Privacy Policy
Last Updated: March 26, 2026
1. Introduction
Welcome to PonoAudit, LLC ("PonoAudit," "we," "us," or "our"). We are committed to protecting the privacy and security of the personal and business information entrusted to us by our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application, mobile application, and related services (collectively, the "Services").
PonoAudit provides a security and IT auditing platform that enables organizations to manage, track, and conduct security assessments and IT audits. Given the sensitive nature of the data involved in security auditing, we take your privacy extremely seriously.
By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use our Services.
2. Information We Collect
We collect information through various means when you interact with our Services. The types of information we collect fall into the following categories:
2.1 Information You Provide Directly
- Account Registration Information: Your name, email address, password (stored in hashed form), job title, company name, and phone number.
- Organization and Business Data: Company details, department information, team structures, and organizational hierarchies relevant to audit management.
- Audit Data: Security assessment records, IT audit findings, compliance documentation, risk assessments, remediation plans, vulnerability reports, and related audit artifacts that you upload or create within the platform.
- Communications: Messages, feedback, support requests, and any other content you send to us or share through the platform.
- Profile Information: Profile photos, biographical details, role assignments, and preferences you configure in your account settings.
2.2 Information Collected Automatically
- Device and Browser Information: Device type, operating system, browser type and version, screen resolution, and unique device identifiers.
- Usage Data: Pages visited, features used, actions taken within the platform, time spent on each page, clickstream data, and interaction patterns.
- Log Data: IP addresses, access times, referring URLs, error logs, and server response information.
- Location Data: General geographic location derived from your IP address (we do not collect precise GPS location unless you explicitly enable it on mobile).
- Cookies and Tracking Technologies: Information collected through cookies, web beacons, pixels, and similar technologies (see Section 8 for details).
2.3 Information from Third-Party Sources
- Single Sign-On (SSO) Providers: When you authenticate via Google SSO or other identity providers, we receive your name, email address, and profile picture as authorized by your identity provider settings.
- Cloud Service Integrations: If you connect third-party cloud services (such as AWS, Azure, or GCP) to PonoAudit for audit purposes, we may receive metadata and configuration data necessary to perform security assessments.
- AI and Analytics Partners: We may receive aggregated analytics data from third-party service providers who help us understand usage patterns and improve our Services.
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 Service Delivery and Operations
- To create and manage your account and authenticate your identity.
- To provide, operate, maintain, and improve our security and IT auditing platform.
- To process and manage audit workflows, generate reports, and track remediation activities.
- To enable collaboration between team members within your organization.
3.2 AI-Powered Features
- To power AI-assisted audit analysis, risk scoring, and recommendation features using integrated AI/ML services.
- To provide intelligent suggestions for audit findings and remediation steps.
- To enhance search, categorization, and reporting capabilities through natural language processing.
Important: Your proprietary audit data is not used to train general-purpose AI models. AI processing is performed solely to deliver Services to you, and your data remains isolated from other customers’ data.
3.3 Communication
- To send service-related notifications, updates, and alerts.
- To respond to your support requests and inquiries.
- To send marketing communications (with your consent, where required by law).
3.4 Analytics and Improvement
- To analyze usage patterns and trends to improve the user experience.
- To conduct research and development for new features and services.
- To monitor and improve the performance, security, and reliability of our Services.
3.5 Legal and Compliance
- To comply with applicable laws, regulations, and legal processes.
- To enforce our Terms of Service and other agreements.
- To protect the rights, property, and safety of PonoAudit, our users, and the public.
4. Legal Bases for Processing
We process your personal information based on the following legal grounds:
- Contractual Necessity: Processing is necessary to perform our contract with you (e.g., providing the Services you requested).
- Legitimate Interests: Processing is necessary for our legitimate business interests, such as improving our Services, preventing fraud, and ensuring security, provided these interests are not overridden by your rights.
- Consent: Where we rely on your consent, you have the right to withdraw it at any time without affecting the lawfulness of processing based on consent before withdrawal.
- Legal Obligation: Processing is necessary to comply with a legal obligation to which we are subject.
5. Data Sharing and Disclosure
We do not sell your personal information. We may share your information in the following limited circumstances:
5.1 Service Providers and Subprocessors
We engage trusted third-party service providers who perform services on our behalf, including:
- Cloud hosting and infrastructure providers (e.g., Amazon Web Services, Google Cloud Platform).
- Authentication and identity management services (e.g., Google SSO).
- AI and machine learning service providers for powering intelligent audit features.
- Analytics and monitoring services for understanding and improving our platform.
- Email delivery and communication services.
All service providers are contractually obligated to process data only as instructed by us and to maintain appropriate security measures.
5.2 Within Your Organization
Information you provide may be visible to other authorized users within your organization’s PonoAudit account, based on the roles and permissions configured by your organization’s administrator.
5.3 Legal Requirements
We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to comply with applicable law, respond to a court order, judicial or regulatory subpoena, or similar legal process.
5.4 Business Transfers
If PonoAudit is involved in a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on our Services before your information becomes subject to a different privacy policy.
5.5 With Your Consent
We may share your information with third parties when you have given us explicit consent to do so.
6. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically:
- Account Information: Retained for the duration of your account and for up to 30 days after account deletion to allow for recovery.
- Audit Data: Retained in accordance with your organization’s data retention settings and applicable regulatory requirements. You or your organization administrator may delete audit data at any time.
- Usage and Analytics Data: Retained in anonymized or aggregated form for up to 24 months for analytical purposes.
- Communication Records: Support correspondence is retained for up to 36 months for quality assurance and legal purposes.
- Log Data: Server logs are retained for up to 12 months for security monitoring and incident response purposes.
When data is no longer required, it is securely deleted or anonymized in accordance with our data destruction procedures.
7. Data Security
Given the sensitive nature of security audit data, we implement robust technical and organizational measures to protect your information:
7.1 Technical Safeguards
- Encryption: All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption.
- Access Controls: Role-based access control (RBAC) following the principle of least privilege, multi-factor authentication (MFA), and session management.
- Infrastructure Security: Our cloud infrastructure is hosted in SOC 2 Type II certified data centers with network segmentation, intrusion detection, and continuous monitoring.
- Application Security: Regular penetration testing, static and dynamic code analysis, secure development lifecycle (SDLC) practices, and vulnerability management.
- Database Security: Encrypted database connections, parameterized queries to prevent injection attacks, and regular security patches.
7.2 Organizational Safeguards
- Employee background checks and security training for all personnel with access to customer data.
- Strict data access policies with audit logging of all administrative actions.
- Incident response plan with defined procedures for breach notification.
- Regular third-party security audits and compliance assessments.
- Data Processing Agreements (DPAs) with all subprocessors.
While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incident.
9. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights regarding your personal information:
9.1 General Rights
- Right to Access: You may request a copy of the personal information we hold about you.
- Right to Rectification: You may request correction of inaccurate or incomplete personal information.
- Right to Erasure: You may request deletion of your personal information, subject to certain legal exceptions.
- Right to Data Portability: You may request a machine-readable copy of your personal information.
- Right to Restrict Processing: You may request that we limit the processing of your personal information under certain circumstances.
- Right to Object: You may object to processing based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time.
9.2 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: You may request details about the categories and specific pieces of personal information collected, the sources of collection, the purposes for collection, and the categories of third parties with whom it is shared.
- Right to Delete: You may request deletion of personal information collected from you, subject to certain exceptions.
- Right to Opt-Out of Sale/Sharing: PonoAudit does not sell personal information. We do not share personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
- Right to Limit Use of Sensitive Personal Information: You have the right to limit the use of sensitive personal information to what is necessary to provide the Services.
9.3 European Economic Area, UK, and Swiss Residents (GDPR/UK GDPR)
If you are located in the EEA, UK, or Switzerland, you have the rights described in Section 9.1 above under the General Data Protection Regulation (GDPR) or UK GDPR. You also have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.
9.4 Exercising Your Rights
To exercise any of these rights, please contact us at privacy@ponoaudit.com. We will respond to your request within the timeframe required by applicable law (typically 30 days for GDPR and 45 days for CCPA requests). We may need to verify your identity before processing your request.
10. International Data Transfers
PonoAudit is operated from the United States. If you access our Services from outside the United States, your information may be transferred to, stored in, and processed in the United States or other countries where our service providers operate.
For transfers of personal data from the EEA, UK, or Switzerland, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, and other legally recognized transfer mechanisms.
We ensure that any international data transfer is subject to appropriate safeguards to protect your personal information in accordance with this Privacy Policy and applicable data protection laws.
11. Third-Party Integrations and Links
Our Services may integrate with third-party services and contain links to third-party websites or applications. This Privacy Policy does not apply to third-party services, and we are not responsible for the privacy practices of these third parties.
11.1 Single Sign-On (SSO)
When you use Google SSO or other identity providers to log in, we receive limited profile information as authorized by those providers. We encourage you to review the privacy policies of your identity provider to understand what information is shared with us.
11.2 Cloud Service Integrations
If you connect external cloud services to PonoAudit for audit purposes, the data exchanged is governed by both this Privacy Policy and the terms of the connected service. We only access the minimum data necessary to perform the requested audit functions.
11.3 AI Service Providers
We use third-party AI services to power certain intelligent features. Data sent to AI service providers is processed under strict data processing agreements and is not used to train their general-purpose models. We apply data minimization principles and, where possible, anonymize or pseudonymize data before AI processing.
12. Children’s Privacy
Our Services are not directed to individuals under the age of 18, and we do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take steps to delete such information promptly. If you believe a child has provided personal information to us, please contact us immediately at the email address provided below.
13. Data Breach Notification
In the event of a data breach that affects your personal information, we will notify you and the relevant supervisory authorities as required by applicable law. Our notification will include:
- The nature of the breach and the types of data affected.
- The measures we have taken or propose to take to address the breach.
- Recommendations for steps you can take to protect yourself.
- Contact information for our privacy team for further inquiries.
We aim to notify affected individuals within 72 hours of becoming aware of a qualifying breach, consistent with GDPR requirements and in compliance with all applicable breach notification laws.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy on our website and, where appropriate, sending you a notification via email or through the platform.
The "Last Updated" date at the top of this Privacy Policy indicates when it was most recently revised. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.
Your continued use of the Services after any changes to this Privacy Policy constitutes your acceptance of the updated terms.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
PonoAudit, LLC
Email: privacy@ponoaudit.com
Website: https://www.ponoaudit.com
For data protection inquiries in the European Economic Area, you may also contact our designated Data Protection Officer (DPO) at the email address above.
If you are not satisfied with our response to your privacy concern, you have the right to lodge a complaint with your local data protection authority.
16. Supplemental Notices
16.1 Mobile Application
When you use the PonoAudit mobile application, we may collect additional information specific to mobile use, including device identifiers, mobile network information, and push notification tokens. You can control push notification permissions and other mobile-specific data collection through your device settings.
16.2 Data Processor Role
When PonoAudit processes data on behalf of your organization (such as audit data uploaded by your company), we act as a data processor under GDPR. Your organization is the data controller and is responsible for ensuring it has appropriate legal bases for processing the data it submits to our platform. We process such data only as instructed by your organization and in accordance with our Data Processing Agreement.
16.3 Aggregate and De-Identified Data
We may create aggregate or de-identified data from the information we collect. Aggregate and de-identified data is not considered personal information and may be used for any lawful purpose, including research, analytics, and improving our Services.
16.4 Do Not Track Signals
Our Services do not currently respond to "Do Not Track" (DNT) signals from web browsers. However, you can manage your tracking preferences through the cookie settings described in Section 8.