Mataki Labs LLC (“AuditStore,” “we,” “us,” or “our”), a Wyoming limited liability company, operates the auditstore.dev website, the AuditStore Cloud platform, and related services (collectively, the “Services”). This Privacy Policy explains how we collect, use, disclose, and protect information when you use our Services.

By using our Services, you agree to the collection and use of information as described in this policy.

Information We Collect

Information You Provide

When you create an account, subscribe to a plan, or contact us, we may collect:

  • Account information: Name, email address, password (hashed), and company or organization name
  • Billing information: Payment method details are collected and processed by our payment processor (Stripe). We do not store full credit card numbers on our servers.
  • Communications: Any information you include when you contact us via email or support tickets, including your name, email address, and message content
  • API keys and configuration: Ledger configurations, retention policies, legal hold settings, and other content you create through the Services
  • Audit event data: The Events your applications emit to the Services via the API or SDK, including actor identifiers, action names, resource identifiers, timestamps, metadata, and context fields. This data is stored in your Ledgers as immutable, hash-chained records.

Information Collected Automatically

When you use our Services, we automatically collect:

  • Usage data: API call volumes, event ingestion rates, query volumes, export activity, and feature usage metrics
  • Server logs: IP address, browser type and version, operating system, referring URL, pages visited, timestamps, and request/response metadata
  • Performance data: Page load times, API response latencies, event ingestion latencies, and error logs used to maintain service reliability
  • Device information: Device type, screen resolution, and timezone

How We Use Information

We use the information we collect to:

  • Provide and maintain the Services: Ingest audit events, compute hash chains, maintain Ledgers, execute queries, generate integrity proofs, process exports, manage your account, and handle billing
  • Hash chain and integrity operations: Compute SHA-256 chain hashes, build Merkle trees, and generate integrity proofs as part of the core functionality of the Services
  • Improve the Services: Analyze usage patterns to identify bugs, optimize performance, and develop new features
  • Ensure security: Detect and prevent fraud, abuse, and unauthorized access to accounts, Ledgers, or APIs
  • Communicate with you: Send transactional emails (account verification, billing receipts, usage alerts), respond to support requests, and provide product updates you have opted into
  • Comply with legal obligations: Respond to lawful requests from government authorities and comply with applicable laws

We do not sell your personal information to third parties.

Important: We process your audit event data solely to provide the Services. We do not mine, analyze, aggregate, or use the content of your Events for any purpose beyond event ingestion, hash-chain computation, query execution, integrity verification, and data export. Your audit trail is your data — we are custodians, not consumers.

Information Sharing and Disclosure

We share information only in the following circumstances:

Service Providers

We use third-party service providers to help operate our Services, including:

  • Stripe for payment processing
  • Cloud infrastructure providers (AWS) for hosting and data storage
  • Transactional email providers (Postmark) for account notifications

These providers access information only as necessary to perform their services and are bound by contractual obligations to protect your information. A complete list of sub-processors is maintained at auditstore.dev/legal/sub-processors.

Audit Event Data

We do not share, transmit, or expose your audit event data to any third party, except to the cloud infrastructure providers that host the Services. Your Events are stored encrypted at rest and are accessible only through the authenticated API using your API keys.

We may disclose information if required to do so by law or in response to valid legal process, including subpoenas, court orders, or government requests. We will notify you of such requests when legally permitted to do so.

Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on our website before your information becomes subject to a different privacy policy.

Data Retention

  • Audit events are retained according to your Ledger’s configured Retention Policy (30 days for Dev tier, 1 year for Launch, configurable for Scale, unlimited for Enterprise). When a Retention Policy triggers, events are archived to your specified cold storage destination and replaced with tombstone records that preserve hash-chain integrity.
  • Legal Holds override Retention Policies. Events under Legal Hold are retained regardless of the Ledger’s retention configuration until the hold is released.
  • Account data is retained for as long as your account is active. Upon account deletion, we will remove your personal information within 30 days, except where retention is required by law.
  • Billing records are retained for 7 years as required by applicable tax and accounting regulations.
  • Server logs are retained for 90 days for security and debugging purposes.

Data Security

We implement security measures designed for the compliance-grade nature of audit trail infrastructure:

  • Encryption at rest: All audit events and Ledger data are encrypted using AES-256 before storage.
  • Encryption in transit: All API communications use TLS 1.3. Older TLS versions are not supported.
  • Hash-chain integrity: Each Event is cryptographically linked to its predecessor via SHA-256. Any modification to a stored Event is detectable through chain verification.
  • Merkle tree proofs: Events are organized into Merkle trees enabling efficient, independently verifiable integrity proofs without downloading the entire chain.
  • Per-Ledger isolation: Ledgers are logically isolated at the database level. Cross-Ledger access requires explicit authorization.
  • Key management: Encryption keys are managed through cloud-native key management services with automatic rotation.
  • Access controls: Employee access to production systems is restricted, logged, and follows the principle of least privilege. Administrative access requires multi-factor authentication.
  • Events never logged: The content of audit events is never written to application logs, error reports, or monitoring systems.

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate or incomplete information
  • Delete your personal information (subject to legal retention requirements and the immutability of the audit ledger — note that Events in active Ledgers cannot be individually deleted due to hash-chain integrity constraints, but Ledgers themselves can be deleted upon account termination)
  • Export your data in a portable format, including all audit events via the API export functionality (JSON Lines, CSV, or Parquet)
  • Withdraw consent for optional data processing activities

To exercise any of these rights, contact us at privacy@auditstore.dev. We will respond to your request within 30 days. If we need additional time to fulfill your request, we will notify you of the delay and the reason for it.

Data Residency

By default, all data is stored in the United States (AWS us-east-1 and us-west-2). Enterprise customers may request custom data residency configurations to meet specific regulatory requirements.

Data residency is configured at the Ledger level and applies to all Events within that Ledger.

Cookies and Tracking

The AuditStore dashboard uses strictly necessary cookies to maintain your authenticated session. We do not use third-party advertising trackers, social media pixels, or cross-site tracking cookies. For more information, see our Cookie Policy at auditstore.dev/legal/cookies.

Children’s Privacy

Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

International Data Transfers

Mataki Labs LLC is based in the State of Wyoming, United States. If you access our Services from outside the United States, your information may be transferred to and processed in the United States, unless you have elected an alternative data residency option. By using our Services, you consent to such transfer and processing.

For customers who require specific transfer mechanisms (such as Standard Contractual Clauses), please contact us to discuss available options. See also our Data Processing Addendum at auditstore.dev/legal/dpa.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. For significant changes, we will provide additional notice via email to the address associated with your account.

Governing Law

This Privacy Policy is governed by the laws of the State of Wyoming, United States, without regard to its conflict of law provisions.

Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Mataki Labs LLC State of Wyoming Email: privacy@auditstore.dev