Audit It
| Effective date | 5 June 2026 |
|---|---|
| Version | 2.0 |
| Legal entity | Audit It Limited — Company No. 17258971 |
| Registered office | 19A Singleton Court, Wonnastow Road, Monmouth, NP25 5JA, United Kingdom |
| ICO registration | ZC173112 |
| Website | https://auditit.io |
| Contact | contact@auditit.io |
1. Introduction
This Privacy Policy explains how Audit It Limited ("Audit It", "we", "us" or "our") collects, uses, stores, shares and protects personal data in connection with our Software-as-a-Service platform (the "Platform"), our websites, and related services.
Audit It provides tools that enable marketing agencies, freelancers and businesses (our "Customers") to capture leads and generate automated marketing audits, including audits of advertising performance. This policy describes the personal data involved in those activities and the rights available to the individuals it relates to.
We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR) where applicable, and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) and other applicable United States privacy laws where they apply to our processing.
Where a Customer or authorised user connects a Google account to the Platform, Section 6 (Google User Data and the Google Ads API) applies in addition to the rest of this policy.
2. About Audit It and the Platform
The Platform allows a Customer to build a branded contact form that captures the contact details of the Customer's prospects and, at the same time, runs an instant automated audit. Audit It currently offers three audit products — search engine optimisation (SEO), user experience (UX) and web development — and is introducing advertising performance audits, including audits based on data from Google Ads and Meta Ads.
The audit outputs are made available to the Customer to help them advise their own clients and prospects. Audits are generated automatically and are advisory only.
3. Data Protection Roles
Audit It's role under data protection law depends on the data in question:
- Controller – for Customer account data, billing data and security data, for which we determine the purposes and means of processing.
- Processor – for prospect data and advertising data, which we process only on the documented instructions of the Customer.
Customers act as controllers of the prospect data and advertising data they collect and connect through the Platform, and are responsible for the lawful collection and use of that data, including providing any required notices and obtaining any required consents.
4. Categories of Data We Collect
We collect and process the following categories of data:
| Category | What it includes |
|---|---|
| Customer data | Name, business name, email address, account credentials, and contact and billing details of the agencies, freelancers and businesses that use the Platform. |
| Prospect data | Information submitted through Customer-built contact forms, such as name, email address, telephone number, website domain and enquiry details of the Customer's prospects. |
| Technical & website data | Website structure, content, configuration and performance metrics analysed during an audit. |
| Advertising data | Data accessed from advertising platforms (for example Google Ads and Meta Ads), such as campaign structure, ad groups, creatives, performance metrics (impressions, clicks, CTR, conversions, cost and ROAS) and configuration (bidding strategies and targeting). |
| Usage & log data | IP address, device and browser information, and log and diagnostic data generated when the Platform is used. |
| Cookie data | Identifiers and preferences set through cookies and similar technologies (see Section 16). |
We do not store full payment card details. Card payments for the Platform are processed by a third-party payment processor, and we do not access the payment or financial account information held in a connected advertising account.
5. How We Use Personal Data
We use personal data to:
- provide the Platform and generate audit reports requested by Customers and their users;
- deliver insights and outputs to Customers;
- administer accounts, process billing and provide customer support;
- maintain, secure, monitor and improve the Platform and prevent fraud and abuse;
- communicate with Customers about the service and, where permitted, about related offerings; and
- comply with our legal and regulatory obligations.
6. Google User Data and the Google Ads API
6.1 Overview
This section explains how Audit It accesses, uses, stores, shares and deletes data obtained through Google APIs, including the Google Ads API, and how that handling complies with the Google API Services User Data Policy. It applies whenever a Customer or authorised account owner connects a Google account to the Platform.
6.2 Data we access
With the user's authorisation, and using read-only access only, Audit It may access the following categories of Google Ads data:
- campaign identifiers and structure;
- ad groups, ads and ad creative data;
- performance metrics, such as impressions, clicks, click-through rate (CTR), conversions, cost data and return on ad spend (ROAS); and
- campaign configuration settings, such as bidding strategies and targeting parameters.
6.3 How we access it
Audit It accesses Google Ads data only through Google's secure OAuth 2.0 authorisation framework, and only after the user has explicitly granted access. We request the minimum scopes necessary to provide the audit, and we request access in context. Audit It uses strictly read-only access and does not create, edit, modify or publish campaigns, budgets, advertisements or account settings, and does not access billing, payment or financial account information held in the connected Google account.
6.4 How we use it
Data obtained through the Google Ads API is used solely to generate the automated audit reports that the user has requested, in order to help advertisers understand and improve their advertising performance. It is not used for any other purpose.
