credentials use AES-256-GCM
Access controls: Role-based access limiting data to authorized users
Authentication: JWT tokens with 7-day expiration
Monitoring: Regular security audits and monitoring

See our Security page for detailed technical measures.

10. Cookies & Tracking

Strictly Necessary Cookies Only: PayAudit uses only functional, strictly necessary cookies for authentication and session management. We do not use tracking, advertising, or analytics cookies.

Cookie	Purpose	Type	Duration
payaudit_token (HttpOnly cookie)	Authentication — stores your JWT session token. HttpOnly flag prevents JavaScript access (XSS-hardened)	Strictly Necessary	24 hours (auto-expires)
payaudit_user (localStorage)	User profile cache — avoids re-fetching on every page load	Strictly Necessary	Session
payaudit_cookie_consent (localStorage)	Remembers your cookie consent response	Preference	Indefinite (until cleared)

No third-party analytics, advertising networks, pixels, or tracking scripts are loaded. You can clear these at any time through your browser's developer tools or by signing out.

11. Third-Party Services & Sub-Processors

PayAudit uses the following third-party services:

OpenAI: AI document processing (data processing agreement in place)
Render: Cloud hosting infrastructure
Neon (PostgreSQL): Database hosting
Stripe: Payment processing

Each provider has their own privacy policy. We encourage you to review them. A Data Processing Agreement (DPA) is available upon request — see our Security page or email privacy@payaudit.com.

12. Children's Privacy

PayAudit is designed for business use and is not intended for children under 16. We do not knowingly collect personal information from children. If we become aware of such collection, we will delete it immediately.

13. International Data Transfer

PayAudit is hosted in the United States. If you access our service from outside the US, your data will be transferred to and processed in the US.

For EU/UK users: Data transfers outside the European Economic Area are protected by Standard Contractual Clauses or equivalent mechanisms. You may request details of these safeguards by contacting privacy@payaudit.com.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

Posting the updated policy on this page
Updating the "Last updated" date
Emailing registered users at least 30 days before changes take effect

Your continued use after changes take effect constitutes acceptance of the updated policy.

15. Data Breach Notification

In the event of a data breach that affects your personal data, we will:

Notify you within 72 hours of becoming aware of the breach
Describe the nature of the breach and the data affected
Outline steps we are taking to address the breach
Recommend measures you can take to protect yourself

16. Contact & Data Protection Officer

For questions about this Privacy Policy, to exercise your data rights, or to request a Data Processing Agreement (DPA), please contact:

PayAudit Privacy Team
Email: privacy@payaudit.com
Address: Wilmington, Delaware, USA
Response time: Within 30 days (72 hours for urgent data breach matters)

For EU/UK residents: You may also lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner's Office (ICO).