
Privacy Policy

How Audito collects, stores, and shares data. Plain language, no surprises.

Last updated: effective immediately on publish.

What we collect

Audito only collects what it needs to inventory your dependencies, watch them for risk, and notify you when something changes. The categories below cover everything we store.

Account & sign-in

Authentication is handled by our identity provider. You can sign in with an email address or with a connected identity provider — Google or GitHub (OAuth). When you use social sign-in, we receive the basic profile the provider releases to us — your email address, display name, avatar, and the provider account identifier used to recognize you on return. We don't receive your password or gain access to your Google or GitHub account beyond confirming who you are. We never store passwords ourselves.

Workspace content you create

  • Libraries you add — name, ecosystem (npm, PyPI, etc.), and any notes you attach.
  • Dependency manifests you import. For supported manifest and SBOM formats (e.g. package.json, requirements.txt, pyproject.toml, CycloneDX), the raw uploaded content is stored on the library record so we can re-parse it as our parsers improve.
  • Software and SaaS services you track, including vendor URLs and the status pages or RSS feeds you've pointed us at.
  • Per-dependency notes, dismissals, and triage decisions you record.

GitHub connection

If you install the Audito GitHub App, we store the connection details and the dependency information we read from the repositories you grant. This is described in full in the dedicated section below.

Billing data

If you subscribe to a paid plan, we store your subscription status, plan, seat count, and an identifier that links your account to a record held by our payment processor — plus a log of billing events (renewals, cancellations, payment failures). Card and payment details are entered directly with the processor; we never receive or store full card numbers.

API access tokens

If you create tokens for programmatic access (for example, to use Audito's MCP server or API from your tools), we store a hashed form of each token — never the plaintext after it's shown to you once — along with a label and last-used metadata so you can manage and revoke them.

Audit log

We keep a log of mutations you make in your workspace — library.created, dependency.bulk_imported, finding.dismissed, and similar events. This is used so you can see what changed and when.

Preferences

Email digest preferences (off by default — opt-in only), remediation settings, and any UI preferences your account has set.

What we don't collect

Things we deliberately stay out of:

  • Your source code. We ingest manifest and lockfile content (declared dependencies and resolved versions) — not the application code that imports them. This holds even when you connect a GitHub repository: we read dependency manifests and lockfiles, not your program logic.
  • Card and payment details. Full card numbers and banking details go straight to our payment processor. We only see non-sensitive billing metadata such as plan and status.
  • Advertising or cross-site tracking cookies. We don't set them and we don't share data with ad networks.
  • Third-party analytics with cross-site profiling. Audito has no analytics SDK installed today. If that ever changes, we'll update this page and tell you what we added.
  • Sensitive identifiers. We don't ask for government IDs or device fingerprints.

When you connect GitHub

Connecting GitHub is optional. If you install the Audito GitHub App on an account or organization, you choose which repositories it can see, and you can change or revoke that access from GitHub at any time.

What we store

  • The installation and the account or organization it belongs to, linked to your Audito workspace.
  • The repositories and workspaces you let us sync, and the mapping between each one and the Audito library it feeds.
  • The dependency manifests and lockfiles we read from those repositories (for example package.json and package-lock.json) to keep your libraries current.

What we do with it

  • Auto-sync. When you push to a repository's default branch, we reconcile its declared dependencies into the matching Audito library and re-scan for risk — so your inventory tracks the code without manual re-imports.
  • Dependency checks. We may post a check summarizing findings for a push.
  • Remediation pull requests — opt-in, off by default. If you enable it, Audito can open draft pull requests proposing minimal, safe dependency upgrades. We only write to your repositories in this one way, and only when you've turned it on. You review, test, and decide whether to merge — nothing is merged automatically.

We don't read application source beyond dependency manifests and lockfiles, and we never use your repository contents to train models or for any purpose other than operating these features for you.

Sub-processors and third parties

Audito relies on a small set of service providers to operate. We describe them by the function they perform rather than by brand, so this page doesn't double as a map of our internal infrastructure. The current list of named sub-processors is available on request at privacy@audito.dev.

Service providers that store data

  • Authentication provider — handles sign-in, social login (Google and GitHub), session management, and your account profile.
  • Cloud database & hosting provider — runs the managed database and infrastructure where your workspace content lives. Access is scoped per tenant using row-level security.
  • Email delivery provider — sends digest emails and account notifications, only if you've opted in. Without an opt-in, we don't hand your address to this provider.
  • Payment processor — handles checkout, card processing, and the billing portal for paid plans. Your card details are entered with them, not us.

Public sources we query (data flows out, not in)

While scanning your dependencies, our backend makes outbound requests to public registries and advisory feeds. We send package names and versions — never your account or workspace identifiers.

  • OSV.dev — Open Source Vulnerabilities database.
  • npm and PyPI registries — version metadata and release timestamps.
  • GitHub — advisory metadata and repository information for dependencies that publish there.
  • Repology — may be queried for cross-ecosystem package mapping (for example, conda-style manifests).
  • Statuspage v2 endpoints and RSS / Atom feeds — for the SaaS-services tracker we make outbound requests to URLs you configure. Those vendors don't receive any data about you, only an anonymous request from our backend.

Cookies

Audito uses the minimum cookies required to keep you signed in. There are no advertising cookies and no third-party trackers.

  • Session cookies — essential. Set by our authentication provider, they keep you authenticated as you move between pages. You can't opt out without signing out, because they're what proves the request is yours.
  • Theme / UI preferences — a small first-party cookie or local storage entry to remember light vs. dark mode and similar settings.

Data retention

We keep workspace data for as long as you have an active account, and delete it on request or on account deletion.

  • Account and workspace data — retained while your account is active. When you delete your account, the associated workspace records are removed from our database.
  • GitHub connection data — when you uninstall the GitHub App or remove a repository's access, we stop syncing it and remove the connection records on our side.
  • Billing records — subscription and billing-event history is retained as needed to provide the service and to meet tax and accounting obligations, even after a plan ends.
  • Audit log entries — retained for up to 12 months, then automatically removed. If you want them deleted sooner, email us at privacy@audito.dev.
  • Backups — our hosting provider keeps automated database backups on a standard schedule. Deleted records may persist in backups until those rotate out.

International data transfers

Audito and its service providers may store and process your data in the United States and other countries that may have different data protection laws than where you live.

Where we transfer personal data out of the EU, UK, or another region with transfer restrictions, we rely on appropriate safeguards — such as the European Commission's Standard Contractual Clauses — through our agreements with the providers involved. If you'd like more detail about a specific transfer, contact us at the address below.

Your rights

Whatever jurisdiction you're in, you can ask us to access, correct, or delete the data we hold about you. If you're in the EU, UK, or another region with similar laws (GDPR, UK DPA), those rights apply directly.

  • Access and export. The dashboard already exposes most of your data. For a full export, email privacy@audito.dev and we'll send you a machine-readable copy.
  • Correction. Most fields can be edited directly from the dashboard. Tell us if something can't be and you need it changed.
  • Deletion. Delete your account from your account settings and your workspace data is removed from our database. You can also email us to request deletion of specific records.
  • Objection or restriction. Email us if you want us to stop a specific kind of processing.

We haven't appointed a Data Protection Officer — we're too small for that to be required. For privacy questions, the inbox above is the right place.

Security

What we do today, and what we don't.

  • TLS in transit. All traffic between you and Audito, and between Audito and its sub-processors, is encrypted.
  • Row-level security at the database. Workspace data is scoped per tenant in the database so requests can only read or write what they own.
  • Delegated authentication. Sign-in, OAuth, password handling, and MFA are delegated to a specialist identity provider rather than rolled in-house.
  • Hashed credentials. API access tokens are stored hashed, so a database read alone can't recover a usable token.
  • No formal certifications today. Audito does not currently hold SOC 2, ISO 27001, or similar attestations. If that's a hard requirement for you, get in touch and we'll tell you where we are.

Data breaches

If we become aware of a security breach that affects your personal data, we'll notify you without undue delay — and, where the law requires it, the relevant data protection authority — describing what happened, what data was involved, and the steps we're taking in response.

We use the email address on your account for this, so please keep it current.

Children

Audito is not directed at children under 16, and we don't knowingly collect data from them. If you believe a child has signed up, email us and we'll remove the account.

Changes to this policy

When we change how we handle data, we update this page and bump the “last updated” date at the top. For changes that materially affect how your data is processed — adding a new sub-processor, broadening retention, anything user-visible — we email the address on your account before the change takes effect.

Contact

Questions, requests, or concerns about anything on this page go to privacy@audito.dev. We aim to reply within a few business days.

Audito is currently operated by an individual based in Santiago, Chile, acting as the data controller for the personal data described in this policy. You can reach the controller at privacy@audito.dev, and we'll provide the operator's full legal identity on request. Once a legal entity is formed to operate Audito, this section will name that entity and its registered address, and that entity will become the data controller. We'll update this page and the “last updated” date when that happens.