Privacy Policy

Last updated: 24/04/2026

The data controller is Ces Vincent Tejas, a sole proprietor based in Finland, trading as Merchant Audit. We take your privacy seriously and do not sell personal data.

What we collect

  • Account data: email, password hash, authentication tokens.
  • Audit data: URLs you submit and the resulting reports.
  • Usage logs: IP address, user-agent, and request timestamps, kept for security and abuse prevention.
  • Billing data: processed by Paddle (our Merchant of Record) — we receive transaction IDs and subscription status only, never your full card details.

How we use it

  • To deliver the audit service and store your reports
  • To send transactional emails (password resets, billing receipts)
  • To prevent fraud, abuse, and unauthorised access
  • To improve our checks and develop new features

Legal basis: contract performance (delivering the service you paid for), legitimate interests (security and product improvement), and consent (where required).

Crawling & third-party sites

When you submit a URL, our crawler fetches publicly accessible pages of that site to run checks. We respect robots.txt for non-essential paths. We do not collect personal data from those sites — only product/pricing/policy signals needed to compute your audit score.

Who we share data with

We share data with the following categories of recipients:

  • Paddle — our Merchant of Record for payments, subscription management, tax compliance, and invoicing
  • Lovable Cloud / Supabase — hosting, database, and authentication infrastructure
  • Authorities — only where required by law or valid legal process

We do not sell your data, and we do not use it for advertising or behavioural profiling.

Data retention

Audit reports are retained while your account is active. You can delete your account at any time by emailing us — we'll erase your audits and account data within 30 days, except where we are required to retain billing records by law.

Your rights

Depending on your jurisdiction, you have the right to access, rectify, erase, restrict processing, or port your personal data. UK/EEA users also have the right to object to processing, withdraw consent, and lodge a complaint with their supervisory authority. Email us and we'll respond within 30 days.

Security

Data is encrypted in transit (TLS) and at rest. Access to production systems is limited to authorised personnel and protected with multi-factor authentication. We follow industry-standard practices for managing secrets and credentials.

International transfers

Our infrastructure providers may process data outside your country. Where data is transferred outside the UK/EEA, we rely on Standard Contractual Clauses or adequacy decisions to ensure equivalent protection.

Cookies

We use only essential cookies needed to keep you signed in and to remember your session. We do not use marketing or third-party tracking cookies.

Contact

For privacy questions or to exercise your rights, email privacy@getmerchantaudit.com.