6.5 Limited Use commitment
The following statement is the central commitment governing our handling of Google user data:
Consistent with the Limited Use requirements of the Google API Services User Data Policy, Audit It affirms that information received from Google APIs is not:
- used or transferred for serving advertising, including retargeting, personalised or interest-based advertising;
- used or transferred to determine creditworthiness or for lending purposes;
- sold, or transferred to data brokers, information resellers or other information service providers;
- used to train, fine-tune or improve generalised or non-personalised artificial intelligence (AI) or machine-learning (ML) models, nor transferred for such purposes; or
- read by any human, except: (a) with the user's explicit prior consent for specific data; (b) where necessary for security purposes, such as investigating abuse; (c) to comply with applicable law; or (d) where the data has been aggregated and anonymised and is used for internal operations in accordance with applicable law.
Audit It does not aggregate Google Ads data across customers and does not use it to build any independent profile of, or commercial relationship with, the connected advertiser. We process advertising data strictly on behalf of the Customer and the authorised account owner.
6.6 Storage and retention
Raw Google Ads data is processed transiently for the sole purpose of generating the requested audit and is not retained beyond what is necessary to produce that audit. Only the resulting audit report and minimal operational logs are retained (see Section 11). OAuth tokens are encrypted, access-controlled and automatically deleted within 24 hours.
6.7 Sharing
Google user data is made available only to the authorised advertising account owner and to the Customer (form owner) who requested the audit, and solely for that purpose. It is not disclosed to any other third party, except to subprocessors that are strictly required to host, secure or deliver the service and that are bound by contractual confidentiality and data-protection obligations consistent with this policy and with Google's requirements.
Customers and authorised account owners may export an audit report, including a report containing Google Ads data, as a PDF document. Exports are available only to those same authorised recipients, only from within their authenticated Audit It account, and are delivered over encrypted (HTTPS) connections. We do not provide public or unauthenticated links to audit reports.
6.8 Revoking access and deleting your data
You may revoke Audit It's access to your Google account at any time:
- by disconnecting the Google integration within the Audit It platform;
- by removing Audit It's access in your Google Account security settings at https://myaccount.google.com/permissions; or
- by contacting us at contact@auditit.io.
On revocation, Audit It stops accessing the relevant Google data and any associated OAuth tokens are deleted. You may also request deletion of audit reports generated from your Google data by contacting us.
7. Lawful Bases for Processing (UK/EU)
Where the UK GDPR or EU GDPR applies, we rely on the following lawful bases:
| Purpose | Lawful basis |
|---|---|
| Providing the Platform and audit services to Customers | Performance of a contract (Article 6(1)(b)). |
| Account administration, billing and support | Performance of a contract; legitimate interests (Article 6(1)(f)). |
| Processing prospect and advertising data on Customer instructions | Processed on behalf of the Customer, who is the controller; Audit It acts as processor. |
| Security, fraud prevention and service integrity | Legitimate interests; legal obligation where applicable. |
| Marketing communications to Customers | Consent and/or legitimate interests. |
| Complying with legal obligations | Legal obligation (Article 6(1)(c)). |
8. Automated Processing
Audit reports are generated automatically. They are advisory only and are intended to support human decision-making. They do not produce legal or similarly significant effects on individuals, and we do not use them to make solely automated decisions of that kind within the meaning of Article 22 of the UK/EU GDPR.
9. Data Sharing and Subprocessors
We share personal data only where necessary, and only with:
- subprocessors that provide services such as cloud infrastructure and hosting, security and monitoring, analytics, payment processing and communications;
- the authorised account owner and the Customer who requested an audit, in respect of that audit; and
- competent authorities, regulators or advisers where required by law or to protect our rights.
All subprocessors are engaged under written data processing agreements that require them to protect personal data, keep it confidential and process it only in accordance with our instructions. We do not sell personal data. Our current subprocessors are:
| Subprocessor | Service provided | Personal data involved | Location |
|---|---|---|---|
| Replit, Inc. | Cloud hosting and infrastructure for the Platform and its database | Customer account data, prospect data, audit reports, operational logs | United States |
| Stripe, Inc. / Stripe Payments Europe Ltd | Subscription billing and payment processing | Customer billing details; full card data is held by Stripe, not by us | United States / Ireland |
| Zoho Corporation | Business email (our support and privacy contact inbox) | Contents of correspondence, including any personal data emailed to us | European Union (Zoho EU data centre) |
| Resend, Inc. | Transactional email delivery (account and audit notification emails) | Names, email addresses, message content | United States |
| Google LLC | Google Analytics 4 — website and product usage analytics | Pseudonymous identifiers, device and usage data (with consent where required) | United States |
We will update this list when our subprocessors change. Google Ads and Meta Ads are not subprocessors: they are the advertising platforms whose data our users choose to connect for audits, and our handling of that data is described in Section 6.
10. International Data Transfers
The Platform is hosted in the United States by Replit, Inc., and some of our other subprocessors listed in Section 9 also process personal data in the United States. This means that personal data we handle, including data processed on behalf of our Customers, is transferred outside the United Kingdom and the European Economic Area.
Where we transfer personal data internationally, we rely on appropriate safeguards: the UK Extension to the EU–US Data Privacy Framework where the recipient is certified under it; otherwise, the UK International Data Transfer Agreement or the European Commission's Standard Contractual Clauses together with the UK International Data Transfer Addendum, supplemented by additional measures where appropriate. Transfers to jurisdictions covered by UK adequacy regulations (such as the European Economic Area, which covers our Zoho EU email hosting) do not require additional safeguards. Further information about the safeguards we use is available on request.
11. Data Retention
We apply data-minimisation and retention principles and keep personal data only for as long as necessary for the purposes set out in this policy:
| Data | Retention period |
|---|---|
| Customer account and profile data | For the life of the account and for 90 days after account closure, after which it is deleted unless a longer period is required by law. |
| Billing and transaction records | As required for tax, accounting and legal purposes (in the UK, generally six years). |
| Prospect data | Controlled by the Customer; retained only as long as the Customer instructs, then deleted or returned. |
| Raw advertising data from Google Ads API | Processed transiently to generate the audit; not stored long-term. |
| Audit reports | 12 months by default, unless the Customer deletes them earlier or configures a shorter period. Exported copies are outside our systems (see Sections 6.7 and 18). |
| OAuth tokens (Google) | Encrypted and automatically deleted within 24 hours. |
| Operational and security logs | Retained for a limited period for security and service integrity, then deleted or anonymised. |
12. Security
We implement appropriate technical and organisational measures to protect personal data, including encryption of data in transit and at rest, access controls and least-privilege principles, secure handling and short-lived storage of OAuth tokens, and logging and monitoring of our systems. While no system can be guaranteed to be completely secure, we take reasonable and appropriate steps to protect the data we hold.
13. Data Breach Notification
If a personal data breach occurs, we will assess it and, where required, notify the relevant supervisory authority and affected Customers without undue delay and in accordance with applicable law. Where we act as a processor, we will notify the relevant Customer (controller) so that they can meet their own notification obligations.
14. Your Rights (UK/EU)
Subject to applicable law, individuals in the UK and EEA have the right to: access their personal data; request rectification of inaccurate data; request erasure; restrict or object to processing; request data portability; and, where processing is based on consent, withdraw that consent at any time. Where we act as a processor, we will refer requests to the relevant Customer and assist them in responding. To exercise your rights, contact us using the details in Section 20.
15. Your Rights (United States / California)
Where the CCPA/CPRA or comparable US state privacy laws apply, eligible individuals have the right to know about and access the personal information we hold, to request its deletion, to request correction, and to opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA, and we will not discriminate against you for exercising your rights. You may submit a request, including through an authorised agent, using the details in Section 20.
16. Cookies and Similar Technologies
We use cookies and similar technologies, including Google Analytics 4, for analytics and to maintain and improve the performance of the Platform. Where required, we obtain consent for non-essential cookies, and you can manage your preferences through your browser settings or any cookie controls we make available.
17. Children's Privacy
The Platform is a business-to-business service intended for use by businesses and professionals. It is not directed to, or intended for use by, individuals under the age of 18, and we do not knowingly collect personal data from children.
18. Customer Responsibilities
As controllers of the prospect and advertising data they collect and connect through the Platform, Customers are responsible for establishing a lawful basis for that processing, providing any required privacy notices to their prospects, obtaining any necessary consents, and otherwise complying with applicable data protection laws. This includes any audit report a Customer exports from the Platform: exported copies are held outside our systems and are the Customer's responsibility as controller.
19. Changes to This Policy
We may update this policy from time to time. When we do, we will revise the effective date above and, where the changes are material, we will take reasonable steps to notify Customers. If we plan to access or use a type of Google user data not previously disclosed, we will update this policy and obtain any further consent required before doing so.
20. How to Contact Us and Complaints
Data controller: Audit It Limited (Company No. 17258971), 19A Singleton Court, Wonnastow Road, Monmouth, NP25 5JA, United Kingdom.
Email: contact@auditit.io.
If you are in the UK or EEA and have a concern about how we handle your personal data, you have the right to lodge a complaint with a supervisory authority. In the UK this is the Information Commissioner's Office (ICO):
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF — https://ico.org.uk — helpline 0303 123 1113.
Last updated: 5 June 2026.