Privacy Policy
Effective date: 2 July 2026 · Node Logic, trading as AuditSchedule
1. Data Controller
The controller of your personal data is:
Node Logic, trading as AuditSchedule
Keurenplein 41, Box C3118
1069 CD Amsterdam, the Netherlands
KVK: 42046427
Email: support@auditschedule.com
Node Logic has assessed that appointment of a Data Protection Officer (DPO) is not currently required under GDPR Art. 37(1). We review this assessment if our processing activities, customer base, or risk profile materially change. Should a DPO become required, contact details will be published here.
2. Data We Collect and Why
2.1 Website visitors
We measure aggregate usage of our public website to understand overall traffic. We do not use third-party analytics services, advertising networks, or social media tracking pixels, and we never store your IP address or full user-agent. For each public page request we record only the page path, an external referring website (where present), and a one-way hashed visitor token, as described below.
By default (no analytics cookie): the visitor token is a daily, one-way hash derived from your IP address and browser type. The daily salt means it cannot be linked to you across days or reversed, producing anonymous aggregate statistics such as page views and approximate per-day unique-visitor counts. Legal basis: Art. 6(1)(f) GDPR - our legitimate interest in understanding overall website usage; because the data is anonymous, no consent is required.
If you accept analytics cookies: we set a first-party cookie (as_vid) containing a random identifier, and the visitor token becomes a stable one-way hash of that identifier. This lets us count unique and returning visitors more accurately. We store only the hashed token, never the raw identifier, and it is not linked to any workspace account. Legal basis: Art. 6(1)(a) GDPR - your consent, which you give on the cookie notice and can withdraw at any time by clearing the cookie in your browser; see our Cookie Policy. Ordinary website visits are not used to create marketing prospect records.
2.2 Marketing contacts and prospects
We may process business contact information collected independently of website visits, such as company name, contact name, business email address, notes, campaign recipient records, unsubscribe status, and email interaction events such as opens, registration-link clicks, and unsubscribe clicks.
Purpose: business-to-business outreach, campaign administration, measuring whether a message was delivered or engaged with, and respecting unsubscribe requests. Legal basis: Art. 6(1)(f) GDPR - our legitimate interest in relevant B2B marketing, unless consent or another legal basis is required by applicable law. You may object or unsubscribe at any time using the unsubscribe link in our emails or by contacting us.
2.3 Registered workspace users
When you create or use an AuditSchedule workspace, we process:
- Identity and authentication data - name, email address, authentication provider, password-based account data where used, password reset status, and workspace access settings
- Workspace data - people records (name, email, team, role, city, country, colour, active status), project assignments, events, capabilities, certifications, leave and travel entries, and role/permission settings configured by you or your administrator
- Audit log data - in-app changelog recording the user name, email, action type, affected entity, and timestamp of changes made in the workspace
- Billing data - billing contact details, subscription status, invoice metadata, and Stripe customer/subscription IDs. Payment card details are held by Stripe and are not stored on our servers.
Legal basis: Art. 6(1)(b) GDPR - processing is necessary for the performance of the contract to provide the AuditSchedule service. Some security, billing, and audit-log processing may also be based on legal obligations or legitimate interests.
2.4 Customer-controlled sensitive data
AuditSchedule is not designed to require special categories of personal data under GDPR Art. 9, such as health information. Customers control the content entered into workspace notes, leave records, travel records, and other free-text fields. Customers should avoid entering special-category data unless they have a lawful basis and appropriate safeguards. If special-category data is entered, the Customer remains responsible for determining the lawful basis and any required data protection impact assessment (DPIA); Node Logic will provide reasonable processor assistance as described in the Terms.
2.5 In-app help assistant (AI)
AuditSchedule includes an optional in-app help assistant that answers questions about how the product works. When you send it a message, only the text you type is transmitted to our AI sub-processor (Anthropic), together with our fixed product manual. No workspace data - people, projects, allocations, leave, travel, capabilities, or any records stored in AuditSchedule - is sent to the assistant, and the assistant is read-only: it can explain features and suggest a page to open, but it cannot see or change your data. Anthropic processes the message solely to generate a reply and, under its commercial terms, does not use inputs or outputs submitted through its API to train its models. Legal basis: Art. 6(1)(b) GDPR - processing necessary to provide the help feature you request.
3. Cookies and Local Storage
We use cookies and local storage that are strictly necessary to authenticate users, maintain sessions, remember a selected remember-me duration, and remember your cookie choice. With your consent we also set a single first-party analytics cookie to measure website visits more accurately; it is optional, set only after you opt in, and can be withdrawn at any time. We do not use advertising or cross-site tracking cookies. See our Cookie Policy for the full list.
4. Sub-processors and Service Providers
We use the following providers to deliver, secure, and administer AuditSchedule:
| Provider | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase | Database, authentication, and file/session infrastructure | EU (Frankfurt) | EU hosting and data processing terms |
| Stripe | Checkout, payment processing, invoicing, tax and subscription records | US / global | Standard Contractual Clauses and Stripe data processing terms |
| Resend | Transactional email, password/reset emails, import-error reports, and marketing email delivery | US | Standard Contractual Clauses and data processing terms |
| Optional Google OAuth sign-in | US / global | Standard Contractual Clauses and Google data processing terms | |
| Upstash | Rate limiting for signup, password reset, and other security-sensitive endpoints where configured | Cloud region configured by Node Logic | Data processing terms and applicable transfer safeguards |
| Anthropic | Powers the in-app AI help assistant; receives only the message you type plus our product manual, never workspace data | US | Standard Contractual Clauses and Anthropic commercial/data processing terms; API data is not used for model training |
| jsDelivr | Delivery of public Bootstrap and icon assets used by the application interface | Global CDN | Public asset delivery; no workspace content is sent intentionally |
5. International Data Transfers
Where personal data is transferred to providers outside the European Economic Area (EEA), we use appropriate safeguards such as Standard Contractual Clauses adopted by the European Commission pursuant to Art. 46(2)(c) GDPR, supplemented by provider security commitments where required.
6. Data Retention
| Data | Retention period |
|---|---|
| Account data (name, email, authentication records) | Until account deletion; purged from backups within 30 days where technically feasible |
| Workspace data (people, projects, events, leave, travel, capabilities, certifications) | Until the organisation's workspace is deleted, subject to any agreed export period |
| Audit log / changelog | Up to 2 years from creation unless a shorter period is configured or required |
| Website page-view statistics (anonymous, or pseudonymous where you accept analytics cookies; aggregate) | Configurable; 180 days by default, after which records are deleted automatically |
| Help assistant messages sent to our AI sub-processor | Deleted by the sub-processor within 30 days by default; not used for model training |
| Billing records | 7 years where required by Dutch fiscal retention rules |
| Marketing prospect and campaign data | Until no longer needed for B2B outreach, until objection/unsubscribe where applicable, or up to 2 years after the last campaign interaction |
7. Your Rights
As a data subject in the EEA, you have the following rights under the GDPR:
- Access - request a copy of personal data we hold about you
- Rectification - request correction of inaccurate or incomplete data
- Erasure - request deletion of your personal data ("right to be forgotten")
- Data portability - receive your data in a structured, commonly used, machine-readable format
- Restriction - request that we limit how we process your data in certain circumstances
- Object - object to processing based on legitimate interests, including B2B marketing
To exercise any of these rights, email support@auditschedule.com. We will respond without undue delay and in any event within one month of receipt. We may ask you to verify your identity before acting on your request. For workspace data where a Customer is the controller, we may forward your request to that Customer.
8. Children
AuditSchedule is not directed at individuals under the age of 16. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us so we can delete it promptly.
9. Supervisory Authority
You have the right to lodge a complaint with the Dutch data protection supervisory authority:
Autoriteit Persoonsgegevens (AP)
Bezuidenhoutseweg 30, 2594 AV Den Haag
www.autoriteitpersoonsgegevens.nl
10. Changes to This Policy
If we make material changes to this policy, we will notify affected users by email or via an in-app notice at least 14 days before the changes take effect where practicable. The effective date at the top of this page will reflect the most recent version.
Questions? support@auditschedule.com · Terms of Service · Cookie Policy ·