Privacy Policy

1. Introduction

At Aura Audit AI ("Aura," "we," "our," or "us"), we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our audit automation platform, website, and related services (collectively, the "Services").

We understand that CPA firms and auditors handle sensitive client information, and we are committed to maintaining the highest standards of data protection and confidentiality. This Privacy Policy applies to information we collect from:

• Users of our platform (auditors, CPAs, firm staff)
• Visitors to our website
• Individuals who contact us or request information
• Data uploaded to our platform for audit engagements

By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Information We Collect

2.1 Information You Provide

Account Information: When you create an account, we collect your name, email address, company name, job title, phone number, and billing information.

Audit Data: Data you upload to perform audit engagements, including:

• Trial balance data and financial statements
• Client information (company names, addresses, tax IDs)
• Transaction data and journal entries
• Workpapers, documentation, and supporting evidence
• Notes, comments, and communications within the platform

Communications: Information you provide when contacting us, including support requests, feedback, and inquiries.

2.2 Information Collected Automatically

Usage Data: We automatically collect information about your use of the Services, including:

• Pages visited, features used, and actions taken
• Time spent on pages and session duration
• Search queries and filters applied
• Engagement interactions (clicks, downloads, uploads)

Device and Browser Information: IP address, browser type and version, operating system, device identifiers, and screen resolution.

Cookies and Similar Technologies: We use cookies, web beacons, and similar technologies to collect information and improve user experience. See Section 8 for details.

2.3 Information from Third Parties

We may receive information from:

• Accounting System Integrations: Data from QuickBooks, Xero, NetSuite, and other connected systems
• Authentication Providers: Information from SSO providers (Azure AD, Okta, Auth0)
• Payment Processors: Transaction details from Stripe or other payment providers
• Service Providers: Analytics and security vendors who help us operate the Services

3. How We Use Your Information

We use the information we collect to:

3.1 Provide and Improve Services

• Operate, maintain, and deliver the Services
• Process audit engagements and generate workpapers
• Perform AI analysis, anomaly detection, and risk assessment
• Generate reports, disclosures, and documentation
• Provide customer support and respond to inquiries
• Improve our algorithms, models, and features
• Develop new products and services

3.2 Security and Fraud Prevention

• Monitor for security threats and suspicious activity
• Detect and prevent fraud, abuse, and unauthorized access
• Enforce our Terms of Service and acceptable use policies
• Conduct security audits and penetration testing

3.3 Communications

• Send service updates, security alerts, and system notifications
• Provide technical support and account assistance
• Send marketing communications (with your consent)
• Conduct surveys and request feedback

3.4 Legal and Compliance

• Comply with legal obligations and regulatory requirements
• Respond to subpoenas, court orders, and legal processes
• Protect our rights, property, and safety
• Enforce our agreements and policies

3.5 Analytics and Research

• Analyze usage patterns and user behavior (aggregated and anonymized)
• Measure feature adoption and platform performance
• Conduct industry research and benchmarking studies
• Improve AI models using aggregated, anonymized data

4. Data Sharing and Disclosure

We do not sell your personal information. We share information only as described below:

4.1 Service Providers

We share information with trusted third-party service providers who perform services on our behalf, including:

• Cloud infrastructure providers (AWS, Azure)
• AI and machine learning platforms (OpenAI)
• Analytics services (Google Analytics, Mixpanel)
• Payment processors (Stripe)
• Email and communication services (SendGrid)
• Security and monitoring tools

These service providers are contractually obligated to protect your information and use it only for the purposes we specify.

4.2 Business Transfers

If we are involved in a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will notify you before your information is transferred and becomes subject to a different privacy policy.

4.3 Legal Requirements

We may disclose your information if required to do so by law or in response to:

• Subpoenas, court orders, or legal processes
• Government or regulatory requests
• Investigations of potential violations of law
• Protection of our rights, property, or safety
• Emergencies involving danger to persons or property

4.4 Aggregated and Anonymized Data

We may share aggregated, anonymized data that cannot reasonably be used to identify you or your clients. This includes industry benchmarks, usage statistics, and research findings.

