AAuditus.ai

PRIVACY

Privacy policy

Last updated: 2026-06-11

Who we are

Auditus.ai is operated by The Upcapital Inc. (Ontario, Canada). Contact: ceo@theupcapital.com.

Data we collect

  • Account. Name, email, organization, role.
  • Audit data. Documents you upload, findings, comments, sign-offs, workpapers, activity trail.
  • Billing. Invoice address, province, tax id, Stripe customer id. We never see card numbers.
  • Cookies. Session (essential), locale + workspace preferences (functional), anonymous feedback ID (analytics).
  • Technical. Server logs hold short-lived request metadata (IP, user agent) for security.

Legal basis (GDPR Art. 6)

  • Contract. Processing required to provide the audit service you signed up for.
  • Legitimate interest. Security logs, fraud prevention, product analytics in aggregate.
  • Consent. Functional + analytics cookies. Withdrawable anytime via the cookie banner or your account.
  • Legal obligation. Tax and audit-record retention required by Canadian law.

AI processing

When you run the document analyzer, content is sent to Anthropic (Claude) under our Data Processing Agreement and used only to produce findings for your engagement. No model training is performed on your inputs. You can disable AI analysis on a per-engagement basis from the workspace.

Sub-processors

We use the following sub-processors. See the full sub-processor list for purpose, region, and DPA references.

Retention

  • Audit working papers: 7 years (CPAB / PCAOB AS 1215 minimum).
  • Account + billing records: 7 years (CRA tax retention).
  • Server access logs: 90 days.
  • Anonymous feedback: 24 months.
  • Deletion requests honored within 30 days, subject to legal-hold obligations.

Your rights

You can:

  • Access a machine-readable export at /accountExport my data.
  • Rectify inaccurate data from your account settings.
  • Erase your account and personal data at /accountDelete account.
  • Restrict, port, or object by emailing ceo@theupcapital.com.
  • Lodge a complaint with your data-protection authority (e.g., your EU DPA or the Office of the Privacy Commissioner of Canada).

International transfers

Some sub-processors are based in the United States. Where personal data of EU residents is involved, transfers rely on the EU Standard Contractual Clauses and supplementary measures (encryption in transit and at rest, access controls).

Security incidents

We notify affected users and competent supervisory authorities within 72 hours of becoming aware of a personal data breach likely to result in risk to rights and freedoms.

Changes

Material changes are versioned (currently: 2026-06-11) and re-prompt your cookie consent. We post the previous version on request.