Legal
Privacy Policy
Last updated: June 11, 2026
1. Who we are
Audvera AI, Inc. (“Audvera”, “we”, “us”) provides an AI-native audit management and GRC platform at audvera.com. This policy explains what personal data we collect, how we use it, and the choices you have. It applies to our websites, the free risk assessment, trials, and the Audvera application.
2. Two kinds of data
We distinguish between personal data we control (your name, email, billing details, usage analytics) and customer audit content we process on your behalf (engagements, risks, controls, workpapers, evidence files your team uploads). For audit content, your organization is the data controller and Audvera acts as a processor under your instructions.
3. Data we collect
- Account and lead data. Email address, name, organization, and role when you request the free risk assessment, start a trial, or create an account.
- Customer audit content. Engagement plans, risk registers, controls, test results, findings, and evidence files your team creates or uploads.
- Billing data. Processed by Stripe. We never store full card numbers.
- Usage data. Product analytics (pages viewed, features used) via PostHog. Session replay, where enabled, masks sensitive fields and audit content.
4. How we use data
- To provide and operate the service, including AI-assisted drafting you request.
- To send transactional email: magic links, trial onboarding, billing notices.
- To send your assessment results and a short follow-up sequence after the free risk assessment. Every non-essential email includes an unsubscribe link, and we honor opt-outs immediately.
- To improve the product based on aggregate usage patterns.
- To respond to support requests and meet legal obligations.
We do not sell personal data. We do not share it with advertisers.
5. Legal bases
Where the GDPR or similar laws apply, we process personal data on these bases: performance of a contract (operating your account and the service); legitimate interests (securing the service, understanding product usage, and communicating with business contacts about relevant features); consent where required (for example, non-essential communications); and compliance with legal obligations.
6. AI processing
When you use AI features, the relevant engagement context is sent to Google’s Gemini API to generate the draft you requested. Google processes that data under its paid API terms: your audit content is not used to train Google’s models, and Google retains it only for the limited period its API terms allow for abuse and misuse monitoring. We do not use your audit content to train AI models either — ours or anyone else’s. Every AI generation is logged so your team can see what was generated, from what inputs, and who reviewed it.
7. Subprocessors
We use a small set of infrastructure providers:
- Cloud hosting and database infrastructure (United States)
- Stripe — payment processing
- Resend — transactional email delivery
- PostHog — product analytics
- Google (Gemini API) — AI model inference (United States)
We engage subprocessors only after reviewing their data protection terms. Customers can request the current subprocessor list and our data processing addendum at info@audvera.com; customers with an executed addendum receive notice of subprocessor changes.
8. International data transfers
Audvera is operated from the United States, and personal data is processed there. Where we receive personal data protected by the GDPR or UK GDPR, we rely on appropriate safeguards for the transfer, including standard contractual clauses with our subprocessors.
9. Cookies
We use strictly necessary cookies for authentication and session security, and first-party analytics cookies to understand product usage. We do not use third-party advertising cookies.
10. Retention and deletion
Customer audit content is retained for the life of your subscription and deleted on verified request after termination, subject to a limited backup-rotation window. Expired trial workspaces are retained for at least 30 days so you can convert without losing work, and may be deleted after that. Lead data from the free assessment is retained while we have an active relationship with you and no longer than 24 months after your last interaction — or until you ask us to delete it. Email info@audvera.com to request deletion.
11. Security
Data is encrypted in transit and at rest. Access is tenant-isolated at the query level, role-based within your workspace, and logged. Audit trails in the product are append-only. We notify affected customers of security incidents without undue delay.
12. Your rights
Depending on your jurisdiction (including GDPR and CCPA), you may have rights to access, correct, export, or delete your personal data, and to object to certain processing. We do not sell personal information, and we do not share it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. You will not be discriminated against for exercising privacy rights. Contact info@audvera.com and we will respond within the timelines required by applicable law. If your data is in a customer workspace, we may direct your request to that customer as the controller.
13. Children
Audvera is a business tool and is not directed to children. We do not knowingly collect personal data from anyone under 16; if you believe a child has provided us data, contact us and we will delete it.
14. Changes
We will post updates to this policy here and update the date above. Material changes affecting customer data handling will be communicated by email.
15. Contact
Audvera AI, Inc. · info@audvera.com