Privacy Notice

Last updated: 16th March 2026

This Privacy Notice explains how Audit Portal (“Audit Portal”, “we”, “us”, “our”) collects, uses, stores and shares personal data when you:

  • visit our website;
  • contact us;
  • submit an enquiry;
  • request a demo;
  • subscribe to or use our services; or
  • otherwise interact with us in a business context.

Audit Portal is a business-to-business provider of an internal audit platform and compliance tracker.

1. Who we are

Data controller: Audit Portal
Contact email: privacy@auditportal.co.uk

For most website, enquiry, sales, billing and account administration activities, we act as the controller of your personal data.

Where our customers upload personal data into the Audit Portal platform and we process that data on their behalf, we usually act as a processor and the relevant customer acts as the controller.

2. The personal data we collect

We may collect and use the following categories of personal data.

Enquiry and contact data

  • name;
  • business email address;
  • telephone number;
  • company name;
  • job title;
  • details contained in your message or enquiry submission.

Account and customer relationship data

  • account owner and user details;
  • login and profile information;
  • billing contact details;
  • subscription records;
  • support requests and correspondence;
  • service communications.

Technical and usage data

  • IP address;
  • browser type and version;
  • device and operating system information;
  • access timestamps;
  • log and diagnostic data;
  • website and platform usage information.

CAPTCHA and form protection data

If you submit an enquiry through our website, we may use CAPTCHA or similar anti-abuse tools to help prevent spam, automated abuse and malicious submissions. This may involve processing technical information such as IP address, browser or device signals, and interaction data relevant to the security check.

Customer-provided platform data

If you use the platform, customer users may upload information including audit records, action logs, notes, evidence files, contact details and other business records. That content may include personal data.

We do not intend the service to be used for special category personal data unless clearly necessary and appropriately controlled by the customer.

3. How we collect personal data

We collect personal data:

  • directly from you when you contact us, submit a form, request a demo, create an account, subscribe or use the service;
  • from your organisation where it creates or manages your user account;
  • automatically through your use of our website or platform, including certain technical logs and security records;
  • from service providers involved in hosting, security, communications or support.

4. How we use personal data and our lawful bases

We use personal data for the following purposes.

To respond to enquiries and demo requests

We use contact details and correspondence to respond to enquiries, provide information about the service and arrange demonstrations.

Lawful basis: legitimate interests, namely operating and promoting our business and responding to business enquiries.

To provide and administer the service

We use account and user data to create accounts, authenticate users, administer subscriptions and provide the platform.

Lawful basis: performance of a contract, or taking steps at your request before entering into a contract.

To manage the customer relationship

We use contact, account and billing data to provide support, send service messages, issue invoices and manage renewals.

Lawful basis: performance of a contract and legitimate interests in running and administering the service.

To maintain security and prevent misuse

We use technical data, logs and CAPTCHA-related information to maintain the security of the website and platform, detect abuse, prevent spam, investigate issues and protect our systems and users.

Lawful basis: legitimate interests in securing our website, platform and business operations.

To comply with legal obligations

We may use personal data where necessary to comply with applicable laws, lawful requests, accounting obligations or legal claims.

Lawful basis: legal obligation, and where relevant legitimate interests in establishing, exercising or defending legal claims.

To send business communications

We may send business communications relating to our services where permitted by law.

Lawful basis: legitimate interests in promoting and developing our business, or consent where required.

5. When we act as processor

When a customer uploads personal data into the platform for its own audit, governance or compliance purposes, we generally process that data on the customer’s behalf.

In those circumstances:

  • the customer is usually the data controller;
  • Audit Portal is usually the data processor; and
  • our processing is governed by our contract and data processing agreement with that customer.

If you are an end user whose personal data has been uploaded to the platform by one of our customers and you want to exercise your rights in relation to that data, you should usually contact the relevant customer first.

6. Who we share personal data with

We may share personal data with:

  • Supabase for backend and database hosting;
  • Netlify for website or application hosting and deployment;
  • email or communications providers used for service messages and notifications;
  • professional advisers such as legal, insurance or accounting advisers where necessary;
  • regulators, courts, law enforcement or other authorities where required by law;
  • a prospective purchaser of the business, where relevant and subject to appropriate confidentiality measures.

We do not sell personal data.

7. International transfers

We aim to use service providers and hosting arrangements appropriate for our business and customers.

If personal data is transferred outside the UK, we will only do so where a lawful transfer mechanism is in place, such as adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another lawful safeguard.

8. Data retention

We keep personal data only for as long as reasonably necessary for the relevant purpose, including to provide services, maintain business records, resolve disputes, enforce contracts and comply with legal obligations.

Typical retention periods may include:

  • enquiry data: up to 24 months after the last meaningful contact;
  • customer account, subscription and billing records: for the duration of the contract and then for up to 6 years where required for tax, accounting or legal purposes;
  • technical logs and security records: for a limited period appropriate to security, troubleshooting and service administration;
  • platform data: in accordance with the relevant customer contract and data processing agreement, plus any short post-termination export or deletion period.

9. Your rights

Depending on the circumstances, you may have the right to:

  • request access to your personal data;
  • request correction of inaccurate personal data;
  • request erasure of your personal data;
  • request restriction of processing;
  • object to processing;
  • request portability of your personal data;
  • withdraw consent, where consent is the lawful basis.

To exercise any of these rights, contact us at privacy@auditportal.co.uk.

Where we act only as processor on behalf of a customer, we may need to refer your request to that customer.

10. Complaints

If you have concerns about how we handle personal data, contact us first at: privacy@auditportal.co.uk

You also have the right to complain to the Information Commissioner’s Office (ICO) if you believe your data protection rights have been breached.

11. Security

We use reasonable technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration or disclosure. These measures may include access controls, authentication controls, encryption in transit, role-based permissions, secure hosting arrangements and other appropriate security measures.

12. Cookies and similar technologies

Our website uses cookies or similar technologies to operate, secure and improve the site.

Some cookies or similar technologies may be strictly necessary for the website to function properly, including security-related features and form protection mechanisms.

We also use CAPTCHA on enquiry submissions to help detect and block spam or automated abuse. CAPTCHA or similar technologies may process technical information such as IP address, browser details, device signals and user interaction data in order to perform that security function.

Where we use any non-essential cookies or similar technologies, we will seek consent through our cookie banner before setting them.

Further details will be provided in our Cookie Notice.

13. Third-party services and links

Our website or service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. You should review their privacy notices separately.

14. Changes to this notice

We may update this Privacy Notice from time to time. The latest version will always be published on our website with the updated date shown at the top.