Privacy Policy

AuditSail Limited
Last Updated: 20 May 2026
Version: 2.0

What This Policy Covers

AuditSail is a compliance monitoring platform that enables businesses to manage, approve, and audit marketing assets and communications across their teams and partner networks.

We handle personal data in two distinct contexts:

  • Platform users and business contacts. For data relating to the people who use our platform and people who contact us, AuditSail is the data controller and this policy applies directly.
  • Content submitted by customers for compliance review. For personal data contained within content that customers submit to the platform - such as call recordings, marketing assets, or ad copy - AuditSail acts as a data processor on behalf of the customer. The customer is the data controller and determines why and how that data is processed. Section 3 explains this distinction in full.

If you are a consumer whose data has been processed through our platform by one of our customers, the customer that collected your data is the data controller. Section 3 explains the respective responsibilities, Section 9 explains how long we keep your data, and Section 10 explains your rights and who to contact. For any other queries, contact us at privacy@auditsail.com.

1. Who We Are

AuditSail Limited ("AuditSail", "we", "us", "our") is a company incorporated in England and Wales.

  • Registered address: 1 Cambridge Court, Harrowdene Road, Wembley, Greater London, England, HA0 2JW
  • Company number: 16979974
  • ICO registration number: 20090580
  • Contact for data protection matters: privacy@auditsail.com

2. Geographic Scope

The AuditSail platform is directed at businesses operating in the United Kingdom. This policy is written in accordance with UK GDPR and the Data Protection Act 2018. Where we process the personal data of individuals located in the EU or EEA, EU GDPR may also apply. The UK currently benefits from an EU adequacy decision, permitting data flows between the UK and EU/EEA without additional transfer mechanisms. We will update this policy and implement any necessary additional measures before actively onboarding customers in EU or EEA jurisdictions.

We do not represent that this policy satisfies the legal requirements of jurisdictions beyond the UK and EU/EEA, including the United States or Canada.

3. Our Role: Controller and Processor

3.1 Data Controller

AuditSail is the sole data controller for:

  • Personal data of platform users (customer staff, partner contacts, account holders)
  • Personal data of prospective customers or partners who contact us
  • Data generated through our own platform analytics and administration

3.2 Data Processor

Where customers use the platform to submit content containing the personal data of third parties - such as call recordings, marketing assets, or ad copy - AuditSail acts as a data processor under Article 28 of the UK GDPR. The customer is the data controller for that data.

This means:

  • The customer decides what content to submit, what compliance rules to apply, and why the processing is taking place. The customer is responsible for ensuring it has a lawful basis for the original collection of that data and for providing any required transparency to the individuals concerned.
  • AuditSail processes that content strictly in accordance with the customer's instructions and configuration. We provide the technical means - AI analysis, transcription, storage, scoring, and reporting - but we do not determine the purposes of processing.

The respective obligations of AuditSail and the customer are governed by a Data Processing Agreement between AuditSail and the customer, entered into as part of the platform's Terms of Service.

AuditSail does separately process certain customer-submitted content as an independent controller for the purposes described in Section 3.3 below. This independent controller processing is distinct from AuditSail's processor role and is governed by the terms agreed with each customer.

3.3 Independent Controller Processing

In addition to its processor role described in Section 3.2, AuditSail acts as an independent data controller (not a joint controller with the customer) for certain processing carried out for its own purposes. This processing falls into three categories:

  • AI model improvement and scoring methodology development. AuditSail may use customer-submitted content - including call recordings, transcriptions, and compliance analysis outputs - to develop, improve, benchmark, and refine its AI models, compliance scoring methodology, and platform services. This processing relies on AuditSail's legitimate interests in improving the accuracy and effectiveness of its compliance detection capabilities. Customers may opt out of this use at any time by contacting us in writing. Any opt-out is forward-looking only; data already processed or incorporated before the opt-out takes effect is not affected. Even after an opt-out, AuditSail may continue to use anonymised, aggregated data that does not identify the customer, its organisation, or any individual.
  • Evaluation feedback. Where customers provide feedback on compliance flags generated by the platform (for example, indicating whether a particular flag was correct or incorrect), AuditSail may use that feedback and the associated flag context to improve its AI models and scoring methodology. This processing uses AuditSail's own analytical outputs and does not involve AuditSail re-accessing or reprocessing the underlying call recording or transcript for this purpose.
  • Platform operational data. Error logs, system diagnostics, and technical performance data necessary to maintain and secure the platform.

