Privacy Policy

Last updated: March 29, 2026

1. Who We Are

Auditora.ai is operated by Prozea ("we", "us", "our"). We provide an AI-powered process elicitation platform that joins video calls, guides consultants with a real-time teleprompter, and auto-diagrams business processes using BPMN notation.

For any privacy-related inquiries, contact us at privacy@auditora.ai.

2. Information We Collect

Information You Provide

  • Account data: Name, email address, organization name, and role when you create an account.
  • Session data: Transcripts, process diagrams (BPMN), and risk analyses generated during elicitation sessions.
  • Communications: Messages you send to us, including support requests and contact form submissions.

Information Collected Automatically

  • Usage data: Pages visited, features used, session duration, and interaction patterns.
  • Technical data: IP address, browser type and version, operating system, device information, and referring URLs.
  • Cookies and similar technologies: See Section 5 for details.

Information From Third Parties

  • Authentication providers: If you sign in via Google or Microsoft, we receive your name and email address from those providers.
  • Video call platforms: When Auditora.ai joins a call via your invitation, we process the audio stream for transcription purposes only during the active session.

3. How We Use Your Information

We use the information we collect to:

  • Provide our services: Process elicitation, real-time BPMN diagram generation, risk analysis, and FMEA generation.
  • Maintain your account: Authentication, session management, and user preferences.
  • Send transactional communications: Account verification, session summaries, and service notifications.
  • Improve our platform: Analyze aggregated usage patterns to enhance features and fix issues.
  • Ensure security: Detect fraud, abuse, and unauthorized access.
  • Comply with legal obligations: Respond to lawful requests and enforce our terms.

Important: Your session data (transcripts, diagrams, and analyses) is not used to train AI models. We use third-party AI services solely to process your sessions in real time, and your data is not retained by those providers for training purposes.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases:

  • Contract performance: Processing necessary to provide the services you requested (account management, session processing, diagram generation).
  • Legitimate interests: Analytics to improve our platform, security measures, and fraud prevention, where these interests are not overridden by your rights.
  • Consent: For analytics cookies, marketing communications, and optional product analytics. You may withdraw consent at any time.
  • Legal obligation: Where processing is required to comply with applicable law.

5. Cookies

We use the following cookies:

| Cookie | Category | Duration | Purpose |
| --- | --- | --- | --- |
| session_token | Essential | 30 days | Authentication and session management |
| NEXT_LOCALE | Essential | Session | Stores your language preference |
| cookie_consent | Essential | 1 year | Remembers your cookie preferences |
| sidebar-collapsed | Essential | 1 year | Stores UI layout preference |
| scan_session | Essential | 24 hours | Maintains anonymous tool scan sessions |
| _ga / _gid | Analytics | Up to 2 years | Google Analytics for aggregated usage statistics |
| ph_* | Analytics | 1 year | Product analytics (PostHog) |

Managing Your Preferences

When you first visit our site, a cookie consent banner lets you choose which non-essential cookies to accept. You can change your preferences at any time by clicking the cookie settings link in the site footer. Essential cookies cannot be disabled as they are necessary for the site to function.

You can also manage cookies through your browser settings. Note that disabling certain cookies may affect site functionality.

6. Data Sharing

We do not sell your personal information. We share data only in the following circumstances:

  • Service providers: We use trusted third-party providers for hosting (Railway), email delivery, payment processing (Stripe), and analytics. These providers process data solely on our behalf under contractual data processing agreements.
  • AI processing: Session audio is processed through speech-to-text and language model providers to deliver our core service. These providers do not retain your data beyond the processing window.
  • Legal requirements: We may disclose information when required by law, court order, or governmental authority, or when necessary to protect our rights, safety, or property.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.

7. International Data Transfers

Your data may be processed in countries outside your country of residence, including the United States. When we transfer data outside the EEA, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Ensuring our service providers maintain adequate data protection standards.
  • Your explicit consent where applicable.

For transfers from Mexico, we ensure compliance with the principles established in the LFPDPPP and its regulations.

8. Data Retention

  • Account data: Retained for as long as your account is active. Upon account deletion, personal data is removed within 30 days, except where retention is required by law.
  • Session data (transcripts, diagrams): Retained for the duration of your subscription. You may delete individual sessions at any time.
  • Anonymous scan sessions: Automatically deleted after 24 hours.
  • Usage analytics: Aggregated analytics data is retained for up to 26 months.
  • Legal and compliance records: Retained as required by applicable law.

9. Your Rights

Under GDPR (European Economic Area)

If you are in the EEA, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your personal data ("right to be forgotten").
  • Restrict processing of your data in certain circumstances.
  • Data portability: Receive your data in a structured, machine-readable format.
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time for consent-based processing.
  • Lodge a complaint with your local Data Protection Authority.

Under CCPA (California, USA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose.
  • Delete your personal information, subject to certain exceptions.
  • Opt out of the sale of personal information. Note: we do not sell personal information.
  • Non-discrimination for exercising your privacy rights.

To exercise these rights, contact us at privacy@auditora.ai or use the "Do Not Sell My Personal Information" link on our site.

Under Mexico's LFPDPPP (Aviso de Privacidad)

If you are located in Mexico, you have the following ARCO rights:

  • Acceso (Access): Know what personal data we hold about you and how it is used.
  • Rectificación (Rectification): Request correction of inaccurate or incomplete data.
  • Cancelación (Cancellation): Request deletion of your personal data when it is no longer necessary.
  • Oposición (Opposition): Object to the processing of your personal data for specific purposes.
  • Revocación del consentimiento (Revocation of consent): Withdraw the consent you previously granted for the processing of your personal data. Revocation does not have retroactive effect on processing carried out prior to the withdrawal.

To exercise your ARCO rights or revoke your consent, send a request to privacy@auditora.ai including:

  1. Your full name and contact information.
  2. A clear description of the data and rights you wish to exercise.
  3. A copy of official identification.

We will respond within 20 business days of receiving your complete request. If accepted, changes will be implemented within 15 business days.

10. Data Security

We implement industry-standard technical and organizational measures to protect your data, including encryption in transit (TLS) and at rest, access controls, regular security reviews, and incident response procedures. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

11. Children's Privacy

Our services are not directed at individuals under 16 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@auditora.ai.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have an account) or by placing a prominent notice on our website. We encourage you to review this page periodically. Your continued use of the platform after changes take effect constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:

Auditora.ai (by Prozea)
Email: privacy@auditora.ai