Privacy Policy

Effective June 24, 2026

This Privacy Policy explains how personal data is processed when you visit our website or use the Inaudity service (the "Service"). It is issued in accordance with Regulation (EU) 2016/679 (GDPR) and Act No. 18/2018 Coll. on the Protection of Personal Data.

1. Controller

The controller of your personal data is:
TBD, sole trader
TBD, Slovak Republic
IČO: TBD, registered in the Trade Register of the District Office Nitra under reg. no. TBD
E-mail: hello@inaudity.com

The controller has not designated a Data Protection Officer because such designation is not mandatory in our case under Art. 37 GDPR.

2. Categories of personal data

  • Account data: e-mail, name, organisation (optional), authentication identifiers, password hash, OAuth identifiers.
  • Billing data: invoicing details (name, business address, IČO/DIČ/IČ DPH), invoice metadata, payment status. Full payment-card data is processed by Stripe — we do not see or store it.
  • Usage data: scans you ran, reports generated, queries, settings, in-product events, timestamps.
  • Technical data: IP address, device, browser, language, referrer, cookies and similar identifiers, security logs.
  • Communications: e-mails and support tickets you send us.

3. What we do not process

We do not process personal data about the third-party vendors you scan beyond information publicly available on their websites and public sources. We do not notify or contact vendors about scans.

4. Purposes and legal bases

  • Providing the Service (Art. 6(1)(b) GDPR — contract): account creation, scans, reports, support.
  • Billing, accounting and tax (Art. 6(1)(c) GDPR — legal obligation): invoices, bookkeeping, statutory archiving.
  • Security, fraud and abuse prevention (Art. 6(1)(f) GDPR — legitimate interest in protecting the Service and users).
  • Product improvement and analytics (Art. 6(1)(f) GDPR — legitimate interest), using aggregated and pseudonymised data wherever possible.
  • Direct e-mails about your account and about our own similar services (Art. 6(1)(f) GDPR — legitimate interest, with opt-out).
  • Marketing e-mails and non-essential cookies (Art. 6(1)(a) GDPR — consent, revocable at any time).
  • Legal claims and compliance (Art. 6(1)(c) and (f) GDPR).

5. Recipients and sub-processors

We share personal data only with carefully selected processors bound by a data processing agreement (Art. 28 GDPR). Current categories of recipients:

  • Cloud hosting and database — Supabase / underlying cloud providers (EU region where available).
  • Payment processing — Stripe Payments Europe.
  • AI providers — large-language-model providers used via our AI gateway to generate report content. Prompts may include the vendor URL/domain and contextual instructions; we do not deliberately send your personal data into prompts.
  • E-mail delivery — transactional e-mail provider.
  • Analytics and error monitoring — product analytics and error-tracking providers.
  • Professional advisors — accountants, lawyers, auditors under confidentiality.
  • Public authorities — where required by law.

A current list of sub-processors is available on request at the controller's e-mail address.

6. International transfers

Where personal data is transferred outside the European Economic Area (e.g. to U.S.-based AI or infrastructure providers), the transfer is protected by appropriate safeguards under Chapter V GDPR, in particular the European Commission's Standard Contractual Clauses, the EU-U.S. Data Privacy Framework (where applicable), and supplementary measures such as encryption.

7. Retention periods

  • Account data: for the duration of the account and 12 months after closure (for re-activation and dispute handling), then deleted or anonymised.
  • Reports: for the duration of the account; they can be deleted earlier on request.
  • Invoices and accounting records: 10 years under Act No. 431/2002 Coll. on Accounting.
  • Tax-related records: as required by Act No. 595/2003 Coll. and related tax laws.
  • Security and access logs: up to 90 days, longer if necessary to investigate an incident.
  • Marketing consents: until withdrawn or after 3 years of inactivity.

8. Your rights

You have the following rights regarding your personal data:

  • right of access (Art. 15) and to receive a copy;
  • right to rectification (Art. 16);
  • right to erasure / "to be forgotten" (Art. 17);
  • right to restriction of processing (Art. 18);
  • right to data portability (Art. 20);
  • right to object, in particular to processing based on legitimate interest or for direct marketing (Art. 21);
  • right to withdraw consent at any time, without affecting prior lawful processing (Art. 7(3));
  • right not to be subject to a decision based solely on automated processing producing legal effects (Art. 22) — we do not take such decisions about you;
  • right to lodge a complaint with the supervisory authority: Úrad na ochranu osobných údajov SR, Hraničná 12, 820 07 Bratislava (dataprotection.gov.sk).

Requests can be sent to the controller's e-mail address. We respond within one month and may extend this period by two further months for complex requests. We may ask for reasonable verification of identity.

9. Cookies and similar technologies

We use strictly necessary cookies for authentication, session management and security. Analytics or marketing cookies, if any, are set only after you give consent via the cookie banner; consent can be withdrawn at any time via the cookie settings.

10. Security

We apply appropriate technical and organisational measures, including encryption in transit (TLS), access controls, least-privilege principles, logging and regular updates. No system is 100% secure; please notify us promptly of any suspected security issue.

11. Children

The Service is a B2B product and is not directed at persons under 16. We do not knowingly collect personal data from children.

12. Changes

We may update this Privacy Policy. Material changes will be announced by e-mail or in-product notice. The current version is always available at this URL with the effective date above.