AuditSail's independent controller processing is separate from its processor role. It is governed by the terms agreed with each customer and is not carried out under the customer's instructions. Where the customer's Terms of Service or contract include specific provisions regarding independent controller processing (including opt-out rights), those provisions apply.

4. Personal Data We Collect as Controller

4.1 Platform Users and Business Contacts

When individuals are given access to the platform on behalf of their organisation, or when they contact us directly, we may collect:

  • Full name
  • Business email address and telephone number
  • Organisation name and organisation type (selected from predefined options)
  • User role within the organisation (selected from predefined options)
  • Login credentials (stored in encrypted form)
  • Activity logs within the platform
  • Communications sent to or from us

4.2 Prospective Customers and Partners

When prospective customers or partners contact us via LinkedIn, social media, email, or other channels, we may collect:

  • Name and professional details
  • Contact information provided during outreach or enquiry
  • Notes and records of communications

4.3 Platform Usage and Technical Data

We may collect technical data relating to use of the platform, including:

  • IP addresses and device identifiers
  • Browser type and operating system
  • Session data and usage patterns
  • Error logs and system diagnostics

5. How and Why We Use Personal Data (Legal Bases)

| Purpose | Data used | Legal Basis |
|---|---|---|
| Providing and administering the platform | User account data, activity logs, platform analytics | Performance of a contract (Article 6(1)(b)) |
| Managing business relationships and responding to enquiries | Contact data, communications | Legitimate interests (Article 6(1)(f)) |
| Platform security and fraud prevention | Technical data, activity logs | Legitimate interests (Article 6(1)(f)) |
| Complying with legal obligations | Any relevant data | Legal obligation (Article 6(1)(c)) |
| Improving the platform | Anonymised usage data | Legitimate interests (Article 6(1)(f)) |
| AI model improvement and scoring methodology development (independent controller - see Section 3.3) | Customer-submitted content including call recordings, transcriptions, and compliance analysis outputs | Legitimate interests (Article 6(1)(f)) |
| Processing evaluation feedback (independent controller - see Section 3.3) | Customer feedback on compliance flags and associated flag context | Legitimate interests (Article 6(1)(f)) |

Where we rely on legitimate interests, we have assessed that our interests are not overridden by the rights and interests of the individuals concerned. You have the right to object to processing based on legitimate interests - see Section 10. For independent controller processing described in Section 3.3, customers may also exercise their contractual opt-out right.

6. Call Recordings and Transcription

Call recordings submitted for compliance review will typically contain the voice of a consumer or claimant (which may constitute biometric data), personal and financial information, and in some cases sensitive information relating to health, vulnerability, or financial difficulty.

AuditSail processes call recordings and transcriptions as a data processor on behalf of the customer (see Section 3.2). The platform's compliance analysis is not used to make solely automated decisions with legal or similarly significant effects about consumers as individuals.

The customer is responsible for ensuring it has a lawful basis for the original recording, providing any required transparency to individuals whose data is contained in the recordings, and determining how to act upon the compliance outputs.

7. Who We Share Personal Data With

AuditSail does not sell personal data.

7.1 Sub-Processors

We use a number of third-party sub-processors to deliver our services. These organisations process personal data only on our instructions and are bound by appropriate data processing agreements. Our current sub-processors are:

| Provider | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and hosting; AI-powered platform processing | USA | UK Addendum to the EU SCCs |
| Google LLC | Cloud services; user authentication; website analytics; AI-powered platform processing | USA | UK Addendum to the EU SCCs |
| OpenAI, Inc. | AI-powered platform processing | USA | IDTA |
| AssemblyAI, Inc. | AI-powered platform processing | USA | UK Addendum to the EU SCCs |
| Stripe, Inc. | Payment processing | USA | IDTA |
| Cookiebot (Cybot A/S) | Cookie consent management | EU (Denmark) | UK Adequacy |

All sub-processors located outside the UK are subject to appropriate safeguards, including the UK Addendum to the EU Standard Contractual Clauses, the International Data Transfer Agreement (IDTA), or a UK adequacy decision, as applicable. We review our sub-processor list regularly and will update this policy when sub-processors are added or changed.

