
Privacy Policy

How we collect, use, share, and protect personal data, and the rights you have over it.

Last updated: July 4, 2026

1. Introduction and Scope

This Privacy Policy (the “Policy”) describes how Solution Bowl (“Solution Bowl”, “we”, “us”, or “our”), the operator of Audaitly, an artificial-intelligence website-audit platform for digital agencies (the “Service”), collects, uses, discloses, retains, and otherwise processes Personal Data in connection with the Service, our marketing website, and our related communications. Our registered address is [registered address of Solution Bowl to be inserted]. For all privacy matters, we can be reached at privacy@audaitly.ai.

The Service crawls websites that our customer (the “Customer”) authorizes and generates audit findings covering user interface and user experience, content, conversion, search engine optimization, accessibility, forms, and compliance signals. The Service is offered on an invite-only, business-to-business basis and is intended solely for use by persons aged 18 or older acting in a professional capacity.

1.1 Our roles. We act in two distinct capacities, and the applicable legal framework differs accordingly:

  • Controller. We act as a controller (or the equivalent concept under applicable law, including “business” under the CCPA/CPRA, “Data Fiduciary” under the DPDP Act, and “controlador” under the LGPD) with respect to Personal Data relating to our Customers’ personnel, prospective customers, and website visitors, including account, billing, usage, and marketing data. This Policy governs that processing.
  • Processor. We act as a processor (or the equivalent concept, including “service provider” under the CCPA/CPRA and “Data Processor” under the DPDP Act) with respect to Customer Audit Content, meaning the content of websites that a Customer instructs us to crawl and analyze. That processing is governed by our Data Processing Agreement (the “DPA”) and the Customer’s instructions, not by this Policy, except where this Policy expressly states otherwise. Individuals whose Personal Data appears within Customer Audit Content should direct requests to the relevant Customer, which determines the purposes and means of that processing.

1.2 Scope. This Policy applies to Personal Data processed in connection with the Service and our marketing website. It does not apply to the practices of third parties that we do not control, including the websites that Customers direct us to audit. By accessing or using the Service, you acknowledge that you have read and understood this Policy. Where consent is the applicable legal basis for a given processing operation, we will obtain it separately in the manner required by applicable law; this Policy is a notice, not a consent instrument.

2. Definitions

Capitalized terms used in this Policy have the meanings set out below:

  • “Personal Data” means any information relating to an identified or identifiable natural person, and includes “personal information” as defined under the CCPA/CPRA, “digital personal data” as defined under the DPDP Act, and “dados pessoais” as defined under the LGPD.
  • “Customer Audit Content” means the content of websites, pages, and associated assets that a Customer authorizes the Service to crawl and analyze, including HTML, text, screenshots, metadata, and network responses, together with the audit findings derived from them, which may incidentally contain Personal Data appearing on those websites.
  • “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure, or destruction.
  • “Sub-processor” means a third-party service provider engaged by us to process Personal Data on our behalf in connection with the Service.
  • “GDPR” means Regulation (EU) 2016/679 (the General Data Protection Regulation); “UK GDPR” means the GDPR as incorporated into United Kingdom law by the Data Protection Act 2018; “CCPA/CPRA” means the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020, together with implementing regulations; “DPDP Act” means India’s Digital Personal Data Protection Act, 2023; and “LGPD” means Brazil’s Lei Geral de Proteção de Dados (Law No. 13,709/2018).
  • “You” means the natural person whose Personal Data we process as a controller, such as a Customer’s authorized user, a prospective customer, or a visitor to our marketing website.

3. Categories of Personal Data We Collect

We collect the following categories of Personal Data. For each category we identify the typical sources from which the data is obtained.

3.1 Identity and contact data

Name, work email address, company or agency name, job title, and any other identifying details you choose to provide. Source: provided directly by you when you request an invitation, create an account, or correspond with us; or provided by the Customer that invites you to its workspace.

3.2 Account and credential data

Authentication credentials, session tokens, sign-in method (including whether you use optional Google OAuth sign-in), workspace membership, and role assignments. Source: generated by the Service when you register and authenticate; where you use Google sign-in, limited profile information (such as your name and email address) is received from Google with your authorization.

3.3 Commercial and billing data

Subscription plan, transaction history, invoices, and payment status. Payment card details are collected and processed directly by Stripe, our payment processor; we never store full card numbers. Source: provided by you or your organization at the time of purchase, and generated by Stripe in the course of processing payments.

3.4 Usage and technical log data

Product usage records (such as audits initiated, features used, and credits consumed), IP address, browser and device type, operating system, timestamps, referring pages, error and diagnostic logs, and security event logs. Source: collected automatically when you interact with the Service or our marketing website.

3.5 Communications data

The content of emails, support requests, access requests, feedback, and other correspondence you exchange with us, together with associated metadata. Source: provided directly by you.

3.6 Customer Audit Content incidentally containing Personal Data

When the Service crawls a website at a Customer’s instruction, the crawled pages may incidentally contain Personal Data of third parties, for example names appearing in testimonials, contact details on a staff page, or the content of published forms. We process such data solely as a processor on the Customer’s documented instructions, solely to generate the audit findings, and in accordance with the DPA. Source: the websites the Customer authorizes for crawling.

We do not intentionally collect special categories of Personal Data (such as data revealing health, religious beliefs, or political opinions), and we ask that you do not submit such data to us. We do not purchase Personal Data from data brokers and we do not acquire marketing lists.

4. Purposes and Legal Bases of Processing

Where the GDPR or UK GDPR applies, we process Personal Data only where a legal basis under Article 6 exists. The table below maps our processing purposes to the categories of Personal Data involved and the applicable legal basis. Where we rely on legitimate interests, we have identified the specific interest pursued and have balanced it against your rights and freedoms; you may request further information about a specific balancing assessment.

Purpose | Data categories | Legal basis (GDPR Art. 6)
Providing, operating, and administering the Service, including account creation and authentication | Identity and contact; account and credential | Performance of a contract (Art. 6(1)(b))
Executing audits and delivering findings and reports at the Customer’s instruction | Customer Audit Content; account and credential | Performance of a contract (Art. 6(1)(b)); as processor, the Customer’s documented instructions under the DPA
Billing, invoicing, and subscription management | Identity and contact; commercial and billing | Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) for tax and accounting records
Securing the Service, preventing fraud and abuse, enforcing crawl scoping, and investigating incidents | Usage and technical log; account and credential | Legitimate interests (Art. 6(1)(f)): protecting the security and integrity of the Service and its users
Improving and developing the Service, including aggregate usage analysis | Usage and technical log (aggregated or pseudonymized where feasible) | Legitimate interests (Art. 6(1)(f)): understanding and improving product performance and reliability
Reviewing access requests and responding to inquiries and support requests | Identity and contact; communications | Performance of a contract, including pre-contractual steps (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)): serving prospective customers
Sending service and transactional communications (for example sign-in links and audit notifications) | Identity and contact; account and credential | Performance of a contract (Art. 6(1)(b))
Sending optional product news or marketing, where applicable law requires consent | Identity and contact | Consent (Art. 6(1)(a)), withdrawable at any time
Complying with legal obligations, responding to lawful requests, and establishing, exercising, or defending legal claims | All categories, as required | Legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)): protecting our legal position

We do not use Customer Audit Content, or any Personal Data contained in it, to train artificial-intelligence models, and our AI inference provider does not use your content to train models and is contractually restricted from doing so, as described in Section 5.

5. How We Share Personal Data

We do not sell Personal Data, and we do not share Personal Data for cross-context behavioral advertising. We disclose Personal Data only as described in this Section.

5.1 Sub-processors and service providers

We engage the following categories of Sub-processors to operate the Service, as permitted by Article 13(1)(e) GDPR. Each is bound by a written contract that limits its processing to the purposes stated below and imposes confidentiality and security obligations consistent with this Policy and, where applicable, the DPA. The identities of our current Sub-processors are available to Customers upon written request to privacy@audaitly.ai.

