Effective Date: April 15, 2026 | Last Updated: April 22, 2026
This Privacy Policy describes how AuditXYZ, operated by LowerPlane, Inc. ("we," "us," or "our"), collects, uses, discloses, and protects your personal information when you visit www.auditxyz.com (the "Site") or use our services.
1. Information We Collect
Information You Provide Directly
- Contact information: Name, email address, phone number, and company name when you submit forms, request consultations, or subscribe to our newsletter.
- Lead qualification data: Framework interests, company size, compliance timeline, budget tier, and current compliance stage — collected through our consultation request forms.
- Communications: Messages, feedback, and correspondence you send to us.
Information Collected Automatically
- Usage data: Pages visited, time spent on pages, referral URLs, and navigation patterns. We use Plausible Analytics, a privacy-first analytics platform that does not use cookies and does not collect personally identifiable information.
- Device data: Browser type, operating system, screen resolution, and device type — collected in aggregate for performance optimization.
- IP-derived data: Approximate country of origin, derived from your IP address by Cloudflare. We do not store raw IP addresses except transiently for rate limiting (see the retention period in Section 6).
Information from Third Parties
We do not purchase personal data from third-party data brokers. We may receive information from auditor firms you request quotes from, limited to confirmation of engagement status.
2. How We Use Your Information
- Service delivery: To match you with auditors, provide compliance recommendations, and deliver requested guides and resources.
- Communication: To respond to inquiries, send consultation matches, and deliver newsletter content you opted into.
- Lead routing: To connect you with relevant auditor firms or compliance tool vendors based on your stated needs. Leads routed to LowerPlane, Inc. are disclosed — see Section 5.
- Site improvement: To analyze aggregate usage patterns, identify content gaps, and improve performance.
- Fraud prevention: To detect and prevent spam via rate limiting, honeypot fields, and Cloudflare Turnstile.
We do not sell data to brokers, use targeted advertising, or make automated decisions with legal effects.
3. Legal Basis for Processing (GDPR)
For EEA, UK, or Swiss residents:
| Purpose | Legal Basis |
|---|---|
| Responding to inquiries / delivering services | Contract performance |
| Newsletter | Consent (withdrawable anytime) |
| Analytics (Plausible) | Legitimate interest (privacy-preserving, no cookies) |
| Fraud prevention | Legitimate interest |
| Lead routing to requested auditors | Contract performance |
4. Data Sharing and Disclosure
We share data only in these cases:
- Auditor matching: When you request a consultation, we share your details with the relevant firm(s). You are informed before submission.
- LowerPlane, Inc.: Compliance automation leads may be shared with our parent company. This is disclosed on forms.
- Service providers: Cloudflare (hosting, D1 database), Resend (email), and Plausible (analytics), each under a data processing agreement (DPA).
- Legal requirements: If required by law or court order.
We do not sell data or share with advertising networks.
5. LowerPlane, Inc. Relationship Disclosure
AuditXYZ is operated by LowerPlane, Inc., which also operates a compliance automation platform. Tool recommendations follow our published methodology at /methodology. LowerPlane is scored identically to all other tools. Lead routing is disclosed on forms. The /methodology page explains the ownership relationship.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Lead form submissions | 24 months, then deleted |
| Newsletter subscriptions | Until unsubscribe, deleted within 30 days |
| Rate-limiting records | 24 hours, auto-purged |
| Analytics (Plausible) | Aggregate only, no personal data |
7. Your Rights
GDPR Rights (EEA/UK/Switzerland)
The rights of access, rectification, erasure, restriction of processing, data portability, objection to processing, and withdrawal of consent.
CCPA/CPRA Rights (California)
The rights to know, to delete, to opt out of sale (we do not sell personal data), and to non-discrimination for exercising these rights.
Exercising Rights
Email [email protected]. We respond within 30 days (GDPR) or 45 days (CCPA). We may require identity verification before acting on a request.
8. Cookies and Tracking
| Cookie | Purpose | Duration |
|---|---|---|
| auditxyz-cookie-consent | Cookie consent choice | Persistent |
| theme | Light/dark mode preference | Persistent |
We use Plausible Analytics, which sets no cookies and performs no cross-site tracking, and which Plausible states is GDPR, CCPA and PECR compliant. We do not use Google Analytics, Facebook Pixel, or advertising trackers.
9. Data Security
- HTTPS/TLS 1.3 encryption in transit
- Cloudflare D1 encrypted at rest
- Access controls and audit logging
- Cloudflare DDoS protection and WAF
- Regular security reviews
10. International Data Transfers
Data is processed in the US and the EU on Cloudflare's network. Cloudflare is certified under the EU-US Data Privacy Framework and offers Standard Contractual Clauses for transfers out of the EEA, UK, and Switzerland.
11. Children's Privacy
The Site is not directed at individuals under 16. We do not knowingly collect personal data from children; if you believe a child has provided us with personal data, contact us at the address in Section 13 and we will delete it.
12. Changes to This Policy
Material changes will be posted on this page with an updated "Last Updated" date. Please review this policy periodically.
13. Contact
- Email: [email protected]
- Entity: LowerPlane, Inc.
- Website: www.auditxyz.com