7.2 Legal and Regulatory Obligations

We may disclose personal data where required by law, court order, or regulatory authority including the FCA or ICO.

7.3 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the relevant third party. We will notify affected individuals where required.

8. Payment Processing

Payments are processed by Stripe, Inc. AuditSail does not collect, store, or process payment card data directly. All payment information is submitted directly to Stripe and governed by Stripe's Privacy Policy at stripe.com/gb/privacy. We receive only transaction confirmation data for the purpose of administering your account.

9. How Long We Keep Personal Data

9.1 Data We Control

| Category | Retention period |
|---|---|
| Platform user account data | Duration of the customer contract + 12 months following termination |
| Business contact and communications data | 3 years from last meaningful contact |
| Technical and usage logs | 12 months rolling |

9.2 Data We Process on Behalf of Customers

| Category | Retention period |
|---|---|
| Customer-submitted content (including call recordings, marketing assets, and compliance outputs) | Duration of the customer's subscription + 30 days to allow for data export, after which data is securely deleted |

Specific retention terms may be agreed with individual customers under their Data Processing Agreement.

9.3 Data Processed Under Independent Controller Role

Data that has been processed or incorporated by AuditSail for AI model improvement purposes under Section 3.3 is retained by AuditSail as independent controller and is not subject to the processor deletion obligations in Section 9.2. Where such data has been anonymised and incorporated into aggregated datasets, it no longer constitutes personal data and is retained indefinitely. Identifiable data processed under the independent controller role is retained only for as long as necessary for the purposes described in Section 3.3, after which it is securely deleted or anonymised.

Where we are required by law to retain data for a specific period, we will retain it for that period regardless of the above.

When data is no longer required it is securely deleted or anonymised. Where deletion is not immediately possible (for example in backup systems), we will isolate it from further processing until deletion is possible.

10. Your Rights

10.1 If AuditSail Is the Data Controller

If AuditSail is the data controller for your personal data (for example, you are a platform user or you have contacted us directly), you have the following rights:

  • Right of access - to obtain a copy of the personal data we hold about you
  • Right to rectification - to have inaccurate data corrected
  • Right to erasure - to request deletion of your data in certain circumstances
  • Right to restriction - to restrict how we process your data in certain circumstances
  • Right to data portability - to receive your data in a structured, machine-readable format (where applicable)
  • Right to object - to object to processing based on legitimate interests or for direct marketing
  • Rights in relation to automated decision-making - to not be subject to solely automated decisions that produce significant effects

To exercise any of these rights contact us at privacy@auditsail.com. We will respond within one calendar month and may need to verify your identity before processing your request.

If you are not satisfied with our response you may complain to the ICO at ico.org.uk or on 0303 123 1113.

10.2 If Your Data Was Submitted by a Customer

If your personal data was collected by one of our customers and submitted to the platform for compliance review, that customer is the data controller for your data. AuditSail processes it on their behalf as a data processor.

To exercise your data protection rights, contact the organisation that originally collected your data in the first instance, as they will hold the broadest record of your information and are responsible for responding to your request.

If you contact AuditSail directly, we will assist where we can and direct you to the relevant customer where appropriate.

11. Cookies and Tracking

We use cookies and similar tracking technologies on our marketing website and platform. Non-essential cookies are not placed on your device without your consent, which is managed via our cookie banner.

For full details, including a complete list of cookies in use and how to manage your preferences, see our Cookie Policy at auditsail.com/cookies.

12. Children

Our platform is intended for business use only. We do not knowingly collect or process personal data relating to children under the age of 18. If you believe we have inadvertently received such data, contact us immediately at privacy@auditsail.com.

13. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction, including:

  • Encryption of data in transit and at rest
  • Role-based access controls
  • Audit logging of platform activity
  • Regular security assessments
  • Sub-processor due diligence

In the event of a personal data breach likely to result in risk to individuals, we will notify the ICO within 72 hours and, where required, notify affected individuals without undue delay.

14. Changes to This Policy

We may update this policy from time to time to reflect changes in our services, legal requirements, or data processing practices. The current version is always available at auditsail.com/privacy. Where changes are material we will notify platform users directly.

15. Contact Us

AuditSail Limited
1 Cambridge Court, Harrowdene Road, Wembley, Greater London, England, HA0 2JW

privacy@auditsail.com

This policy was last reviewed on 20 May 2026.