Last updated:
Privacy Policy — AuditFlash.ai
1. Data Controller
The AuditFlash.ai platform, accessible at aiflashaudit.com, is operated by Taher Mestiri, sole trader (auto-entrepreneur), registered at 14, rue du Clos de la Herse, 45800 Saint-Jean-de-Braye, France, SIRET 914 979 125 00012 (hereinafter "AuditFlash.ai" or "we").
Contact: contact@aiflashaudit.com
Data Protection Officer: privacy@aiflashaudit.com
2. Data Collected and Purposes
2.1 Identification and contact data
- First name, last name, professional email address
- Job title and department
- Company name, industry, company size
Purpose: service delivery, report communication, customer relationship. Legal basis: performance of contract (Art. 6(1)(b) GDPR).
2.2 Diagnostic and maturity data
- Answers to the AI maturity questionnaires
- Generated outputs (scores, recommendations, reports)
Purpose: audit report generation, scoring algorithm improvement, anonymised sector benchmarking. Legal basis: performance of contract; legitimate interest for service improvement (aggregated and anonymised data only).
2.3 Technical and navigation data
- IP address, browser type, operating system
- Pages visited, session duration, actions taken
- Cookie data (see section 7)
Purpose: security, technical performance, user experience improvement. Legal basis: legitimate interest.
2.4 Payment data
Payment data is collected and processed exclusively by our PCI-DSS certified payment provider Stripe. AuditFlash.ai does not store any banking or credit card data on its own servers. Legal basis: performance of contract.
3. Recipients
Your data is accessible to AuditFlash.ai's internal team and may be shared with the following sub-processors, in strict compliance with GDPR:
- Platform host: AWS — European Union
- AI models: Anthropic (Claude API) — processing limited to data strictly necessary for report generation
- Payment provider: Stripe — billing data only
- Transactional email: Mailjet — report delivery and notifications
No personally identifiable data is sold, rented, or transferred to third parties for commercial purposes.
4. International Transfers
Some of our sub-processors (notably Anthropic) are established outside the European Union. These transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, pursuant to Art. 46 GDPR. Contact privacy@aiflashaudit.com for more information.
5. Retention Periods
- Account and identification data: duration of the contractual relationship + 3 years after termination
- Audit reports and results: 2 years from the date of completion (Flash and Expert tiers)
- Navigation data and technical logs: 12 rolling months
- Billing data: 10 years (statutory accounting obligation)
- Prospecting data (free tier): 3 years from last contact
6. Your Rights
Under the GDPR (Arts. 15–22) and the French Data Protection Act, you have the following rights:
- Right of access: obtain a copy of your personal data
- Right to rectification: correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten"): in cases provided for by law
- Right to restriction of processing: freeze the use of your data
- Right to data portability: receive your data in a structured, machine-readable format
- Right to object: object to processing based on legitimate interest
- Right not to be subject to a decision based solely on automated processing (Art. 22): applies to the automated audit scores described in section 9
To exercise these rights: privacy@aiflashaudit.com — Response within 30 calendar days.
You may also lodge a complaint with the CNIL (www.cnil.fr).
7. Cookies
7.1 Strictly necessary cookies
Essential for platform operation (session management, authentication, CSRF protection). These cannot be disabled.
7.2 Analytics cookies
Subject to your consent, we use Google Analytics 4 (provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) to analyse platform usage and improve our services. Google Analytics uses cookies to collect anonymised data about your navigation (pages visited, session duration, approximate geographic origin). This data is transmitted to Google servers, which may be located outside the European Union; these transfers are governed by Standard Contractual Clauses. You may withdraw your consent at any time via the cookie banner. You may also opt out globally using the Google Analytics opt-out browser add-on.
7.3 Third-party cookies
With the exception of Google Analytics, no advertising or third-party targeting cookies are used on the platform.
8. Data Security
AuditFlash.ai implements appropriate technical and organisational measures to protect your data against unauthorised access, loss, alteration, or disclosure, including: TLS encryption in transit, encryption at rest, role-based access control, access logging, and periodic security audits.
9. Automated Decisions and AI
The AI maturity scores generated by the platform are based on automated processing of your answers. These scores are indicative only and do not give rise to any legal decision or decision producing significant effects without human intervention. You may request an explanation of the scoring methodology at any time by contacting contact@aiflashaudit.com.
10. Policy Updates
This policy may be updated to reflect changes in our practices or applicable law. In the event of a material change, you will be notified by email or platform notification at least 15 days before the new version takes effect.