Privacy Policy

Last updated: January 29, 2026

1. Introduction

Omen Systems ("we", "us", "our") operates AuditDraft. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. We are committed to compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

2. Data Controller

Omen Systems is the data controller for personal data processed through AuditDraft. For data protection inquiries, contact our Data Protection Officer at audit-support@omensystems.com.

3. Information We Collect

We collect the following categories of personal data:

  • Account information: Name, email address, profile photo (via Google OAuth)
  • Organization data: Company name, industry, AI system descriptions, market selections
  • Usage data: Pages visited, features used, documents generated, timestamps
  • Payment data: Processed by our payment provider (Dodo Payments); we do not store card details
  • Content data: Documents you create, AI system classifications, compliance tracking data
  • Technical data: IP address, browser type, device information, cookies

4. How We Use Your Information

  • Provide, maintain, and improve the Service
  • Process subscriptions and payments
  • Generate AI-powered compliance documents on your behalf
  • Send transactional emails (account confirmation, password reset, billing)
  • Send product updates and marketing communications (with consent)
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

5. Legal Basis for Processing (GDPR)

  • Contract performance: Processing necessary to provide the Service you subscribed to
  • Legitimate interest: Product improvement, security, fraud prevention
  • Consent: Marketing communications, optional analytics
  • Legal obligation: Tax records, regulatory compliance

6. Third-Party Services

We use the following third-party processors:

  • Convex: Database and backend infrastructure (USA)
  • Vercel: Application hosting and edge network (Global)
  • Google Gemini: AI document generation (USA)
  • Dodo Payments: Payment processing (EU/USA)
  • Google: Authentication via OAuth (USA)

All processors are bound by data processing agreements. For transfers outside the EEA, we rely on Standard Contractual Clauses or adequacy decisions.

7. Data Retention

  • Account data: retained while account is active, deleted 30 days after account deletion
  • Documents: retained while account is active, 30-day recovery period after deletion
  • Exported files: stored for 90 days, then automatically deleted
  • Audit logs: retained for 2 years for compliance purposes
  • Payment records: retained for 7 years per tax law requirements

8. Your Rights (GDPR)

You have the following rights regarding your personal data:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate personal data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Portability: Receive your data in a machine-readable format
  • Restriction: Request limitation of processing
  • Objection: Object to processing based on legitimate interest
  • Withdraw consent: Withdraw previously given consent at any time

To exercise these rights, contact audit-support@omensystems.com. We will respond within 30 days. You also have the right to lodge a complaint with a supervisory authority.

9. Cookies

We use essential cookies for authentication and session management. Analytics cookies are optional and require your consent. You can manage cookie preferences at any time through your browser settings. See our cookie consent banner for detailed options.

10. Security

We implement industry-standard security measures including TLS encryption in transit, encryption at rest, access controls, regular security audits, and secure development practices. See our Security page for details.

11. Children's Privacy

The Service is not directed to individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us immediately.

12. Changes to This Policy

We may update this policy periodically. Material changes will be communicated via email at least 30 days before taking effect. The "Last updated" date will be revised accordingly.

13. Contact

Omen Systems — audit-support@omensystems.com