Privacy Policy.
This Privacy Policy explains how VantagePoint Networks ("we", "us", "Agent Audit") collects, uses, shares and protects personal data when you use our website at agentaudit.co.uk, our APIs, SDKs and the Agent Audit platform (collectively, the "Service").
Our processing of personal data is governed by the United Kingdom General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018. For customers based in the European Economic Area, we apply equivalent standards under Regulation (EU) 2016/679 ("EU GDPR").
§ 1. Who we are
Agent Audit is a product of VantagePoint Networks, a United Kingdom business operating from London. For any privacy matter, contact info@vpnetworks.co.uk.
§ 2. Who controls your data
2.1 Our website & sign-up
When you visit our website or sign up for an account, we are the Controller of the personal data you give us — your email address, company name, role title, and any other information you choose to share.
2.2 Your customers' data flowing through the Service
When the Agent Audit platform processes receipts your agents generate, we are a Processor acting on your instructions. You remain the Controller of any personal data of your end users that you submit via the platform. Our processing of that data is governed by our Data Processing Addendum.
§ 3. What we collect and why
| Category | Examples | Lawful basis |
|---|---|---|
| Account data | Email, company name, role title, hashed API key, timestamps | Contract performance · UK GDPR Art. 6(1)(b) |
| Audit log | Request method, path, status code, hashed source IP, user agent | Legitimate interest · Art. 6(1)(f) — security & service integrity |
| Receipt metadata | Agent / session / trace identifiers, action types, hashes, redacted fields | Contract performance · Art. 6(1)(b) |
| Marketing email subscribers | Email address, given name, declared interests (optional) | Consent · Art. 6(1)(a) — withdrawable any time |
| Website analytics | Aggregated and pseudonymous traffic statistics | Legitimate interest · Art. 6(1)(f) — privacy-respecting, no cross-site tracking |
PII redaction at the SDK. Receipts ingested via the Agent Audit SDK are redacted of common categories of identifiable personal data (UK National Insurance numbers, postcodes, IBANs, email addresses, phone numbers, IP addresses, payment card numbers) at the SDK boundary, before transmission. Raw payloads are never transmitted, stored or accessed by us.
§ 4. What we do not collect
- We do not sell your personal data, ever.
- We do not share your personal data with advertising networks.
- We do not embed third-party trackers, fingerprinting tools, or session-replay tools on our website.
- We do not require cookies for the core service to function. The site uses functional storage (localStorage) only.
- We do not require you to consent to processing your data for purposes unrelated to the Service.
§ 5. Where your data lives
Customer data — including receipts, account records, and audit logs — is stored in the United Kingdom by default. Our principal sub-processors are:
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase Inc. | PostgreSQL hot store, magic-link authentication | UK / EU |
| Amazon Web Services | S3 cold storage, Parquet archive | eu-west-2 (London) |
| Vercel Inc. | Edge static delivery, Python serverless functions | UK edge |
| FreeTSA / Sectigo TSA | RFC 3161 timestamping (optional, per-tenant) | EU |
| Stripe Payments UK Ltd | Billing | UK / EU |
A current sub-processor list is also published on our Security & Trust page. We notify customers at least 30 days before appointing a new sub-processor.
§ 6. How long we keep things
Account data is retained for the lifetime of the account and for up to six months after deletion to handle billing reconciliations. Receipt data is retained per the retention policy attached to your tenant — by default seven years for receipts that touch financial or PCI-classified data, six months for ephemeral telemetry. You can configure retention per data class via the dashboard.
§ 7. Your rights under UK GDPR
You can exercise the following rights at any time by emailing info@vpnetworks.co.uk:
- Access — a copy of personal data we hold about you.
- Rectification — correction of inaccurate or incomplete data.
- Erasure — deletion (subject to legal retention obligations).
- Restriction — pause our processing while a query is reviewed.
- Data portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — for marketing emails, at any time.
- Complain to the Information Commissioner's Office: ico.org.uk.
We respond to subject access and erasure requests within 30 calendar days.
§ 8. Security
We apply technical and organisational measures appropriate to the risk: TLS 1.3 in transit, AES-256-GCM at rest, hashed API keys, row-level security and forced RLS on all tenant data tables, audit logging of every API call, and a documented incident response procedure. Full architectural detail is on the Security & Trust page.
§ 9. Data Processing Addendum
For customers processing personal data of their end users through the Service, our standard Data Processing Addendum forms part of the Terms of Service. The DPA covers UK GDPR Article 28 sub-processor terms, international transfers (UK IDTA and the EU Standard Contractual Clauses), security obligations, breach notification timelines, and audit rights. Email info@vpnetworks.co.uk to request a counter-signed copy.
§ 10. Changes to this policy
We may update this policy from time to time. Material changes will be announced in the dashboard and by email to account holders at least 14 days before they take effect. The version and last-updated date at the top of this page always reflect the current version. Historical versions are kept in our version control history at github.com/Kymeira-MrH/agent-audit (will become public on launch).
§ 11. Contact us
For any privacy matter — including subject access requests, DPA requests, security concerns, or supervisory authority engagement: info@vpnetworks.co.uk.