Foxy Audit is a compliance-evidence platform. The single most important thing to know: we never store the raw content of your AI prompts or responses. Our audit ledger records only a cryptographic SHA-256 fingerprint of each interaction plus the AI-judge's verdict โ enough to prove nothing was tampered with, without ever holding your sensitive text.
Who this covers
This policy describes how Foxy Audit ("we", "us") handles information for the customer dashboard at app.foxyaudit.tech, the marketing site at foxyaudit.tech, and the @foxy.audit SDK. It applies to account holders and the visitors of our sites.
What we collect
- Account & organization data โ your name, email, organization name, and role. If you sign in with Google, we store your Google account's stable identifier and verified email (never your Google password).
- API keys โ stored only as a salted HMAC-SHA256 hash; the plaintext key is shown to you once and never retained.
- Audit records โ for each AI interaction your SDK reports: a SHA-256 hash of the prompt, a SHA-256 hash of the response, token counts, a policy tag, the model/agent name, the AI-judge's verdict, and non-identifying signals about whether personal data patterns were detected. The raw prompt and response text are hashed on your side and are never transmitted to or stored by us.
- Usage & billing โ daily counts of logs, tokens, and breaches, plus billing records synced from Stripe.
- Security telemetry โ request metadata for rate-limiting and abuse prevention. Client IP addresses and user-agent strings are stored only as one-way hashes, never in raw form.
What we do NOT collect
- The raw text of your prompts or your AI models' responses.
- The contents of the data your AI systems process.
- We do not sell your data, and we do not use it to train models.
How we use it
- To run the service: build and verify your tamper-evident audit chain, grade interactions against your policy, and generate compliance passports.
- To operate accounts, authentication, billing, and support.
- To secure the platform (rate-limiting, abuse detection, tenant isolation).
Sub-processors we share data with
We use a small set of trusted providers strictly to deliver the service:
- Google (Gemini API) โ grades interaction metadata against your policy. Raw prompts/responses are not sent.
- Stripe โ payment processing and invoices.
- Google Identity โ optional "Sign in with Google".
- Brevo โ transactional email (verification, password resets, alerts).
- Cloud hosting โ the servers that run the platform.
Data retention
Audit records are retained for as long as your workspace is active so your compliance history stays intact. You can export your records at any time (the Compliance Passport) and delete your workspace, which removes access and schedules your data for deletion. Hashed security telemetry is retained for a limited window (by default 90 days) and then purged.
Security
- All traffic is encrypted in transit (TLS).
- Secrets and API keys are stored only as salted hashes; IPs/user-agents are hashed.
- Strict per-organization isolation is enforced at the database level (row-level security) as well as in application code.
- Optional public-chain anchoring lets you prove your ledger's integrity to an external, independent source.
Your rights & controls
- Access & export โ download your records via the Compliance Passport.
- Deletion โ delete your workspace from the dashboard.
- Data controls โ your organization's Policy settings let you configure PII handling and enforcement in the dashboard.
- Depending on your location, you may have additional rights (access, correction, erasure, portability). Contact us to exercise them.
Cookies
We use a single, first-party session cookie to keep you signed in. We do not use third-party advertising or cross-site tracking cookies.
Changes
We'll update this page when our practices change and revise the "last updated" date above. Material changes will be communicated to account holders.
Contact
Questions about privacy or a data request? Email privacy@foxyaudit.tech.