Privacy Policy
Last updated: May 13, 2026
1. Personal data controller
The controller of your personal data is:
MROZ.CONSULTING Marek Mróz
ul. Okrężna 17F, 05-506 Lesznowola, Poland
NIP: 9222707242 | REGON: 060219022
E-mail: [email protected]
Audit AI has not appointed a Data Protection Officer. For matters related to personal data processing, you can contact the Controller directly at the e-mail address listed above.
2. What data we collect and why
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| E-mail address | Sending audit results, unlocking the full report, handling purchases and subscriptions, and marketing communication (with consent) | Article 6(1)(b) and Article 6(1)(a) |
| Audited website URL | Performing the AI Readiness analysis | Article 6(1)(b) |
| IP address | Rate limiting, abuse prevention, and security logs | Article 6(1)(f) |
| Transaction data (Stripe) | Processing payments for fix code and Care subscriptions | Article 6(1)(b) |
| Browser and device data (Google Tag Manager, Google Analytics 4) - anonymized traffic statistics, no marketing profiling | Traffic analysis and service optimization | Article 6(1)(f) |
| Content submitted through the contact form | Replying to questions and handling Team service inquiries | Article 6(1)(b) and Article 6(1)(f) |
We do not process sensitive data (special categories of personal data) within the meaning of the GDPR.
3. Data recipients (processors)
Your data may be shared with our service providers only to the extent necessary to achieve the purposes listed above:
- Stripe, Inc. - online payment processing
- Resend, Inc. - transactional e-mail delivery
- Cloudflare, Inc. - DNS protection, CDN, WAF, and traffic logs
- OpenAI - ChatGPT models (generating reports and fix code)
- xAI - Grok4 models (generating reports and fix code)
- Google - Gemini 3 models (generating reports and fix code)
- Meta - Llama4 models (generating reports and fix code)
- Abacus AI - generating audit reports and fix code
- OpenRouter - AI request routing / transport
- Perplexity - Perplexity Sonar models (generating reports and fix code)
- Google LLC - Google Tag Manager and traffic analytics (Google Analytics 4) for anonymized visit statistics
- Sentry - application error monitoring, failure diagnostics, and service stability
- Discord - technical and operational notifications for the Service Provider's team, such as error or payment alerts
- Redis (self-hosted) - temporary storage of session data and cache (24h); the server is located on a dedicated VPS in the EU (Hostinger, Vilnius, Lithuania)
4. Transfers outside the EEA
Some of our providers (Stripe, Cloudflare, OpenAI, xAI, Google, Meta, Abacus AI, OpenRouter, Perplexity, Resend, Sentry, Discord) process data on servers located outside the EEA, including in the United States. Transfers are made only on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission and additional technical and organizational safeguards that provide a level of protection corresponding to GDPR requirements.
5. Data retention
| Data category | Retention period |
|---|---|
| Audit reports (including URL and results) | 30 days from generation, then automatically deleted |
| E-mail addresses (contact / unlock) | Until an objection is raised or deletion is requested |
| Purchase data (Stripe) | 5 years - legal requirement (tax and accounting) |
| Server logs (IP, timestamp) | 30 days |
| Care subscription data | For the subscription term and 2 years after it ends |
6. Your rights
You have the following rights under the GDPR:
- Right of access to your data and to receive a copy
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten") if there are no grounds for further processing
- Right to restriction of processing
- Right to data portability - to receive data in a structured format
- Right to object to processing based on legitimate interest
- Right to withdraw consent at any time (without affecting the lawfulness of processing before withdrawal)
- Right to lodge a complaint with the President of the Personal Data Protection Office in Poland (PUODO)
To exercise your rights, send a message to: [email protected]. We respond within 30 days.
7. Cookies and tracking technologies
Our website uses cookies. We divide them into:
- Essential - required for the service to work properly (for example session handling, language selection, and Stripe security). They do not require consent.
- Analytics - Google Tag Manager and Google Analytics 4 collect anonymized traffic statistics (number of visits, traffic sources, time on page, navigation errors). They are disabled by default and only enabled after you consent.
- Marketing - cookies for remarketing and ad performance measurement (for example Google Ads, Meta). They are disabled by default and only enabled when you explicitly consent.
You grant analytics and marketing cookie consent voluntarily through the consent panel. Until you make a choice, we send Google Consent Mode v2 denied signals, so analytics and advertising tags do not write cookies or read device identifiers.
How to change consent: click the "Cookie settings" link in the footer of any page. This opens a panel where you can withdraw or change consent for individual categories at any time. We store your preferences in the cc_cookie cookie for 12 months.
8. Data security
We use technical and organizational measures to protect personal data: SSL/TLS encryption, access limited to authorized persons, regular software updates, and production environment isolation. However, we do not guarantee 100% security of data transmission over the Internet - you use the service at your own risk to the extent permitted by law.
9. Changes to this Privacy Policy
We may update this Privacy Policy as the service develops or laws change. We will inform you about material changes by e-mail or by a notice in the service. The last updated date appears at the top of this document.
10. Contact
For matters related to personal data, contact us at: