Privacy Policy
What This Policy Covers
AuditSail is a compliance monitoring platform that enables businesses to manage, approve, and audit marketing assets and communications across their teams and partner networks.
We handle personal data in two distinct contexts. For data relating to platform users and business contacts, AuditSail is the data controller and this policy applies directly. For personal data contained within content submitted to the platform for compliance review - such as call recordings - AuditSail and the relevant customer are joint controllers and share responsibility for how that data is handled. Section 4 explains this distinction in full.
If you are a consumer whose data has been processed through our platform, Section 4 explains our respective responsibilities, Section 10 explains how long we keep your data, and Section 11 explains your rights and who to contact. For any other queries, contact us at privacy@auditsail.com.
1. Who We Are
AuditSail Limited ("AuditSail", "we", "us", "our") is a company incorporated in England and Wales.
- Registered address: 1 Cambridge Court, Harrowdene Road, Wembley, Greater London, England, HA0 2JW
- Company number: 16979974
- ICO registration number: 20090580
- Contact for data protection matters: privacy@auditsail.com
2. Geographic Scope
The AuditSail platform is directed at businesses operating in the United Kingdom. This policy is written in accordance with UK GDPR and the Data Protection Act 2018. Where we process the personal data of individuals located in the EU or EEA, EU GDPR may also apply. The UK currently benefits from an EU adequacy decision, permitting data flows between the UK and EU/EEA without additional transfer mechanisms. We will update this policy and implement any necessary additional measures before actively onboarding customers in EU or EEA jurisdictions.
We do not represent that this policy satisfies the legal requirements of jurisdictions beyond the UK and EU/EEA, including the United States or Canada.
3. About This Policy
This policy explains how AuditSail collects, uses, stores, and shares personal data in connection with use of our platform and services, communications with prospective or existing customers and partners, and personal data processed through the platform under joint controller arrangements.
It applies to platform users, marketing affiliates and partners, individuals whose personal data is contained within content submitted for compliance review, and anyone who contacts us directly.
4. Our Role: Controller and Joint Controller
4.1 Data Controller
AuditSail is the sole data controller for:
- Personal data of platform users (customer staff, partner contacts, account holders)
- Personal data of prospective customers or partners who contact us
- Data generated through our own platform analytics and administration
4.2 Joint Controller
Where customers use the platform to process content containing the personal data of third parties, AuditSail and the relevant customer act as joint controllers under Article 26 of the UK GDPR. AuditSail determines the means of processing: how the AI analyses content, how transcriptions are generated, and how data flows through the platform. The customer determines the purpose and parameters: which content to submit, what rules to apply, and why the processing is taking place.
The respective responsibilities are set out in AuditSail's Terms of Service, accepted at registration:
| Responsibility | AuditSail | Customer |
|---|---|---|
| Platform security and infrastructure | ✓ | |
| AI processing and technical means | ✓ | |
| Sub-processor relationships | ✓ | |
| Decision to process consumer data | ✓ | |
| Compliance rules and parameters applied | ✓ | |
| Lawful basis for original data collection | ✓ | |
| Consumer-facing transparency and consent | ✓ |
Individuals may exercise their data protection rights against either party. If you are a consumer or claimant whose data has been processed through the platform, contact the organisation that originally collected your data in the first instance.
5. Personal Data We Collect as Controller
5.1 Platform Users and Business Contacts
When individuals are given access to the platform on behalf of their organisation, or when they contact us directly, we may collect:
- Full name
- Business email address and telephone number
- Organisation name and organisation type (selected from predefined options)
- User role within the organisation (selected from predefined options)
- Login credentials (stored in encrypted form)
- Activity logs within the platform
- Communications sent to or from us
5.2 Prospective Customers and Partners
When prospective customers or partners contact us via LinkedIn, social media, email, or other channels, we may collect:
- Name and professional details
- Contact information provided during outreach or enquiry
- Notes and records of communications
5.3 Platform Usage and Technical Data
We may collect technical data relating to use of the platform, including:
- IP addresses and device identifiers
- Browser type and operating system
- Session data and usage patterns
- Error logs and system diagnostics
6. How and Why We Use Personal Data (Legal Bases)
| Purpose | Data used | Legal Basis |
|---|---|---|
| Providing and administering the platform | User account data, activity logs, platform analytics | Performance of a contract (Article 6(1)(b)) |
| Managing business relationships | Contact data, communications | Legitimate interests (Article 6(1)(f)) |
| Responding to enquiries | Contact data, communications | Performance of a contract (Article 6(1)(b)) |
| Platform security and fraud prevention | Technical data, activity logs | Legitimate interests (Article 6(1)(f)) |
| Complying with legal obligations | Any relevant data | Legal obligation (Article 6(1)(c)) |
| Improving the platform | Anonymised usage data | Legitimate interests (Article 6(1)(f)) |
Where we rely on legitimate interests, we have assessed that our interests are not overridden by the rights and interests of the individuals concerned. You have the right to object to processing based on legitimate interests – see Section 11.
7. Content Processed Through the Platform
7.1 Compliance Guidelines Generation
Customers may use AuditSail's guidelines generation feature to produce compliance guidelines using AI. This feature is designed to receive only regulatory and platform-related inputs - such as regulatory body names, jurisdictions, and ad platform names. Users are instructed not to enter personal data into this feature. No personal data is processed through this function.
7.2 Marketing Assets Submitted for Pre-Approval
Customers and their partners submit creative assets including images, video, ad copy, SMS, email, and landing page content for compliance review before publication. Assets are automatically scored by AuditSail's AI engine against the compliance guidelines configured by the customer, and routed through the customer's approval workflow. In most cases this content does not contain personal data.
Where assets do incidentally contain personal data (for example, an ad featuring a named individual), the customer is responsible for ensuring they hold the appropriate rights and consents. AuditSail stores and processes these assets solely to facilitate the compliance review and approval workflow.
7.3 Live Ad Verification
This feature is planned but not yet live. No processing of this type is currently taking place.
When available, AuditSail will connect to advertising platforms including Meta, TikTok, and Google via secure API to pull live ads and compare them against approved versions. Where ads incidentally contain personal data, such as a named individual or testimonial, the customer is responsible for ensuring that personal data has been collected and used lawfully. This policy will be updated when this feature launches.
7.4 Call Recordings and Transcription
Call recordings submitted for compliance review will typically contain the voice of a consumer or claimant (which may constitute biometric data), personal and financial information, and in some cases sensitive information relating to health, vulnerability, or financial difficulty.
Call recording processing is subject to the full joint controller framework in Section 4.2. AuditSail's AI engine processes recordings and transcriptions automatically to assess script adherence, detect vulnerability signals, and flag prohibited phrases. This analysis evaluates the conduct of call handlers and marketing partners – it is not used to make solely automated decisions with legal or similarly significant effects about consumers as individuals. Customers are responsible for how they act upon the outputs of this analysis within their regulated activities.
AuditSail does not:
- Use call recording data for its own commercial, marketing, or analytical purposes
- Share this data with third parties except as necessary to deliver the platform (see Section 8)
- Retain this data beyond the periods set out in Section 10
8. Third-Party Integrations
Customers may connect third-party platforms to AuditSail – such as cloud storage, call centre systems, and diallers. Where they do so:
- The customer initiates and authorises the connection using their own credentials
- The customer determines what data is imported and from which sources
- AuditSail processes that data in accordance with the customer's configuration and instructions
The privacy implications of these integrations depend on the nature of the data imported and the customer's configuration. Customers remain responsible for ensuring they have the appropriate rights to transfer and process that data within AuditSail.
9. Who We Share Personal Data With
AuditSail does not sell personal data.
9.1 Sub-Processors
We use a number of third-party sub-processors to deliver our services. These organisations process personal data only on our instructions and are bound by appropriate data processing agreements. Our current sub-processors are:
| Provider | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and hosting; AI-powered platform processing | USA | IDTA |
| Google LLC | Cloud services; user authentication; website analytics; AI-powered platform processing | USA | IDTA |
| OpenAI, Inc. | AI-powered platform processing | USA | IDTA |
| AssemblyAI, Inc. | AI-powered platform processing | USA | IDTA |
| Mistral AI | AI-powered platform processing | EU (France) | UK Adequacy |
| Stripe, Inc. | Payment processing | USA | IDTA |
| Cookiebot (Cybot A/S) | Cookie consent management | EU (Denmark) | UK Adequacy |
| Hotjar Ltd | Session recording and heatmap analytics – planned, not yet active (marketing website only) | EU (Malta) | UK Adequacy |
All sub-processors located outside the UK are subject to appropriate safeguards in the form of the International Data Transfer Agreement (IDTA) or, where the recipient country benefits from a UK adequacy decision, on that basis. We review our sub-processor list regularly and will update this policy when sub-processors are added or changed.
9.2 Third-Party Controllers
When you visit our marketing website, certain third parties may collect data about your visit independently via tracking technologies. These parties operate as independent data controllers and process data in accordance with their own privacy policies. They are not sub-processors acting on AuditSail's instructions.
| Provider | Purpose | Privacy Policy |
|---|---|---|
| Meta Platforms, Inc. | Advertising measurement and audience building via Meta Pixel | facebook.com/privacy/policy |
| TikTok Technology Limited | Advertising measurement and audience building via TikTok Pixel | tiktok.com/legal/privacy-policy |
9.3 Customers
Where AuditSail acts as joint controller, processed data, including compliance reports and flagged content, is made available to the relevant customer within the platform.
9.4 Legal and Regulatory Obligations
We may disclose personal data where required by law, court order, or regulatory authority, including the FCA or ICO.
9.5 Business Transfers
In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the relevant third party. We will notify affected individuals where required.
10. How Long We Keep Personal Data
| Category | Retention period |
|---|---|
| Platform user account data | Duration of the customer contract + 12 months following termination |
| Business contact and communications data | 3 years from last meaningful contact |
| Consumer data processed under joint controllership | Duration of the customer's subscription + 6 years |
| Technical and usage logs | 12 months rolling |
Where we are required by law to retain data for a specific period, we will retain it for that period regardless of the above.
When data is no longer required it is securely deleted or anonymised. Where deletion is not immediately possible (for example in backup systems), we will isolate it from further processing until deletion is possible.
11. Your Rights
If AuditSail is the data controller for your personal data, you have the following rights:
- Right of access – to obtain a copy of the personal data we hold about you
- Right to rectification – to have inaccurate data corrected
- Right to erasure – to request deletion of your data in certain circumstances
- Right to restriction – to restrict how we process your data in certain circumstances
- Right to data portability – to receive your data in a structured, machine-readable format (where applicable)
- Right to object – to object to processing based on legitimate interests or for direct marketing
- Rights in relation to automated decision-making – to not be subject to solely automated decisions that produce significant effects
To exercise any of these rights contact us at privacy@auditsail.com. We will respond within one calendar month and may need to verify your identity before processing your request.
If you are not satisfied with our response you may complain to the ICO at ico.org.uk or on 0303 123 1113.
If your data was collected by one of our customers and submitted to the platform, both AuditSail and that customer may be joint controllers. You may exercise your rights against either party. We recommend contacting the organisation that originally collected your data in the first instance, as they will hold the broadest record of your information. We will cooperate fully with any requests and direct you appropriately.
12. Google Authentication
AuditSail offers the option to register and log in using your Google account. If you do so, Google will share your name, email address, and profile picture with us. We use this information solely to create and manage your AuditSail account and do not use it for marketing purposes or share it with third parties except as described in Section 9.
13. Payment Processing
Payments are processed by Stripe, Inc. AuditSail does not collect, store, or process payment card data directly. All payment information is submitted directly to Stripe and governed by Stripe's Privacy Policy at stripe.com/gb/privacy. We receive only transaction confirmation data for the purpose of administering your account.
14. Cookies and Tracking
We use cookies and similar tracking technologies on our marketing website and platform. Non-essential cookies are not placed on your device without your consent, which is managed via our cookie banner.
For full details, including a complete list of cookies in use and how to manage your preferences, see our Cookie Policy at auditsail.com/cookies.
15. Children
Our platform is intended for business use only. We do not knowingly collect or process personal data relating to children under the age of 18. If you believe we have inadvertently received such data, contact us immediately at privacy@auditsail.com.
16. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction, including:
- Encryption of data in transit and at rest
- Role-based access controls
- Audit logging of platform activity
- Regular security assessments
- Sub-processor due diligence
In the event of a personal data breach likely to result in risk to individuals, we will notify the ICO within 72 hours and, where required, notify affected individuals without undue delay.
17. Changes to This Policy
We may update this policy from time to time to reflect changes in our services, legal requirements, or data processing practices. The current version is always available at auditsail.com/privacy. Where changes are material we will notify platform users directly.
18. Contact Us
AuditSail Limited, 1 Cambridge Court, Harrowdene Road, Wembley, Greater London, England, HA0 2JW, privacy@auditsail.com
This policy was last reviewed on 24 February 2026.