Category of recipient | Purpose | Location
AI inference provider | AI model inference on audit content to generate findings; API data is not used to train models | United States
Cloud hosting and database infrastructure provider | Cloud hosting, compute, and databases | Asia-Pacific (primary region) and United States
Transactional email delivery provider | Transactional email delivery (sign-in links, notifications) | United States
Identity provider for optional single sign-on (Google) | Optional OAuth sign-in authentication | United States and global infrastructure
Payment processor (Stripe) | Payment processing and subscription billing; we never store full card numbers | United States and global infrastructure

5.2 Other disclosures

  • Legal disclosures. We may disclose Personal Data where we believe in good faith that disclosure is required by applicable law, regulation, legal process, or enforceable governmental request, or is necessary to detect or prevent fraud or security incidents, or to protect the rights, property, or safety of Solution Bowl, our Customers, or the public. Where lawfully permitted, we will notify the affected Customer before disclosing Customer Audit Content.
  • Corporate transactions. If Solution Bowl is involved in a merger, acquisition, financing, reorganization, insolvency proceeding, or sale of all or part of its assets, Personal Data may be disclosed or transferred as part of that transaction, subject to confidentiality protections. We will provide notice of any resulting change of controller or material change to this Policy.
  • At your direction. We may share Personal Data with third parties where you or your Customer administrator direct us to do so.

We do not disclose Personal Data to third parties for their own independent marketing purposes.

6. International Data Transfers

The Service is hosted on cloud infrastructure with an Asia-Pacific primary region, and our infrastructure and AI inference Sub-processors may process Personal Data in the United States and other jurisdictions. Accordingly, your Personal Data may be transferred to, stored in, and processed in countries other than your own, including countries that have not been deemed to provide an adequate level of data protection by the authorities of your jurisdiction.

Where we make such transfers, we implement appropriate safeguards, including:

  • for transfers subject to the GDPR, the European Commission’s Standard Contractual Clauses (“SCCs”), supplemented where necessary by additional technical and organizational measures;
  • for transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the SCCs or the UK International Data Transfer Agreement, as applicable;
  • for transfers subject to the DPDP Act, compliance with any restrictions on transfers to countries notified by the Government of India, together with contractual safeguards equivalent to those described above; and
  • for transfers subject to the LGPD, transfer mechanisms recognized under Articles 33 to 36 of the LGPD, including contractual clauses providing an adequate level of protection.

You may request further information about the safeguards applicable to a specific transfer, including a copy of the relevant contractual clauses (redacted where necessary), by contacting privacy@audaitly.ai.

7. Data Retention

We retain Personal Data only for as long as reasonably necessary to fulfil the purposes for which it was collected, to comply with our legal, accounting, tax, and reporting obligations, to resolve disputes, and to establish, exercise, or defend legal claims. Retention periods are determined by the criteria set out below.

Category | Retention period or criteria
Identity, contact, account, and credential data | Life of the account, plus a limited period thereafter to handle residual inquiries, enforce our Terms of Service, and satisfy legal obligations
Customer Audit Content (including incidental Personal Data) | Until the Customer requests deletion or the account is closed, subject to the DPA and any mandatory legal retention
Commercial and billing records | As required by applicable tax and accounting law, typically 7 to 8 years from the relevant transaction
Usage and technical logs | A short rolling window appropriate to security monitoring and diagnostics, after which logs are deleted or aggregated
Communications and support correspondence | For as long as needed to resolve the matter and for a reasonable period thereafter for record-keeping
Backups | Nightly backups on a rolling retention of approximately 14 days, plus pre-deployment snapshots; deleted data ages out of backups in the ordinary course

When retention is no longer justified, we delete or irreversibly anonymize the relevant Personal Data. Data deleted from production systems may persist in encrypted backups for the remainder of the backup retention window described above before being overwritten.

8. Security

We implement technical and organizational measures designed to protect Personal Data against unauthorized access, disclosure, alteration, and destruction, including: database-level Row-Level Security providing tenant isolation between Customer workspaces; encryption in transit using TLS and encryption at rest on encrypted volumes; role-based access controls; scoped crawling with protections against server-side request forgery; and nightly backups with a rolling retention of approximately 14 days plus pre-deployment snapshots. A fuller description of our security program is available on our Security page.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a Personal Data breach affecting you, we will notify you and the competent authorities where and as required by applicable law.

9. Your Rights (GDPR / UK GDPR)

Where the GDPR or UK GDPR applies to our processing of your Personal Data as a controller, you have the following rights, subject to the conditions and exemptions in applicable law:

  • Access: to obtain confirmation of whether we process your Personal Data and to receive a copy of it, together with prescribed information about the processing.
  • Rectification: to have inaccurate Personal Data corrected and incomplete Personal Data completed.
  • Erasure: to have your Personal Data deleted in the circumstances set out in Article 17 GDPR.
  • Restriction: to restrict processing in the circumstances set out in Article 18 GDPR.
  • Portability: to receive Personal Data you provided to us in a structured, commonly used, machine-readable format, and to transmit it to another controller where technically feasible.
  • Objection: to object to processing based on legitimate interests on grounds relating to your particular situation, and to object at any time to processing for direct marketing purposes.
  • Withdraw consent: where processing is based on consent, to withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal.
  • Complain: to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement, or with the UK Information Commissioner’s Office.

