Privacy Policy

Last updated: April 1, 2026

AuditLift ("we", "us", "our") is a compliance readiness tool for startups and SMBs. This policy explains what data we collect, how we use it, and your rights over it. We've written this to be readable, not just legally defensible.

What we collect

Account information

When you sign up we collect your name, email address, and a hashed password (or, if you use GitHub OAuth, a token — we never see your GitHub password). We store your organization name, industry, team size, and the tech stack you describe during onboarding.

Compliance content

The core of the product. This includes evidence files you upload (screenshots, PDFs, certificates, logs), policies you generate or edit, and notes you attach to controls. This data belongs to you and is stored on your behalf.

Usage data

We log which features you use and when — for example, that a policy was generated or a control was marked complete. We do not record keystroke-level activity or sell behavioral data. We may use a product analytics tool (such as PostHog) to understand how the product is used in aggregate.

Payment information

Payments are processed by Stripe. We never see or store your full card number. We hold a Stripe Customer ID and Subscription ID to manage your billing status.

How we use your data

  • To provide and operate the AuditLift service
  • To send transactional emails — welcome, trial reminders, billing receipts, password resets
  • To compute your readiness score and generate your auditor export package
  • To improve the product based on aggregate usage patterns
  • To comply with legal obligations

We do not sell your data. We do not use your compliance content to train AI models.

Data storage and security

AuditLift is hosted on Railway (US-based infrastructure). Uploaded evidence files are stored on Cloudflare R2 object storage. Data is encrypted in transit (TLS) and at rest. Access to production systems is limited to the engineering team and protected by MFA.

We take compliance seriously — we use AuditLift ourselves to manage our own security posture.

Third-party services

We use the following third-party services to operate AuditLift:

  • Stripe — payment processing (stripe.com/privacy)
  • Resend — transactional email delivery (resend.com/privacy)
  • Railway — application hosting (railway.app/legal/privacy)
  • Cloudflare — file storage (cloudflare.com/privacypolicy)
  • GitHub — optional OAuth sign-in (docs.github.com/privacy)

Each of these providers has their own privacy policy governing how they handle data.

Data retention

We retain your data for as long as your account is active. If you delete your organization from within AuditLift, all associated data — evidence files, policies, control progress — is permanently deleted within 30 days. If you simply cancel your subscription without deleting your account, your data is retained in read-only form for 90 days before deletion.

Your rights

Depending on where you are located, you may have the right to:

  • Access — request a copy of the data we hold about you
  • Correction — ask us to correct inaccurate data
  • Deletion — request deletion of your account and associated data
  • Portability — export your compliance content via the Auditor Export feature at any time
  • Objection — object to processing of your data for analytics purposes

EU and UK users have these rights under GDPR. California residents have similar rights under CCPA. To exercise any of these rights, email us at hello@auditlift.app.

Cookies

We use a session cookie to keep you signed in. We do not use tracking cookies or third-party advertising cookies. If we add analytics, it will use first-party cookies only.

Changes to this policy

If we make material changes to this policy, we'll notify you by email and update the "Last updated" date above. Continued use of AuditLift after changes constitutes acceptance of the updated policy.

Contact

Questions about this policy or your data? Email us at hello@auditlift.app. We'll respond within 2 business days.