4.5 With Your Consent

We may share your information for other purposes with your explicit consent.

5. Data Security

We implement industry-leading security measures to protect your information:

5.1 Encryption

• At Rest: AES-256 encryption for all stored data
• In Transit: TLS 1.3 encryption for all data transmissions
• Database Encryption: Encrypted backups and point-in-time recovery

5.2 Access Controls

• Role-based access control (RBAC) with least-privilege principles
• Multi-factor authentication (MFA) requirements
• Row-level security for multi-tenant data isolation
• Audit logging of all data access and modifications

5.3 Infrastructure Security

• SOC 2 Type II certified infrastructure
• Regular security audits and penetration testing
• 24/7 security monitoring and intrusion detection
• Automated vulnerability scanning and patching
• DDoS protection and rate limiting

5.4 Data Retention

• Audit documentation retained for 7 years (SEC 17 CFR 210.2-06)
• WORM (Write Once Read Many) storage for immutability
• Secure data deletion procedures for expired data

While we implement robust security measures, no system is completely secure. If you become aware of any security vulnerability or breach, please contact us immediately at security@auraaudit.ai.

6. Your Rights and Choices

6.1 Access and Correction

You have the right to access, update, or correct your personal information. You can update most information through your account settings or by contacting us.

6.2 Data Portability

You can export your data in machine-readable formats (JSON, CSV, PDF) at any time through the platform.

6.3 Data Deletion

You can request deletion of your account and associated data, subject to:

• Legal retention requirements (e.g., 7-year audit documentation retention)
• Ongoing legal obligations or disputes
• Fraud prevention and security purposes

6.4 Marketing Communications

You can opt out of marketing emails by clicking "unsubscribe" in any marketing email or updating your preferences in account settings. You cannot opt out of essential service communications.

6.5 Cookie Preferences

You can manage cookie preferences through your browser settings or our cookie consent banner.

6.6 Do Not Track

Our Services do not currently respond to "Do Not Track" browser signals, but you can control tracking through cookie settings.

7. International Data Transfers

Aura Audit AI is based in the United States. If you access the Services from outside the U.S., your information may be transferred to, stored, and processed in the U.S. or other countries where our service providers operate.

We comply with applicable data protection laws, including:

• GDPR: For European users, we use Standard Contractual Clauses and ensure adequate data protection
• Privacy Shield: We adhere to recognized frameworks for international data transfers
• Data Localization: We can accommodate data residency requirements upon request

8. Cookies and Tracking Technologies

We use cookies and similar technologies to collect information and improve the Services.

8.1 Types of Cookies

• Essential Cookies: Required for authentication, security, and core functionality
• Performance Cookies: Collect analytics data to improve the Services
• Functional Cookies: Remember your preferences and settings
• Marketing Cookies: Track marketing campaign performance (with consent)

8.2 Third-Party Cookies

We use third-party analytics and advertising services that may set cookies:

• Google Analytics (anonymized IP addresses)
• Mixpanel (product analytics)
• Segment (data integration platform)

8.3 Managing Cookies

You can control cookies through browser settings or our cookie banner. Note that disabling essential cookies may affect functionality.

9. Children's Privacy

The Services are not intended for children under 16. We do not knowingly collect information from children under 16. If we learn that we have collected information from a child under 16, we will delete it promptly. If you believe we have collected information from a child, please contact us at privacy@auraaudit.ai.

10. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request disclosure of personal information we collect, use, and disclose
• Right to Delete: Request deletion of your personal information (subject to exceptions)
• Right to Opt-Out: Opt out of sale of personal information (we do not sell personal information)
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights

To exercise these rights, contact us at privacy@auraaudit.ai or call (555) 123-4567.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

• Posting a notice on our website
• Sending an email to the address associated with your account
• Displaying a notice when you log in to the platform

The "Last Updated" date at the top of this policy indicates when it was last revised. Your continued use of the Services after the effective date constitutes acceptance of the updated Privacy Policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: