Privacy Policy

Welcome to Pibicy! Your privacy is important to us. This Privacy Policy explains how we collect, use, and protect your personal and business data when you use Coauditor and related services ("Services"). By using our Services, you agree to the terms outlined in this Privacy Policy.

1. Information We Collect

a. Account Information

• Name, email, and contact details for communication and account management
• Organization name and details
• Authentication credentials (securely hashed)
• Role and permission settings

b. Audit-Related Data

• Project and engagement information
• Document requests and responses
• Uploaded documents (PDFs, spreadsheets, word documents, images, emails)
• Annotations, comments, and observations
• AI-generated analysis and findings

c. Usage Data

• Access logs and timestamps
• Feature usage patterns
• Browser and device information
• IP addresses

d. Payment Information

• Billing details are processed and stored by our payment processor, Stripe
• We do not store credit card numbers on our systems

2. How We Use Your Data

We use collected data to:

• Provide and maintain the Coauditor platform
• Process and analyze documents using AI capabilities
• Enable collaboration between audit teams and clients
• Send service-related communications
• Improve our platform and develop new features
• Ensure security and prevent fraud
• Comply with legal obligations

We do not sell your data to third parties.

3. Data Sharing

a. Within Your Organization

Data such as audit documents, comments, and metadata are accessible only to users within your organization's account, based on role-based access controls. Each organization's data is logically isolated at the database level.

b. Third-Party Services

We use the following third-party services:

• Amazon Web Services (AWS): Infrastructure hosting and data storage
• Stripe: Payment processing
• OpenAI & Google (Gemini): AI document analysis

These providers are contractually obligated to handle your data securely. AI providers process data according to enterprise API terms, which prohibit training on customer data.

4. Data Storage & Security

a. Hosting

• Primary infrastructure hosted on Amazon Web Services (AWS)
• Default region: US East (Ohio)
• Regional hosting available upon request

b. Encryption

• In Transit: TLS 1.2+ encryption for all data transmission
• At Rest: AES-256 encryption for stored data and backups
• Encryption keys managed through AWS Key Management Service (KMS)

c. Access Controls

• Role-based access ensures only authorized users can view or modify data
• Multi-tenant architecture with strict data isolation
• Support for Single Sign-On (SSO) via SAML 2.0 and OAuth 2.0

d. Monitoring

• Regular penetration testing and vulnerability scanning
• Comprehensive audit logging of user actions
• Continuous infrastructure monitoring

5. Data Retention

• Active subscriptions: Data retained for the duration of your subscription
• After cancellation: Data retained for 6 months to allow reactivation
• After 6 months: All customer data permanently deleted
• Immediate deletion: Available upon request at any time

Deletion requests are processed within 30 days. Backup deletion occurs within the normal rotation cycle (up to 35 days).

6. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of your personal data
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your data
• Portability: Request your data in a portable format
• Objection: Object to certain processing activities

You can access and update your personal information through your account settings, or contact us to exercise these rights.

7. Compliance

We are committed to data protection compliance:

• GDPR compliance for EU data subjects
• ISO 27001 certification (in progress)
• SOC 2 Type II certification (in progress)

8. Policy Updates

We may update this policy from time to time. We will notify users of material changes via email and in-application notification. Continued use of the Service after changes constitutes acceptance of the updated policy.

9. Contact Us

If you have any questions or concerns about this Privacy Policy, please contact us: