Privacy Policy

Last updated: January 22, 2026

GDPR Compliant | EU-Hosted | Your data never leaves Europe

1. Introduction

This Privacy Policy explains how Francisco Javier Pulido Vergara ("we", "us", or "our") collects, uses, and protects your personal data when you use AuditBeam ("the Service").

We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) and Spanish data protection laws.

Data Controller: Francisco Javier Pulido Vergara, Seville, Spain
Contact: support@auditbeam.eu

2. What Data We Collect

2.1 Account Information

When you register, we collect:

  • Email address (required for login and communication)
  • Name (required for account identification)
  • Password (encrypted and hashed with bcrypt - we never store plaintext passwords)
  • Registration date
  • Subscription tier (Free, Starter, Professional, Business)

2.2 AWS Account Metadata

When you add an AWS account, we collect:

  • IAM Role ARN (Amazon Resource Name of the role we assume)
  • AWS Account ID (12-digit identifier)
  • Account nickname (optional, for your reference)
  • AWS Region where the role is located

2.3 Scan Data

When you run scans, we collect:

  • Infrastructure metadata (resource ARNs, configuration states, tags)
  • Scan results (pass/fail status for each compliance check)
  • Scan timestamps
  • Resource counts (e.g., "5 S3 buckets scanned")

2.4 Usage Data

We automatically collect:

  • Login timestamps
  • IP address (for security purposes)
  • Browser type and version
  • Pages visited
  • Scan frequency

2.5 What We DON'T Collect

We do NOT collect or access:

  • ❌ Your application data or files
  • ❌ Contents of S3 buckets
  • ❌ Database records or contents
  • ❌ EC2 file systems
  • ❌ Your customers' personal data
  • ❌ AWS access keys or secret keys (we use temporary credentials only)
  • ❌ Passwords or secrets stored in your infrastructure

3. Legal Basis for Processing (GDPR)

We process your data based on the following legal grounds:

3.1 Contract Performance (GDPR Art. 6(1)(b))

Processing necessary to provide the Service you've requested (account creation, scans, reports).

3.2 Legitimate Interest (GDPR Art. 6(1)(f))

Processing for security, fraud prevention, and service improvement, balanced against your rights.

3.3 Consent (GDPR Art. 6(1)(a))

For optional features like marketing emails (you can withdraw consent anytime).

4. How We Use Your Data

We use your data to:

  • ✅ Provide the Service (run scans, generate reports)
  • ✅ Authenticate you and manage your account
  • ✅ Send service-related emails (scan completion, account updates)
  • ✅ Improve the Service and develop new features
  • ✅ Detect and prevent fraud or security issues
  • ✅ Comply with legal obligations
  • ✅ Respond to support requests

We will NOT:

  • ❌ Sell your data to third parties
  • ❌ Use your data for advertising
  • ❌ Share your AWS infrastructure data with anyone
  • ❌ Send marketing emails without your consent

5. Data Storage and Security

5.1 Where We Store Your Data

All data is stored in the European Union (Germany).

  • Application server: EU (Germany)
  • Database: EU (same server)
  • Backups: EU (encrypted)

Your data never leaves the EU. We do not use US-based cloud providers for data storage or processing.

5.2 How We Protect Your Data

Security measures include:

  • Encryption in transit: TLS 1.2+ for all connections
  • Encryption at rest: Database encryption enabled
  • Password hashing: Bcrypt with strong work factors
  • Secure sessions: HttpOnly, Secure cookies with 12-hour timeout
  • Access control: Minimal access, SSH key-based authentication only
  • Firewall: Only HTTPS (443) and SSH (22) ports open
  • Regular updates: Security patches applied promptly
  • Backups: Daily encrypted backups

5.3 Data Retention

We retain data as follows:

  • Account data: Until you request deletion
  • Scan results (Free tier): 30 days
  • Scan results (Paid tiers): 365 days
  • Logs: 90 days
  • Deleted accounts: Purged within 30 days

6. Data Sharing and Third Parties

6.1 Who We Share Data With

We do not sell or share your personal data with third parties for marketing.

We may share data with:

  • AWS: To assume IAM roles and scan your infrastructure (temporary credentials only)
  • Email provider: To send service emails (if we use a service like SendGrid - currently we don't)
  • Payment processor: When paid tiers launch (e.g., Stripe - they handle payment data, we don't see credit card numbers)

6.2 Legal Disclosures

We may disclose data if required by law, court order, or to protect our legal rights. We will notify you unless prohibited by law.

6.3 No International Transfers

Your data stays in the EU. We do not transfer data to countries outside the European Economic Area.

7. Your Rights Under GDPR

As an EU resident, you have the following rights:

7.1 Right to Access (Art. 15)

You can request a copy of all personal data we hold about you.

How: Email support@auditbeam.eu with subject "Data Access Request"

7.2 Right to Rectification (Art. 16)

You can update incorrect or incomplete data.

How: Update in your account settings, or email us

7.3 Right to Erasure / "Right to be Forgotten" (Art. 17)

You can request deletion of your account and all associated data.

How: Email support@auditbeam.eu with subject "Delete My Account"
Timeline: We will delete your data within 30 days

7.4 Right to Data Portability (Art. 20)

You can request your data in a machine-readable format (JSON).

How: Email support@auditbeam.eu with subject "Data Export Request"
Timeline: We will provide your data within 30 days

7.5 Right to Object (Art. 21)

You can object to processing based on legitimate interest.

7.6 Right to Restrict Processing (Art. 18)

You can request that we temporarily stop processing your data.

7.7 Right to Withdraw Consent

For processing based on consent (e.g., marketing emails), you can withdraw at any time.

7.8 Right to Lodge a Complaint

If you believe we've violated your privacy rights, you can file a complaint with:

Spanish Data Protection Authority (AEPD)
Website: www.aepd.es
Or your local EU data protection authority

8. Cookies and Tracking

8.1 Essential Cookies

We use session cookies to keep you logged in. These are essential for the Service to function and cannot be disabled.

  • Cookie name: session
  • Purpose: Authentication
  • Duration: 12 hours (or until logout)
  • Type: First-party, HttpOnly, Secure

8.2 Analytics Cookies

We currently do not use analytics or tracking cookies (e.g., Google Analytics).

If we add analytics in the future, we will:

  • Update this Privacy Policy
  • Ask for your consent via a cookie banner
  • Use privacy-friendly analytics (e.g., Plausible, not Google Analytics)

8.3 Third-Party Cookies

We do not use third-party cookies.

9. Children's Privacy

The Service is not intended for children under 18. We do not knowingly collect data from children. If you believe we've collected data from a child, contact us immediately.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Email to your registered address
  • Notice in the dashboard
  • Updating the "Last updated" date at the top

Continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

11. Contact Us

For privacy questions, data requests, or to exercise your GDPR rights:

Email: support@auditbeam.eu
Data Controller: Francisco Javier Pulido Vergara
Location: Seville, Spain

Full legal address: Available upon request for GDPR compliance purposes.
We will respond to all requests within 30 days as required by GDPR.

Your Privacy Matters

We're committed to protecting your privacy. Your data stays in the EU, we never sell it, and you have full control. Questions? Email us at support@auditbeam.eu