IT-AuditDirectory
Back to homepage

Privacy Policy

Last updated: March 2026

1. Data Controller

IT-Audit Directory (“we”, “us”, “our”) operates the website itauditdirectory.com (the “Platform”). We act as the data controller within the meaning of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 with respect to the personal data we process through the Platform.

For any questions regarding data protection you may contact us at: privacy@itauditdirectory.com.

2. Personal Data We Collect

We may collect and process the following categories of personal data:

a) Data you provide directly

  • Full name, email address, telephone number and company name (when submitting a quote request)
  • Name, email address, job title and company details (when creating or claiming an auditor profile)
  • Any additional information you voluntarily include in messages or forms

b) Data collected automatically

  • IP address (anonymised where technically feasible)
  • Browser type and version, operating system, device type
  • Pages visited, date and time of access, referring URL
  • Cookies and similar technologies (see Section 9)

c) Data from third parties

  • Publicly available company information from official registers (e.g. Companies House) used to populate auditor profiles

3. Legal Basis for Processing

We process your personal data on the following legal grounds (Article 6 UK GDPR):

  • Consent (Art. 6(1)(a)): Where you have given explicit consent, for example for non-essential cookies or marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
  • Performance of a contract (Art. 6(1)(b)): Processing necessary to perform the service you have requested, such as forwarding your quote request to the selected audit firm, or managing your auditor subscription.
  • Legitimate interests (Art. 6(1)(f)): Processing necessary for our legitimate interests, including platform security, fraud prevention, service improvement and website analytics, provided these interests are not overridden by your rights and freedoms.
  • Legal obligation (Art. 6(1)(c)): Processing necessary for compliance with a legal obligation to which we are subject, such as tax and accounting requirements.

4. Purposes of Processing

We process your personal data for the following specific purposes:

  • Facilitating and forwarding quote requests to the relevant audit firm(s)
  • Creating, managing and displaying auditor profiles on the Platform
  • Processing subscription payments and managing auditor accounts
  • Communicating with you about your account, requests or enquiries
  • Monitoring and improving the security, performance and functionality of the Platform
  • Generating anonymised, aggregated statistics for internal analysis
  • Complying with legal and regulatory obligations
  • Establishing, exercising or defending legal claims

5. Sharing of Personal Data

We may share your personal data with the following categories of recipients:

  • IT audit firms: When you submit a quote request, your contact details and the information you have provided in the request form are shared with the audit firm(s) you have selected. Those firms become independent data controllers for the data they receive.
  • Service providers (processors): Third-party providers who assist us in operating the Platform, including hosting (Supabase Inc., Railway Corp.), email delivery, payment processing, and analytics. These providers process data solely on our behalf and under contractual data processing agreements.
  • Professional advisers: Lawyers, accountants and insurers where necessary for legal, regulatory or insurance purposes.
  • Authorities: Government bodies or law enforcement agencies where required by law or to protect our legal rights.

We do not sell, rent or trade your personal data to any third party for marketing purposes.

6. International Data Transfers

Some of our service providers are based outside the United Kingdom. Where personal data is transferred to a country outside the UK that does not benefit from an adequacy decision by the Secretary of State, we ensure appropriate safeguards are in place, such as:

  • The International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses
  • Binding Corporate Rules where applicable

You may request a copy of the relevant safeguards by contacting us at the address above.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:

  • Quote request data: 12 months after submission, unless required longer for legal claims
  • Auditor account data: Duration of the subscription plus 24 months thereafter
  • Invoice and payment data: 7 years as required by tax legislation
  • Analytics data: Anonymised and aggregated; not considered personal data
  • Correspondence and support data: 24 months after the last communication

Upon expiry of the retention period, data is securely deleted or irreversibly anonymised.

8. Your Rights

Under the UK GDPR and the Data Protection Act 2018 you have the following rights:

  • Right of access (Art. 15): Obtain confirmation of whether we process your data, and a copy of it.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your data where there is no compelling reason for continued processing.
  • Right to restriction (Art. 18): Request that we restrict processing in certain circumstances.
  • Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to withdraw consent: Where processing is based on consent, withdraw at any time without affecting the lawfulness of prior processing.
  • Right not to be subject to automated decision-making (Art. 22): We do not currently make decisions based solely on automated processing that produce legal or similarly significant effects.

To exercise any of these rights, contact us at privacy@itauditdirectory.com. We will respond within one calendar month. If we require an extension, we will notify you within that period with reasons.

9. Cookies and Similar Technologies

We use strictly necessary (functional) cookies that are essential for the Platform to operate correctly. These cookies do not require your consent under applicable cookie legislation.

We do not use:

  • Third-party advertising or tracking cookies
  • Social media plug-in cookies
  • Cross-site tracking technologies

Should we introduce non-essential cookies or analytics cookies in the future, we will obtain your prior consent through a clearly visible cookie banner, in compliance with the Privacy and Electronic Communications Regulations 2003 (PECR).

10. Security Measures

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure or destruction. These measures include, but are not limited to:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Access controls and role-based permissions
  • Regular security assessments and monitoring
  • Secure hosting infrastructure with industry-standard certifications

While we take all reasonable steps to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

11. Children's Data

The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will take steps to delete it promptly.

12. Third-Party Links

The Platform may contain links to external websites operated by audit firms or other third parties. We are not responsible for the privacy practices or content of those websites. We encourage you to read their privacy policies before submitting any personal data.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, in accordance with Article 33 UK GDPR. Where the breach is likely to result in a high risk, we will also inform you directly without undue delay (Article 34 UK GDPR).

14. Complaints

If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with:

Information Commissioner's Office (ICO)
Website: ico.org.uk
Telephone: 0303 123 1113

We would, however, appreciate the opportunity to address your concerns before you approach the ICO. Please contact us first at privacy@itauditdirectory.com.

15. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology or legal requirements. Material changes will be communicated by a prominent notice on the Platform or by email where appropriate. The “Last updated” date at the top of this page indicates when the policy was last revised. We encourage you to review this policy periodically.