
Privacy Policy

Last updated: 2026-02-28

1. Introduction

Bunch Audit ("we", "us", "our") provides automated ISO 27001 evidence mapping and documentation support tools. This Privacy Policy explains how we collect, use, and protect personal and uploaded data.

2. Data We Collect

We collect:

  • Account information (email address, password hash)
  • Uploaded documents provided for audit analysis
  • Payment information (processed securely via Stripe)
  • Technical usage data (logs, timestamps, IP address)

We do not collect payment card details directly.

3. Purpose of Processing

We process data to:

  • Provide ISO 27001 evidence mapping services
  • Generate audit exports
  • Process payments
  • Send transactional emails (verification, export-ready notifications)

4. File Storage

Uploaded documents are stored in secure S3-compatible object storage.

  • Storage provider: [AWS S3 / specify region]
  • Files are private and accessible only via presigned URLs
  • Access is restricted per authenticated user

5. AI Processing

If AI-assisted evaluation is enabled, excerpts of uploaded documents may be processed by the OpenAI API for evidence analysis.

We do not use customer data to train models.

6. Retention

  • Audit exports are automatically deleted after 3 days.
  • Uploaded files remain stored until deleted by the user.
  • Users may delete files at any time.
  • Account data may be deleted upon request.

7. Security

We implement:

  • Encrypted connections (HTTPS)
  • Password hashing with bcrypt
  • JWT-based authentication
  • File ownership enforcement
  • Stripe webhook signature validation
  • Private object storage with presigned access

8. Third-Party Processors

We use:

  • Stripe (payment processing)
  • AWS S3 or compatible storage provider
  • Resend (transactional email delivery)
  • OpenAI (optional AI evidence analysis)

Each provider processes data according to its own privacy terms.

9. Legal Basis (EU GDPR)

We process personal data based on:

  • Contract performance
  • Legitimate interest
  • Legal obligations

10. Your Rights

Under GDPR, you may request:

  • Access to your data
  • Correction
  • Deletion
  • Restriction of processing

Contact: support@bunchaudit.org

11. Contact

Bunch Audit

Email: support@bunchaudit.org