Auctra ("Auctra", "we", "us") respects your privacy. This Privacy Policy describes how we collect, use, disclose, and protect personal data when you visit auctra.tech, use the operator console at console.auctra.tech, integrate with our API or SDK, or contact us.
This policy should be read together with our Terms of Service, Cookie Policy, and Security page.
1. Who we are
Auctra is the data controller for personal data collected through our marketing website and for account administration data needed to operate the Services. For organization content you submit through the Services (see Section 2), your organization is typically the data controller and Auctra acts as a data processor, handling that content only to provide the Services per your instructions and our Terms.
Privacy contact: privacy@auctra.tech
2. Data we collect
- Account data: name, email, organization name, role, authentication identifiers, and invite metadata.
- Authority data: agent registrations, delegations, policies, action evaluations, approvals, sponsors, and audit events your organization creates in the product. This may include identifiers and metadata about third parties referenced in your workflows.
- Technical data: IP address, browser type, device information, request logs, API usage metadata, and error diagnostics.
- Website analytics: on auctra.tech only, aggregated page views and referral data via Google Analytics (see our Cookie Policy). We do not use Google Analytics on the operator console.
- Billing data: subscription plan, billing status, and transaction references. Payment card details are collected and stored by our payment processor, not by Auctra.
- Communications: support requests, sales inquiries, and email correspondence.
3. How we use data
- Provide, operate, secure, and improve the Services.
- Authenticate users, enforce role-based access, and prevent abuse.
- Process subscriptions, send transactional messages, and handle billing inquiries.
- Respond to support requests and communicate product updates.
- Comply with legal obligations and enforce our Terms and policies.
- Detect fraud, security incidents, and platform misuse.
- Analyze aggregated marketing-site traffic to improve content and performance.
We do not use your authority data or audit logs to train third-party AI models. We do not sell personal data.
4. Legal bases (EEA, UK, and Switzerland)
Where GDPR or equivalent law applies, we rely on the following bases:
- Contract: providing the Services, account management, and billing you request.
- Legitimate interests: securing the platform, preventing abuse, improving reliability, and limited marketing-site analytics, balanced against your rights.
- Consent: where required for non-essential cookies or optional communications; you may withdraw consent at any time.
- Legal obligation: tax, accounting, and lawful requests from authorities.
5. Sharing and subprocessors
We share personal data with service providers that process data on our behalf under contractual safeguards. Current subprocessors include:
- Supabase — Authentication, database, and encrypted data storage (United States)
- Vercel — Marketing website hosting and content delivery (United States)
- Render — Operator console, API, and application hosting (United States)
- Resend — Transactional email delivery (United States)
- Creem — Payment processing and merchant of record (Varies by transaction)
- Google Analytics — Aggregated website analytics on auctra.tech only (United States)
We may update subprocessors from time to time. Enterprise customers may request a Data Processing Addendum (DPA) covering processor obligations by contacting privacy@auctra.tech.
We may also disclose information if required by law, to protect rights and safety, in connection with a merger or acquisition, or with your direction (for example, integrations you configure).
6. International transfers
We are based in the United States. Data may be processed in the United States and other countries where our providers operate. Where required, we use appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms for transfers from the EEA, UK, or Switzerland.
7. Retention
We retain account and authority data while your organization maintains an active subscription or as needed to provide the Services. Audit logs may be retained for the period required by your plan, configuration, or applicable law. Backup copies may persist for a limited period after deletion. We retain billing and legal records as required for tax and compliance purposes.
You may request deletion of personal data subject to lawful retention requirements and technical constraints (for example, immutable audit chains your organization created).
8. Security
We implement technical and organizational measures described on our Security page, including encryption in transit, role-based access, and hash-chained audit integrity.
9. Your rights
Depending on your location, you may have rights to access, correct, delete, restrict, or port your personal data, and to object to certain processing. EEA, UK, and Swiss residents may lodge a complaint with their local supervisory authority.
California residents (CCPA/CPRA): You have the right to know what personal information we collect, request deletion or correction, and opt out of the sale or sharing of personal information. We do not sell personal information and do not share it for cross-context behavioral advertising as defined under California law. To exercise your rights, email privacy@auctra.tech. We will not discriminate against you for exercising these rights.
Organization members should contact their organization administrator for authority data controlled by your employer or customer. We will assist controllers with data subject requests where required by law.
10. Automated processing
Auctra's policy engine evaluates agent actions against rules you configure. Decisions may trigger human approval workflows. We do not make solely automated decisions that produce legal or similarly significant effects about individuals without human involvement in the approval paths you define.
11. Marketing communications
We may send product updates and optional marketing email to account holders. You can unsubscribe using the link in any marketing message or by contacting privacy@auctra.tech. Transactional messages (security alerts, billing, support) are not marketing and may continue while you use the Services.
12. Cookies and similar technologies
We use cookies, local storage, and similar technologies as described in our Cookie Policy.
13. Children
The Services are not directed to children under 18, and we do not knowingly collect personal data from children.
14. Data breaches
We maintain incident response procedures. If we become aware of a personal data breach likely to result in risk to your rights, we will notify affected customers and, where required, supervisory authorities without undue delay in accordance with applicable law.
15. Changes
We may update this Privacy Policy from time to time. Material changes will be posted on this page with a revised effective date. Where required, we will provide additional notice.
16. Contact
Privacy inquiries and data subject requests: privacy@auctra.tech
Auctra