GDPR Compliance

Last updated: 27 March 2026

LynxAudit is committed to full compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”). This page explains our obligations, your rights as a data subject, and how we handle personal data in accordance with GDPR requirements.

1. Data controller

LynxAudit acts as the data controller for personal data collected through our platform and website. As controller, we determine the purposes and means of processing your personal data.

For all GDPR-related matters, contact our data protection lead at: info@lynxaudit.com.

2. Data we process

As a data controller, we process:

  • Identity and contact data (name, email address)
  • Account credentials (securely hashed passwords)
  • Billing data (processed by Stripe as a separate controller)
  • Technical data (IP address, browser type, usage logs)
  • Audit input data (website URLs submitted for analysis)
  • Communications (support enquiries, feedback)

3. Lawful basis for processing

We rely on the following lawful bases under Article 6 GDPR:

  • Article 6(1)(b) — Contract: processing necessary to deliver the audit service you have contracted for.
  • Article 6(1)(a) — Consent: marketing emails and non-essential cookies, where you have given explicit consent.
  • Article 6(1)(f) — Legitimate interests: fraud prevention, platform security, and product improvement.
  • Article 6(1)(c) — Legal obligation: tax records, accounting obligations, and regulatory compliance.

4. Data subject rights

Under GDPR, you have the following rights. To exercise any of them, email info@lynxaudit.com:

  • Right of access (Art. 15) — request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17) — request deletion of your personal data (“right to be forgotten”).
  • Right to restriction (Art. 18) — request that we limit how we process your data.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent (Art. 7) — withdraw consent at any time where processing is consent-based.
  • Right not to be subject to automated decisions (Art. 22) — we do not use solely automated processing for decisions with significant legal effect.

We will respond to all verified requests within 30 days. In complex cases, we may extend this by a further 60 days, with notice.

5. Data processors

We use the following sub-processors under Data Processing Agreements (DPAs) in accordance with Article 28 GDPR:

  • OpenAI (USA) — AI processing of website content. Transfer basis: Standard Contractual Clauses (SCCs).
  • Supabase (USA) — database, authentication, and storage. Transfer basis: SCCs.
  • Stripe (USA) — payment processing. Independent controller for payment data.
  • Vercel (USA) — hosting and infrastructure. Transfer basis: SCCs.

6. International data transfers

Some of our processors are located outside the European Economic Area (EEA), primarily in the United States. All such transfers are made under appropriate safeguards as required by Chapter V GDPR — specifically, Standard Contractual Clauses (SCCs) as approved by the European Commission.

7. Data retention

  • Account data is retained for the duration of your account plus 12 months after closure.
  • Audit results are retained for the duration of your active subscription.
  • Billing records are retained for 7 years to comply with tax law.
  • Support communications are retained for 3 years.

8. Security measures

We implement appropriate technical and organisational measures (TOMs) to protect your data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Hashed and salted password storage
  • Role-based access control with least-privilege principles
  • Regular security reviews and dependency updates
  • Supabase Row Level Security (RLS) enforced on all data tables

9. Data breach notification

In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, as required by Article 33 GDPR. Where the breach is likely to result in high risk, we will also notify affected individuals without undue delay.

10. Supervisory authority

If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with your local supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (AP). You may also contact the supervisory authority in your country of residence.

11. Contact

For all GDPR-related queries, requests, or concerns: info@lynxaudit.com.