← AuditSchedule

Privacy Policy

Effective date: 2 July 2026  ·  Node Logic, trading as AuditSchedule


1. Data Controller

The controller of your personal data is:

Node Logic, trading as AuditSchedule
Keurenplein 41, Box C3118
1069 CD Amsterdam, the Netherlands
KVK: 42046427
Email: support@auditschedule.com

Node Logic has assessed that appointment of a Data Protection Officer (DPO) is not currently required under GDPR Art. 37(1). We review this assessment if our processing activities, customer base, or risk profile materially change. Should a DPO become required, contact details will be published here.

2. Data We Collect and Why

2.1 Website visitors

We measure aggregate usage of our public website to understand overall traffic. We do not use third-party analytics services, advertising networks, or social media tracking pixels, and we never store your IP address or full user-agent. For each public page request we record only the page path, an external referring website (where present), and a one-way hashed visitor token, as described below.

By default (no analytics cookie): the visitor token is a daily, one-way hash derived from your IP address and browser type. The daily salt means it cannot be linked to you across days or reversed, producing anonymous aggregate statistics such as page views and approximate per-day unique-visitor counts. Legal basis: Art. 6(1)(f) GDPR - our legitimate interest in understanding overall website usage; because the data is anonymous, no consent is required.

If you accept analytics cookies: we set a first-party cookie (as_vid) containing a random identifier, and the visitor token becomes a stable one-way hash of that identifier. This lets us count unique and returning visitors more accurately. We store only the hashed token, never the raw identifier, and it is not linked to any workspace account. Legal basis: Art. 6(1)(a) GDPR - your consent, which you give on the cookie notice and can withdraw at any time by clearing the cookie in your browser; see our Cookie Policy. Ordinary website visits are not used to create marketing prospect records.

2.2 Marketing contacts and prospects

We may process business contact information collected independently of website visits, such as company name, contact name, business email address, notes, campaign recipient records, unsubscribe status, and email interaction events such as opens, registration-link clicks, and unsubscribe clicks.

Purpose: business-to-business outreach, campaign administration, measuring whether a message was delivered or engaged with, and respecting unsubscribe requests. Legal basis: Art. 6(1)(f) GDPR - our legitimate interest in relevant B2B marketing, unless consent or another legal basis is required by applicable law. You may object or unsubscribe at any time using the unsubscribe link in our emails or by contacting us.

2.3 Registered workspace users

When you create or use an AuditSchedule workspace, we process:

Legal basis: Art. 6(1)(b) GDPR - processing is necessary for the performance of the contract to provide the AuditSchedule service. Some security, billing, and audit-log processing may also be based on legal obligations or legitimate interests.

2.4 Customer-controlled sensitive data

AuditSchedule is not designed to require special categories of personal data under GDPR Art. 9, such as health information. Customers control the content entered into workspace notes, leave records, travel records, and other free-text fields. Customers should avoid entering special-category data unless they have a lawful basis and appropriate safeguards. If special-category data is entered, the Customer remains responsible for determining the lawful basis and any required data protection impact assessment (DPIA); Node Logic will provide reasonable processor assistance as described in the Terms.

2.5 In-app help assistant (AI)

AuditSchedule includes an optional in-app help assistant that answers questions about how the product works. When you send it a message, only the text you type is transmitted to our AI sub-processor (Anthropic), together with our fixed product manual. No workspace data - people, projects, allocations, leave, travel, capabilities, or any records stored in AuditSchedule - is sent to the assistant, and the assistant is read-only: it can explain features and suggest a page to open, but it cannot see or change your data. Anthropic processes the message solely to generate a reply and, under its commercial terms, does not use inputs or outputs submitted through its API to train its models. Legal basis: Art. 6(1)(b) GDPR - processing necessary to provide the help feature you request.

3. Cookies and Local Storage

We use cookies and local storage that are strictly necessary to authenticate users, maintain sessions, remember a selected remember-me duration, and remember your cookie choice. With your consent we also set a single first-party analytics cookie to measure website visits more accurately; it is optional, set only after you opt in, and can be withdrawn at any time. We do not use advertising or cross-site tracking cookies. See our Cookie Policy for the full list.

4. Sub-processors and Service Providers

We use the following providers to deliver, secure, and administer AuditSchedule:

ProviderPurposeLocationSafeguard
SupabaseDatabase, authentication, and file/session infrastructureEU (Frankfurt)EU hosting and data processing terms
StripeCheckout, payment processing, invoicing, tax and subscription recordsUS / globalStandard Contractual Clauses and Stripe data processing terms
ResendTransactional email, password/reset emails, import-error reports, and marketing email deliveryUSStandard Contractual Clauses and data processing terms
GoogleOptional Google OAuth sign-inUS / globalStandard Contractual Clauses and Google data processing terms
UpstashRate limiting for signup, password reset, and other security-sensitive endpoints where configuredCloud region configured by Node LogicData processing terms and applicable transfer safeguards
AnthropicPowers the in-app AI help assistant; receives only the message you type plus our product manual, never workspace dataUSStandard Contractual Clauses and Anthropic commercial/data processing terms; API data is not used for model training
jsDelivrDelivery of public Bootstrap and icon assets used by the application interfaceGlobal CDNPublic asset delivery; no workspace content is sent intentionally

5. International Data Transfers

Where personal data is transferred to providers outside the European Economic Area (EEA), we use appropriate safeguards such as Standard Contractual Clauses adopted by the European Commission pursuant to Art. 46(2)(c) GDPR, supplemented by provider security commitments where required.

6. Data Retention

DataRetention period
Account data (name, email, authentication records)Until account deletion; purged from backups within 30 days where technically feasible
Workspace data (people, projects, events, leave, travel, capabilities, certifications)Until the organisation's workspace is deleted, subject to any agreed export period
Audit log / changelogUp to 2 years from creation unless a shorter period is configured or required
Website page-view statistics (anonymous, or pseudonymous where you accept analytics cookies; aggregate)Configurable; 180 days by default, after which records are deleted automatically
Help assistant messages sent to our AI sub-processorDeleted by the sub-processor within 30 days by default; not used for model training
Billing records7 years where required by Dutch fiscal retention rules
Marketing prospect and campaign dataUntil no longer needed for B2B outreach, until objection/unsubscribe where applicable, or up to 2 years after the last campaign interaction

7. Your Rights

As a data subject in the EEA, you have the following rights under the GDPR:

To exercise any of these rights, email support@auditschedule.com. We will respond without undue delay and in any event within one month of receipt. We may ask you to verify your identity before acting on your request. For workspace data where a Customer is the controller, we may forward your request to that Customer.

8. Children

AuditSchedule is not directed at individuals under the age of 16. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us so we can delete it promptly.

9. Supervisory Authority

You have the right to lodge a complaint with the Dutch data protection supervisory authority:

Autoriteit Persoonsgegevens (AP)
Bezuidenhoutseweg 30, 2594 AV Den Haag
www.autoriteitpersoonsgegevens.nl

10. Changes to This Policy

If we make material changes to this policy, we will notify affected users by email or via an in-app notice at least 14 days before the changes take effect where practicable. The effective date at the top of this page will reflect the most recent version.


Questions? support@auditschedule.com · Terms of Service · Cookie Policy ·