Privacy Policy
Effective date: to be set on first commercial customer. Last updated: 2026-05-08.
⚠ Draft for lawyer review. This document is a starting point. It must
be reviewed by an Australian privacy-specialist solicitor before being
published or referenced in any customer contract.
1. Who we are
This Privacy Policy applies to Audit Intelligence ("Audit Intelligence", "we", "us", "our"), an audit-management platform operated by EDENIC Consulting Pty Ltd (ABN to insert), Australia. Contact: privacy@auditintel.com.
Audit Intelligence is regulated under the Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs) and the Notifiable Data Breaches (NDB) scheme. We treat compliance with these laws as a baseline, not a ceiling.
2. Scope
This policy covers personal information we collect, hold, use, and disclose when:
- A user of an Audit Intelligence customer firm signs up, logs in, or uses the platform;
- A client of one of our customer firms uses our client portal (e.g. uploads documents, responds to questionnaires);
- A visitor uses our marketing website at auditintel.com.
We are an APP entity for the marketing website, the platform user account data we hold, and customer-firm billing information. For audit data uploaded by our customer firms (working papers, evidence files, client correspondence), the customer firm is the controller and we are the data processor.
3. What personal information we collect
3.1 From auditors (platform users)
- Identity: name, work email, role, firm.
- Authentication: password hash (bcrypt), session tokens.
- Activity: pages visited, actions taken (audit trail), AI prompts you submit, sign-offs you complete.
- Independence declarations: financial interests, family relationships, prior employment — only as required to complete the independence questionnaire mandated by APES 110.
3.2 From audit clients (uploaded via firms)
- Identity of the client entity and its directors / officers (collected by the customer firm and entered into Audit Intelligence as part of their audit).
- Financial information: trial balance, journals, working paper content.
- Evidence files: contracts, board minutes, bank confirmations, etc. — whatever the customer firm uploads.
- Communications: client-portal messages between the firm and the audit client.
We do not collect personal information directly from audit clients; the customer firm controls what is uploaded.
3.3 From visitors
- Standard web analytics: IP address (last octet truncated), user-agent, pages visited, referrer.
- Information you submit through marketing forms (name, email, firm).
We do not use session replay or cross-site tracking. We do not sell personal information.
4. Why we collect it
| Purpose | Lawful basis |
|---|---|
| Provide the platform to customer firms | Contractual necessity (MSA with firm) |
| Authenticate users + maintain audit trail | Legitimate interest; APES 320 quality-management retention obligation; ASIC + ASA 230 7-year recordkeeping |
| Send transactional emails (notifications, sign-off requests, password resets) | Contractual necessity |
| Detect, prevent, and respond to security incidents | Legitimate interest; NDB compliance |
| Improve the platform | Legitimate interest; data is aggregated and de-identified |
| Marketing communications (only with opt-in) | Consent |
5. How we use AI
The platform uses AI to assist auditors — never to decide for them. AI suggestions are advisory; every output requires explicit auditor review and sign-off.
The AI features and the providers we use are listed in our Sub-processor Register (auditintel.com/legal/subprocessors). In summary:
- Default configuration: AI inference is performed by OpenAI (US), Anthropic (US), and Google (US). Prompts containing the audit content needed for the specific feature are sent over TLS 1.3 with each vendor's Data Processing Addendum in force. Vendors operate on a zero-retention API basis where available.
- Strict-AU configuration: Customer firms can request that sensitive AI features (document summarisation, journal fraud analytics, working-paper narrative drafting) be routed through Amazon Web Services Bedrock in ap-southeast-2 (Sydney) instead, keeping inference in Australia. Other features remain on the default vendors.
We never use customer data to train AI models. Vendor contracts prohibit training on submitted data.
6. How we share it
We share personal information only as necessary to operate the platform and only with parties listed in our Sub-processor Register, which is published at auditintel.com/legal/subprocessors and updated with 30 days' notice before any change.
We do not disclose personal information for marketing purposes. We do not sell personal information.
We may disclose personal information where required by law (e.g. court order, regulator request) or to respond to a security incident.
