Privacy Policy
Last updated: March 2026
1. Data Controller Details
Audital Consulting Ltd (“Audital”, “we”, “us”, “our”) is the data controller for the personal data described in this policy. We are registered in England and Wales under Company No. 16931341.
We are registered with the Information Commissioner’s Office (ICO) as a data controller. When we process compliance and audit trail data on behalf of our FCA-regulated clients, we act as a data processor under the terms of a Data Processing Agreement entered into with each client.
Registered Details
- Entity: Audital Consulting Ltd
- Jurisdiction: England and Wales
- Company No.: 16931341
- ICO Registration: Registered data controller
- Contact: contact@audital.ai
2. Lawful Basis for Processing
We process personal data only where we have a lawful basis to do so under UK GDPR (Article 6). The bases we rely on depend on the category of data and the purpose of processing:
- Contractual necessity (Article 6(1)(b)): Processing account data, authentication credentials, and integration credentials is necessary to perform our contract with you and deliver the Audital platform.
- Legitimate interests (Article 6(1)(f)): We process usage data (login timestamps, feature usage) and maintain audit event data for security monitoring, fraud prevention, service improvement, and to ensure the integrity of the cryptographic audit trail. Our legitimate interest does not override your fundamental rights and freedoms.
- Legal obligation (Article 6(1)(c)): We retain certain records to comply with FCA record-keeping requirements, anti-money-laundering obligations, and other applicable UK law.
- Consent (Article 6(1)(a)): Where we process data that falls outside the bases above — for example, optional marketing communications — we obtain your explicit consent. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
3. Data We Process
We process the following categories of personal data:
- Account data: name, work email address, job role, organisation name, and billing information where applicable.
- Authentication data: hashed passwords (bcrypt, cost factor 12), multi-factor authentication enrolment records, and session tokens stored as httpOnly secure cookies.
- Audit event data: AI model inputs and outputs, risk scores, decision metadata, reviewer identities, and approval records — submitted by your organisation as the data controller.
- Integration credentials: encrypted API keys and OAuth tokens for connected third-party services, encrypted at rest using AES-256-GCM with per-organisation key derivation (HKDF).
- Usage data: login timestamps, IP addresses, user-agent strings, and feature usage logs collected for security monitoring and platform reliability.
We do not process special category data (e.g. health, biometric, or political data) unless explicitly included in audit event payloads by the data controller. Clients are responsible for ensuring they have an appropriate lawful basis for any special category data submitted to the platform.
4. How Data Is Stored
Cryptographic Storage Architecture
All client audit data is stored in a cryptographically chained, append-only ledger. Each event is:
- Hashed using SHA-256 and chained to the previous event hash, forming an immutable hash chain — any tampering is detectable immediately.
- Encrypted at rest using AES-256-GCM with per-organisation key derivation via HKDF, ensuring tenant isolation at the cryptographic level.
- Timestamped using RFC 3161 trusted timestamps via DigiCert, providing independent, non-repudiable proof of when each record was created.
- Stored in an append-only ledger — records cannot be modified or deleted once committed, preserving the integrity required by FCA regulations.
- Protected by TLS 1.3 in transit — data never travels unencrypted between your browser and our infrastructure.
- Backed up daily with encrypted snapshots and point-in-time recovery for 30 days.
Integration credentials (API keys, OAuth tokens) are encrypted using AES-256-GCM with keys derived per-organisation via HKDF before storage. Passwords are never stored in plaintext — only bcrypt hashes with a cost factor of 12.
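To make the two storage mechanisms above concrete, the following is an added illustration, not Audital's own code: it shows how a SHA-256 hash chain lets a verifier detect an edited or removed record, and how HKDF derives a separate 256-bit key per organisation from one master secret. The sample events, the organisation ids, the master key and the "ledger-key-v1" domain label are all constructed for the example; HKDF is written out on the standard library (RFC 5869 over HMAC-SHA256) so the block runs without third-party packages, and the AES-256-GCM step that would consume the derived key is left out because the standard library has no AES implementation.

```python
import copy
import hashlib
import hmac
import json

# ---- HKDF (RFC 5869) over HMAC-SHA256, on the standard library only ----

def hkdf_extract(salt, ikm):
    """Extract step: PRK = HMAC-SHA256(salt, IKM); an empty salt is a zero block."""
    if not salt:
        salt = bytes(hashlib.sha256().digest_size)
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk, info, length):
    """Expand step: T(i) = HMAC(PRK, T(i-1) || info || i); concatenate to `length` bytes."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_org_key(master_key, org_id):
    """Per-organisation 256-bit data key. The organisation id is bound into the
    HKDF info field, so tenants that share one master key get unrelated keys;
    the result is what a service would hand to AES-256-GCM (not shown here)."""
    prk = hkdf_extract(b"ledger-key-v1", master_key)   # constructed domain label
    return hkdf_expand(prk, b"org:" + org_id.encode("utf-8"), 32)

# ---- SHA-256 hash chain over an append-only list of events ----

GENESIS = "0" * 64   # previous-hash value for the first entry

def canonical_bytes(payload):
    """Stable serialisation: key order and spacing must not affect the hash."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")

def event_hash(prev_hash, payload):
    """Hash of one entry: SHA-256(previous hash || canonical payload)."""
    return hashlib.sha256(prev_hash.encode("ascii") + canonical_bytes(payload)).hexdigest()

def append_event(ledger, payload):
    """Append an entry linked to the current chain head and return it."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"prev": prev, "payload": payload, "hash": event_hash(prev, payload)}
    ledger.append(entry)
    return entry

def verify_chain(ledger):
    """Recompute every link from genesis. Returns (ok, index of first bad entry or -1).
    A changed payload, a replaced hash, or a removed entry all break a link."""
    expected_prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev"] != expected_prev:
            return False, i
        if event_hash(entry["prev"], entry["payload"]) != entry["hash"]:
            return False, i
        expected_prev = entry["hash"]
    return True, -1

def demo():
    """Build a three-entry ledger from constructed sample events, then show that
    editing one record and deleting one record are both caught by verification."""
    ledger = []
    append_event(ledger, {"event": "model_decision", "model": "credit-risk-v2",
                          "score": 0.12, "decision": "approve"})
    append_event(ledger, {"event": "review", "reviewer": "u-1042", "outcome": "approved"})
    append_event(ledger, {"event": "export", "actor": "u-0007", "records": 2})

    tampered = copy.deepcopy(ledger)
    tampered[1]["payload"]["outcome"] = "rejected"    # silent edit of a committed record

    deleted = ledger[:1] + ledger[2:]                  # entry 1 removed from the middle

    return {
        "intact": verify_chain(ledger),
        "tampered": verify_chain(tampered),
        "deleted": verify_chain(deleted),
    }

if __name__ == "__main__":
    for name, (ok, idx) in demo().items():
        print(f"{name:9s} chain ok={ok} first bad index={idx}")
```

Two design points are worth noting. The payload is serialised canonically before hashing, because otherwise the same record could hash differently depending on key order and a verifier would report false tampering. And verification always walks from genesis rather than checking one entry in isolation: the deletion case in `demo` shows why, since every surviving entry still has a self-consistent hash and only the broken link to the previous entry reveals the gap.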
5. Data Residency
During onboarding, each organisation selects its preferred data residency region. We currently offer two options:
- UK South (London) — data hosted exclusively within the United Kingdom.
- EU West (Ireland) — data hosted within the European Union.
Your selection is immutable after onboarding to preserve the integrity of the cryptographic audit chain. All primary data storage, backups, and processing occur within the selected region. We do not transfer personal data outside the UK or EEA without appropriate safeguards (see Section 8).
6. Data Retention
We retain data for the following periods:
Retention Schedule
- Audit event data: 7 years from creation (default), aligned with FCA record-keeping requirements under SYSC 9 and MiFID II. Custom retention periods may be agreed in your Data Processing Agreement.
- Account data: retained for the duration of your subscription plus 90 days after termination, to allow for data export and transition.
- Authentication data: session tokens expire after 24 hours of inactivity. Password hashes are deleted 90 days after account termination.
- Usage data: retained for 12 months for security monitoring, then anonymised or deleted.
- Integration credentials: deleted immediately upon disconnection of the integration or 90 days after account termination, whichever is earlier.
Due to the append-only nature of the cryptographic audit ledger, individual audit records cannot be selectively deleted before the retention period expires without compromising the integrity of the hash chain. This is a necessary technical safeguard required for regulatory compliance.
7. Data Subject Rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Right of access (Article 15) — request a copy of the personal data we hold about you.
- Right to rectification (Article 16) — request correction of inaccurate or incomplete personal data.
- Right to erasure (Article 17) — request deletion of your personal data where there is no compelling reason for continued processing. Note: audit records in the append-only ledger cannot be selectively erased during the retention period due to regulatory and cryptographic integrity requirements.
- Right to data portability (Article 20) — receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV).
- Right to object (Article 21) — object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
- Right to restriction of processing (Article 18) — request that we restrict processing of your data in certain circumstances, such as while we verify the accuracy of contested data.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint — you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been infringed.
To exercise any of these rights, contact us at contact@audital.ai. We will respond within one calendar month. If your request is complex or we receive a large number of requests, we may extend this period by a further two months, in which case we will inform you within the initial one-month period.
8. International Transfers
Your primary data is stored in the UK or EU region you selected at onboarding. Where a transfer of personal data outside the UK or EEA is necessary (for example, to a sub-processor), we ensure appropriate safeguards are in place:
- UK adequacy regulations — transfers to countries the UK Government has deemed to provide an adequate level of data protection.
- EU adequacy decisions — transfers to countries recognised by the European Commission as providing adequate protection.
- International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses — used where no adequacy decision exists.
- Supplementary measures — including encryption in transit and at rest, pseudonymisation, and access controls — applied where required by the transfer risk assessment.
A copy of the relevant transfer mechanism for any international transfer is available on request.
9. Sub-processors
We use a limited number of sub-processors to deliver the platform. All sub-processors are bound by Data Processing Agreements that meet UK GDPR requirements. We will notify clients of any material changes to our sub-processor list at least 30 days before the change takes effect.
Current Sub-processors
- Amazon Web Services (AWS) — cloud infrastructure, compute, and database hosting. Data location: UK South (London) or EU West (Ireland) per your selection.
- DigiCert, Inc. — RFC 3161 trusted timestamping authority, providing cryptographically verifiable timestamps for audit records. Processing limited to timestamp request hashes (no personal data is transmitted).
- Email delivery provider — transactional email (account verification, security alerts, notification delivery). Data processed: recipient email address and message content.
A complete and up-to-date list of sub-processors, including their locations and processing activities, is available on request by emailing contact@audital.ai.
10. Cookies
We use only strictly necessary cookies to operate the platform. We do not use advertising, analytics, or third-party tracking cookies.
- Session cookie — a secure, httpOnly cookie that maintains your authenticated session. Expires after 24 hours of inactivity or on logout.
- CSRF token — a secure cookie used to prevent cross-site request forgery attacks. Expires with your session.
- Data residency preference — a cookie that records your selected data region to route requests to the correct infrastructure. Persistent for the duration of your subscription.
Because we use only strictly necessary cookies, consent is not required under the Privacy and Electronic Communications Regulations (PECR). No cookie banner is displayed.
11. Security Measures
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction:
Technical Safeguards
- Multi-factor authentication (MFA) required for all user accounts and enforced for administrative access.
- Role-based access control (RBAC) with the principle of least privilege — users can only access data and features required for their role.
- AES-256-GCM encryption at rest with per-organisation key derivation using HKDF, providing cryptographic tenant isolation.
- TLS 1.3 encryption in transit for all connections between clients, APIs, and infrastructure.
- Cryptographic audit trails (SHA-256 hash chain) for all data mutations, administrative actions, and access events.
- Annual penetration testing conducted by an independent, CREST-accredited security firm, with findings remediated promptly.
- Responsible disclosure programme for security researchers.
- Automated vulnerability scanning and dependency monitoring across our codebase and infrastructure.
- Principle of least privilege for all infrastructure access, with short-lived credentials and mandatory MFA.
12. Data Breach Notification
In the event of a personal data breach, we will follow a documented incident response procedure:
- We will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals' rights and freedoms, as required by Article 33 of UK GDPR.
- We will notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 of UK GDPR.
- Where we act as a data processor, we will notify the relevant data controller (our client) without undue delay upon becoming aware of a breach, enabling them to meet their own notification obligations.
- We maintain a breach register documenting all personal data breaches, their effects, and remedial actions taken, regardless of whether they meet the reporting threshold.
13. Children’s Data
The Audital platform is a business-to-business service designed for use by professionals at FCA-regulated firms and other organisations. Our service is not directed at individuals under the age of 18, and we do not knowingly collect personal data from children.
If we become aware that we have inadvertently collected personal data from a person under 18, we will take steps to delete that data as soon as reasonably practicable. If you believe a child has provided us with personal data, please contact us at contact@audital.ai.
14. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify registered users by email at least 14 days before material changes take effect.
- Where changes affect how we process data under a Data Processing Agreement, notify clients in accordance with the terms of that agreement.
We encourage you to review this policy periodically. Continued use of the platform after changes have been notified constitutes acceptance of the updated policy.
15. Contact Details
For any questions about this privacy policy, to exercise your data subject rights, or to raise a concern about how we handle your personal data, please contact us:
Data Protection Contact
- Organisation: Audital Consulting Ltd
- Email: contact@audital.ai
- Data Protection Officer: contactable at contact@audital.ai
We aim to respond to all data protection enquiries within one calendar month. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Supervisory Authority
- Authority: Information Commissioner’s Office (ICO)
- Website: ico.org.uk
- Helpline: 0303 123 1113