To exercise any of these rights, contact privacy@audaitly.ai. We will respond within one month, extendable by two further months for complex or numerous requests as permitted by law, in which case we will inform you of the extension. Where a request concerns Personal Data contained in Customer Audit Content that we process as a processor, we will refer the request to the relevant Customer and assist that Customer as required by the DPA.

10. Additional Notice for California Residents (CCPA/CPRA)

This Section supplements this Policy for California residents and applies to Personal Data (“personal information”) that we process as a business under the CCPA/CPRA.

10.1 Categories collected in the preceding 12 months

CCPA statutory category | Collected | Examples in our context
Identifiers | Yes | Name, work email address, IP address, account identifiers
Customer records (Cal. Civ. Code § 1798.80(e)) | Yes | Company name, billing and transaction records (no full card numbers)
Commercial information | Yes | Subscription plan, purchase history, credits consumed
Internet or other electronic network activity | Yes | Usage logs, device and browser information, interactions with the Service
Professional or employment-related information | Yes | Job title, employer or agency name
Sensitive personal information | Limited | Account credentials used to sign in; used only to provide the Service
Geolocation data (precise) | No | Not collected; coarse location may be inferable from IP address in logs
Protected classifications; biometric information; audio, visual, or similar sensory data; education information; inferences used for profiling | No | Not collected

10.2 Sources, purposes, and disclosures

We collect these categories from you directly, from your organization, automatically from your use of the Service, and from our Sub-processors (for example payment status from Stripe and profile data from Google where you use OAuth sign-in). We use them for the business purposes described in Section 4 and disclose them to the service providers listed in Section 5.1 for those business purposes only.

We have not sold personal information, and we have not shared personal information for cross-context behavioral advertising, in the preceding 12 months, and we do not do so. We do not use or disclose sensitive personal information for purposes other than those permitted by Cal. Civ. Code § 1798.121(a) and its implementing regulations. We have no actual knowledge of selling or sharing the personal information of consumers under 16 years of age.

10.3 Your California rights

  • the right to know the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of recipients;
  • the right to delete personal information, subject to statutory exceptions;
  • the right to correct inaccurate personal information;
  • the right to opt out of sale or sharing (not applicable, as we do neither);
  • the right to limit the use and disclosure of sensitive personal information (we already limit such use as described above); and
  • the right to non-discrimination for exercising any of these rights.

10.4 Verification, authorized agents, and Global Privacy Control

Submit requests to privacy@audaitly.ai. We will verify your identity by matching the information you provide against the information we hold, for example by confirming your control of the email address associated with your account, and we may request additional information where reasonably necessary. An authorized agent may submit a request on your behalf if the agent provides your signed permission and we can verify your identity; we may also require you to confirm the request with us directly. Because we do not sell or share personal information, opt-out preference signals such as the Global Privacy Control do not change any processing we perform; we nonetheless honor the legal effect of such signals to the extent required by law.

11. Additional Notice for India (DPDP Act 2023)

This Section supplements this Policy for individuals in India whose digital personal data we process. For such data processed for our own purposes, Solution Bowl acts as the Data Fiduciary. For Customer Audit Content, the Customer is the Data Fiduciary and we act as a Data Processor on its instructions.

11.1 Data Principal rights

As a Data Principal, you have the right to:

  • access a summary of the personal data we process about you, the processing activities undertaken, and the identities of the persons with whom your personal data has been shared;
  • correction and erasure of your personal data, including completion and updating of inaccurate or incomplete data;
  • grievance redressal through a readily available means, as described in Section 11.3; and
  • nominate another individual to exercise your rights in the event of your death or incapacity.

11.2 Consent and withdrawal

Where we process your personal data on the basis of consent, the consent is free, specific, informed, unconditional, and unambiguous, given by clear affirmative action. You may withdraw consent at any time by contacting us, with the same ease with which it was given. Withdrawal does not affect the lawfulness of processing carried out before withdrawal, and following withdrawal we will cease the processing based on that consent within a reasonable time unless another lawful ground applies.

11.3 Grievance Officer

You may contact our Grievance Officer at: Grievance Officer, Solution Bowl, privacy@audaitly.ai. We will acknowledge and respond to grievances within the timelines prescribed under the DPDP Act and its rules, endeavoring in any event to respond within 30 days. If you are not satisfied with our response, or do not receive one within the prescribed period, you have the right to complain to the Data Protection Board of India.

12. Additional Notice for Brazil (LGPD)

This Section supplements this Policy for individuals in Brazil. We process personal data under the legal bases of Article 7 of the LGPD, principally: performance of a contract or preliminary procedures relating to a contract (Art. 7(V)); compliance with a legal or regulatory obligation (Art. 7(II)); the legitimate interests of the controller or a third party (Art. 7(IX)), subject to the balancing required by Article 10; and consent (Art. 7(I)) where required.

Under Article 18 of the LGPD, you have the right to obtain from us:

  • confirmation of the existence of processing;
  • access to your personal data;
  • correction of incomplete, inaccurate, or outdated data;
  • anonymization, blocking, or deletion of unnecessary or excessive data or data processed in noncompliance with the LGPD;
  • portability of your data to another service or product provider, subject to regulatory requirements;
  • deletion of personal data processed with your consent, except where retention is permitted by law;
  • information about the public and private entities with which we have shared your data;
  • information about the possibility of denying consent and the consequences of such denial; and
  • revocation of consent.

Our Encarregado (data protection officer) for LGPD purposes can be reached at privacy@audaitly.ai. You also have the right to petition the Autoridade Nacional de Proteção de Dados (ANPD) regarding your personal data.

13. Cookies and Similar Technologies

We use strictly necessary cookies only. We do not use analytics cookies, advertising cookies, or any cross-site tracking technologies, and we do not permit third parties to place tracking cookies through the Service or our marketing website.

Cookie name | Purpose | Duration
authjs.session-token | Maintains your authenticated session after sign-in (strictly necessary) | Session-based
__Secure-authjs.session-token | Secure variant of the session cookie, served over HTTPS only (strictly necessary) | Session-based

Because we set no cookies other than those strictly necessary to provide a service you have explicitly requested, applicable e-privacy rules do not require us to display a cookie consent banner. If we ever introduce non-essential cookies, we will update this Policy first and implement a compliant consent mechanism before setting them.

14. Automated Decision-Making

The Service uses artificial intelligence to analyze websites, not people. Audit findings are assessments of web pages, their content, and their technical characteristics. We do not use Personal Data to make automated decisions that produce legal effects concerning individuals or that similarly significantly affect them, within the meaning of Article 22 GDPR or equivalent provisions of other applicable laws. Decisions about account access, invitations, and billing involve human review.

15. Children’s Privacy

The Service is a business tool offered on an invite-only basis and is not directed to, or intended for use by, anyone under 18 years of age. We do not knowingly collect Personal Data from children. If you believe a person under 18 has provided Personal Data to us, contact privacy@audaitly.ai and we will delete it promptly.

16. Third-Party Links

Our website and the Service may contain links to third-party websites, including the websites that Customers direct us to audit. We are not responsible for the privacy practices or content of those third parties, and this Policy does not apply to them. We encourage you to review the privacy policy of every website you visit.

17. Changes to This Policy

We may amend this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or Sub-processors. When we do, we will revise the “Last updated” date above. For material changes, we will provide reasonable advance notice, for example by email to account holders or by prominent notice within the Service, and, where required by applicable law, we will obtain your consent. Your continued use of the Service after the effective date of a revised Policy constitutes acknowledgment of the revision to the extent permitted by law. Prior versions are available on request.

18. Contact and Complaints

For any question, request, or complaint regarding this Policy or our processing of Personal Data, contact us at privacy@audaitly.ai or by post at [registered address of Solution Bowl to be inserted]. [EU/UK representative to be appointed if required under Article 27 GDPR / UK GDPR; details to be inserted upon appointment.]

We will endeavor to resolve any complaint directly with you. You additionally have the right to complain to your local supervisory or data protection authority, including a European supervisory authority or the UK Information Commissioner’s Office under the GDPR and UK GDPR, the Data Protection Board of India under the DPDP Act, and the ANPD under the LGPD. Related documents: our Terms of Service, our Data Processing Agreement, and our Security overview.