7. Cross-border disclosure (APP 8)
By default, the AI features described in §5 send prompts to providers located in the United States, and our outbound email provider (Resend) is US-based. These are disclosed cross-border flows.
Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient does not breach the APPs in relation to that information (APP 8.1). We rely on:
- Data Processing Addenda incorporating the EU Standard Contractual Clauses (or equivalent Australian-compliant terms);
- Vendor commitments not to train models on submitted data;
- Encryption in transit (TLS 1.3);
- Operational controls — least-privilege API keys, hashed prompt logging, no retention of customer outputs beyond the audit trail required by ASA 230.
Customer firms requiring no overseas disclosure can be deployed with the Strict-AU configuration (§5), in which case sensitive AI features route through Bedrock in Sydney and the Resend outbound flow can be disabled in favour of in-app notifications only.
8. Where we store data
Structured customer data is stored in Neon Postgres in AWS ap-southeast-2 (Sydney). Files (evidence, trial-balance imports, archived audit files) are stored in Cloudflare R2 with the APAC location hint (Sydney/Melbourne data centres). Backups remain in the same regions.
For full architectural detail, see our Data Residency Posture document at auditintel.com/legal/data-residency.
9. How long we keep it
We retain personal information for as long as needed for the purpose for which it was collected, plus any retention period required by law.
| Data category | Retention |
|---|---|
| Audit working papers, journals, evidence (the audit file) | 7 years from audit report date (ASIC + APES 320 + ASA 230) |
| Audit trail / activity logs | 7 years (same statutory basis) |
| User account data after cancellation | 30 days (then deleted unless retention obligation applies) |
| Marketing website analytics | 24 months |
| Customer support correspondence | 3 years |
| Financial / billing records | 7 years (tax law) |
After the retention period, data is securely deleted from primary storage. Where deletion is not technically possible (e.g. immutable backups), the data is sealed in archival storage with no application access path until physical deletion.
10. How we secure it
- TLS 1.3 in transit. AES-256 at rest.
- Multi-tenancy isolation: each customer firm has its own Postgres schema. Cross-firm queries are architecturally impossible.
- Audit trail is insert-only: state transitions cannot be tampered with retroactively.
- Two-factor authentication required for all operator and administrator accounts.
- Annual review of access privileges. Quarterly review of the sub-processor list.
- Regular security testing.
We cannot guarantee absolute security. If a notifiable data breach occurs, we will follow the process in our Incident Response Runbook, which includes notifying the OAIC within 72 hours and affected individuals as soon as practicable.
11. Your rights
Under the APPs, you have the right to:
- Access the personal information we hold about you (APP 12).
- Correct information that is inaccurate, out of date, incomplete, irrelevant or misleading (APP 13).
- Make a complaint about how we have handled your personal information (APP 1.3).
- Opt out of direct marketing at any time (APP 7).
- Anonymity or pseudonymity where lawful and practicable (APP 2) — not generally available for audit-context use because identification is required for the audit trail.
To exercise any of these rights, email privacy@auditintel.com. We will respond within 30 days. There is no charge for reasonable access requests.
For audit data held about you by one of our customer firms, please contact the firm directly — they control that data; we process it on their behalf.
12. Complaints
If you have a privacy complaint:
- Email privacy@auditintel.com with the details. We will acknowledge within 5 business days and aim to resolve within 30 days.
- If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner:
  - Website: https://www.oaic.gov.au/privacy/privacy-complaints
  - Phone: 1300 363 992
13. Children
The platform is designed for professional audit firms. We do not knowingly collect personal information from anyone under 18. If we learn that we have, we will delete it.
14. Changes to this policy
We will publish material changes to this policy on auditintel.com and notify customer firm administrators by email at least 30 days in advance.
15. Contact
EDENIC Consulting Pty Ltd
[Registered address — to insert]
ABN: [to insert]
Email: privacy@auditintel.com
General contact: eden@edenic.com.au
Document history
| Date | Change | Author |
|---|---|---|
| 2026-05-08 | Initial draft for lawyer review | Eden Pearson |