Privacy policy

AuditSmith sells fixed-scope engineering audits. This page describes what personal data the auditsmith.io website collects, why, how long it is kept, and the subprocessors that handle it on our behalf.

AuditSmith is operated by Muhammed Erdem, a senior frontend engineer based in Madrid, Spain, who is the data controller for the processing described here. For any question or data-subject request, write to privacy@auditsmith.io.

• Email address — when you request the methodology PDF. It goes to Resend to add you to the PDF-requester segment and to send you the PDF.
• Booking details — when you book a fit call, Cal.com collects your name, email, the time you pick, and any message you add.
• Aggregate analytics — Plausible counts page views without cookies. It stores no IP addresses and no identifier that singles you out.
• Operational logs — our hosting (Vercel), inbox (Mailbox.org), and email (Resend) keep short-lived request logs, including IP address and user agent, under their own defaults — the same as any web service.
• Rate-limit hashes — to stop the PDF form being abused, we store a SHA-256 hash of your IP address and email in Upstash Redis for one hour. The raw values never leave the API route; only the hashes are stored, and they expire automatically.

• Deliver the methodology PDF and send one short follow-up to people who asked for it.
• Schedule and run the fit calls you book.
• Keep the site available and prevent abuse — rate limiting on the form and handling email bounces.

We do not profile you, build advertising audiences, or sell data.

We rely on legitimate interest under GDPR Article 6(1)(f) for the transactional and service-delivery processing above. Delivering a document you asked for, and keeping the site running, are interests you would reasonably expect; the data is minimal (an email address), retention is short, and you can object or ask for deletion at any time via privacy@auditsmith.io.

We ran a three-part balancing test: the interest is real (you actively requested the PDF), the processing is necessary (an email address is required to deliver it, with no less-intrusive alternative), and it does not override your rights (minimal data, bounded retention, no marketing, no sharing for anyone else’s purposes). The full assessment is recorded in our internal decision log.

We do not run a newsletter or marketing list, so we do not ask you to consent to one. If that ever changes, we will ask for explicit consent first and update this page.

• PDF-requester email (Resend segment) — kept up to 90 days after we deliver the PDF, then removed; sooner if you ask privacy@auditsmith.io.
• Fit-call booking records — held by Cal.com under its own retention defaults (see Cal.com’s privacy notice, linked below).
• Rate-limit hashes (Upstash) — one hour, then they expire automatically.
• Server logs (Vercel, Mailbox.org, Resend) — kept under each provider’s defaults, typically around 30 days.

We use 7 subprocessors to run the site and the PDF and booking flows — 3 hosted in the EU/EEA and 4 with US-hosted account data, whose transfers are covered by Standard Contractual Clauses (see the next section).

• ResendUS · SCCs

  Transactional email delivery and the PDF-requester segment

  US-hosted account data; outbound sending pinned to eu-west-1 (Ireland)

• Mailbox.orgEU

  Operator inbox (privacy@, hello@) and reply handling

  Germany

• Cal.comEU

  Fit-call scheduling and booking records

  EU instance (cal.eu)

• Plausible AnalyticsEU

  Aggregate, cookieless web analytics

  European Union

• UpstashUS · SCCs

  Rate-limit store (hashed identifiers) for the PDF form, via Vercel Marketplace

  US-hosted account; request routing in eu-west-1 (Ireland)

• VercelUS · SCCs

  Hosting and content delivery (CDN)

  United States, with EU edge

• NamecheapUS · SCCs

  Domain registrar and DNS

  United States

If any of the above changes, we update this page. A Data Processing Addendum is available on request to privacy@auditsmith.io.

Four of these subprocessors — Resend, Upstash, Vercel, and Namecheap — process some account or operational data in the United States. Those transfers run under the Standard Contractual Clauses in each provider’s data processing agreement, which is the mechanism for moving EU personal data to the US.

auditsmith.io sets no cookies. Plausible is cookieless, and we run no analytics or marketing cookies of our own.

The Cal.com booking window, when you open it, may set cookies under Cal.com’s own policy.

Because the site itself sets no cookies, there is no cookie banner.

Under the GDPR you can:

• access the data we hold about you (Article 15);
• have it corrected (Article 16);
• have it erased (Article 17);
• restrict how we use it (Article 18);
• receive it in a portable format (Article 20);
• object to processing based on legitimate interest (Article 21);
• and, where we rely on consent, withdraw it (for the processing on this site, we do not rely on consent).

You can also lodge a complaint with the data protection supervisory authority in your country (Article 77).

Email privacy@auditsmith.io. We respond within 30 days. There is no fee for reasonable requests.

AuditSmith is a B2B service. We do not knowingly collect data from anyone under 16. If we learn that we have, we delete it.

• auditsmith.io is served only over HTTPS, with HSTS enabled.
• The PDF form endpoint is rate-limited to curb abuse.
• During an audit engagement, repository access is read-only and under NDA, and engagement data is deleted 30 days after delivery. Those engagement terms are set out in full in the access and data section.

We update this page in place and change the effective date at the top. For a material change that affects people whose data we already hold — for example, a new subprocessor that processes it — we email the last address on file.

• Data-subject requests (access, deletion, objection): privacy@auditsmith.io.
• Everything else: hello@auditsmith.io.
• A postal address is available on request to privacy@auditsmith.io; we do not publish it to limit spam.