Privacy Policy

This Privacy Policy explains how Audicity Inc. (“Audicity”, “we”, “us”, “our”) collects, uses, and protects personal information when you visit audicity.io (the “Site”) or contact us through it.

We are committed to processing personal information lawfully, fairly, and transparently. This policy is written to reflect what we actually do, not to describe practices we do not have. Where this policy describes a category of data, processing, or sharing, that category exists. Where this policy is silent on a practice, that practice does not occur.

We are the controller of any personal information we collect through the Site within the meaning of the General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”), the United Kingdom General Data Protection Regulation (the “UK GDPR”), and applicable United States privacy laws including the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, the “CCPA”).

We collect personal information only through two channels: the contact form and the brief submission form on our Site. We do not run analytics, we do not use tracking cookies, and we do not collect data through any other means on the Site.

Contact form. When you submit the contact form, we collect the information you provide, which typically includes your name, email address, and the content of your message.

Brief submission form. When you submit a brief through the Site, we collect the information you provide, which typically includes your name, email address, your organisation, and the details of the project or engagement you are enquiring about.

Server logs. Like any internet service, our hosting provider maintains technical server logs for the purpose of operating the Site and protecting it against abuse. These logs contain limited technical information including IP addresses, timestamps, and request data. They are retained for a short period and used solely for security and operational purposes.

Cookies. The Site uses only strictly necessary cookies required for the Site to function correctly, including session and security cookies. We do not set analytics cookies, advertising cookies, or any other cookies that track you across the Site or to other sites. Because we do not use non-essential cookies, no cookie consent banner is required under Article 22 of the ePrivacy Directive or its UK equivalent.

We do not collect special category personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation) and we ask that you do not include such information in any communications you send to us.

We process personal information for the following purposes only:

To respond to your enquiry or brief. When you submit a form, we process the information you provide in order to respond to you, evaluate the potential engagement, and conduct any necessary pre-contractual discussions. The lawful basis under the GDPR and UK GDPR is Article 6(1)(b), performance of a contract or steps taken at the request of the data subject prior to entering into a contract.

To operate and protect the Site. Server logs are processed for the purpose of operating the Site securely and protecting it against unauthorised access or abuse. The lawful basis is Article 6(1)(f), legitimate interests, specifically our legitimate interest in operating the Site securely. We have considered the rights and interests of data subjects and assessed that this processing does not override them.

To comply with legal obligations. Where we are required to retain or disclose personal information by law, we will do so. The lawful basis is Article 6(1)(c), compliance with a legal obligation.

We do not use personal information for marketing purposes. We do not profile data subjects. We do not make automated decisions with legal or similarly significant effects.

Within Audicity. Personal information submitted through the Site is received by authorised personnel of Audicity Inc. and is used only for the purposes described in Section 3.

Outside Audicity. We do not sell personal information. We do not share personal information with third parties for marketing or advertising purposes. We do not use third-party form processors, third-party CRMs, or third-party analytics providers. Form submissions are delivered directly to Audicity’s own email infrastructure.

The only third parties with potential access to personal information are:

• Our hosting provider, which operates the infrastructure on which the Site runs and may have technical access to data transiting that infrastructure. They act as a data processor on our behalf and are bound by contractual confidentiality and data protection obligations.
• Our email provider, through which form submissions are received and stored. They act as a data processor on our behalf and are bound by contractual confidentiality and data protection obligations.
• Legal, accounting, or professional advisors, where access is necessary for them to provide services to us under duties of confidentiality.
• Law enforcement, regulators, or courts, where we are legally required to disclose information.

Audicity is a United States entity, and personal information submitted through the Site is processed in the United States. If you are located in the European Economic Area, the United Kingdom, or another jurisdiction whose data protection laws restrict international transfers, you should understand that submitting information to us involves a transfer of personal data outside your jurisdiction to the United States.

We rely on the following transfer mechanisms for personal information transferred from the EEA or UK to the United States:

• For transfers from the EEA, we rely on the European Commission’s adequacy decision for the EU-U.S. Data Privacy Framework where applicable, and on the Standard Contractual Clauses approved by the European Commission as a fallback.
• For transfers from the UK, we rely on the UK Extension to the EU-U.S. Data Privacy Framework where applicable, and on the UK International Data Transfer Agreement or the UK Addendum to the Standard Contractual Clauses as a fallback.

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, including any legal, accounting, or reporting requirements.

Form submissions that result in an engagement. Personal information is retained for the duration of the engagement and for seven years thereafter, in line with our legal and accounting record-keeping obligations.

Form submissions that do not result in an engagement. Personal information is retained for twenty-four months from the date of submission, after which it is deleted or anonymised. We retain it for this period because commercial discussions in our sector often resume after extended periods and earlier deletion would harm legitimate prospective relationships.

Server logs. Retained for ninety days from creation, after which they are deleted or anonymised.

We will retain personal information for longer than the periods stated above only where we are required to do so by law, where it is necessary to establish, exercise, or defend legal claims, or where you have specifically requested that we do so.

The rights available to you depend on your jurisdiction.

7.1 If you are in the EEA or the United Kingdom

Under the GDPR and the UK GDPR, you have the following rights:

• Right of access (Article 15): to obtain confirmation of whether we are processing your personal data and, if so, to receive a copy of that data and information about the processing.
• Right to rectification (Article 16): to have inaccurate personal data corrected and incomplete personal data completed.
• Right to erasure (Article 17): to have your personal data deleted where one of the grounds in Article 17(1) applies.
• Right to restriction of processing (Article 18): to have processing of your personal data restricted in certain circumstances.
• Right to data portability (Article 20): to receive your personal data in a structured, commonly used, machine-readable format, where the processing is based on consent or contract and carried out by automated means.
• Right to object (Article 21): to object to processing based on legitimate interests, including profiling.
• Right to lodge a complaint with a supervisory authority (Article 77): if you believe our processing infringes the GDPR or UK GDPR, you may complain to the supervisory authority in your country of residence, place of work, or place of the alleged infringement. In the United Kingdom, this is the Information Commissioner’s Office (ico.org.uk).

To exercise any of these rights, contact us using the details in Section 10. We will respond within one month of receipt of your request, as required by Article 12(3), and may extend this by two further months for complex or numerous requests, in which case we will notify you within the first month.

7.2 If you are in California

Under the CCPA, you have the following rights:

• Right to know what personal information we have collected about you, including the categories, sources, purposes, and recipients.
• Right to delete personal information we have collected from you, subject to certain exceptions.
• Right to correct inaccurate personal information.
• Right to opt out of the sale or sharing of personal information. We do not sell or share personal information as those terms are defined under the CCPA, so this right does not produce any change in our processing, but you may still exercise it.
• Right to limit the use of sensitive personal information. We do not collect sensitive personal information as defined under the CCPA.
• Right to non-discrimination for exercising your rights.

To exercise these rights, contact us using the details in Section 10. We will verify your identity before responding to substantive requests, as required by the CCPA regulations.

7.3 If you are in another jurisdiction

If you are in a jurisdiction with comprehensive privacy laws not covered above (including but not limited to Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Montana), comparable rights may apply. Contact us using the details in Section 10 and we will respond in accordance with applicable law.

We implement appropriate technical and organisational measures to protect personal information against unauthorised access, alteration, disclosure, or destruction, including:

• Encryption of data in transit using TLS.
• Access controls limiting personnel access to personal information to those who require it.
• Hosting infrastructure with industry-standard physical and logical security controls.
• Email infrastructure with multi-factor authentication enforced for all accounts.
• Regular review of access permissions and security practices.

No system of electronic transmission or storage can be guaranteed to be one hundred percent secure. While we apply reasonable measures, we cannot guarantee the absolute security of personal information transmitted to or stored by us.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, we will notify the relevant supervisory authority without undue delay and, where feasible, within seventy-two hours of becoming aware of the breach, as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk, we will also notify affected data subjects in accordance with Article 34.

The Site is directed at businesses and professionals, not at children. We do not knowingly collect personal information from individuals under the age of sixteen. If we become aware that we have collected personal information from a child without parental consent, we will delete it.

For any question about this policy, to exercise any of the rights described above, or to raise any concern about how we handle personal information, contact us:

We may update this policy from time to time. The effective date at the top of this policy indicates when it was last revised. Material changes will be communicated by posting a notice on the Site. Continued use of the Site or continued communication with us after changes take effect constitutes acceptance of the revised policy.

For material changes that affect existing data subjects (for example, changes to how we use information you have already submitted), we will provide notice and, where required by law, obtain consent.

This Privacy Policy is governed by and construed in accordance with the laws of the State of Wyoming and the United States, except where the rights of data subjects under the GDPR, UK GDPR, CCPA, or other applicable privacy laws provide otherwise. Nothing in this policy excludes or limits any right that cannot be excluded or limited under applicable law.