1. Controller
Oh My Audit is operated by (주) 오드리바드리 / ODEURIBADEURI Inc. The service name is Oh My Audit, and ODBD is a brand name used by the operator.
Privacy, deletion, access, correction, and security questions can be sent to contact@ohmyaudit.app.
2. Data we collect
Depending on how you use the service, we may collect:
- Account data: email address, password hash, email verification status, session records, and account timestamps.
- Submission data: app name, name, email address, service URL, selected plan, project context, original file name, file size, upload reference, and submission status.
- Analysis data: score, risk level, scanner summaries, findings selected for review, review notes, and report output.
- Messages: emails we send or receive about verification, uploads, payments, support, deletion, and refunds.
- Technical data: server logs, error logs, request metadata, and security events needed to operate and protect the service.
3. Source uploads
Uploaded source archives are stored privately and referenced by an internal upload ID. The archive is not published, indexed, or placed behind a public download URL by Oh My Audit.
For analysis, the worker may copy files into temporary local workspaces. Automated scans run in Oh My Audit's worker environment using open-source security scanners and internal heuristics. The source archive is not uploaded to a hosted scanner SaaS as part of the current self-serve score flow. Temporary scanner workspaces are deleted after the scan finishes.
Do not upload secrets, credentials, customer data, or third-party code unless you have the right to submit it for review. More detail is available in the Data Handling Policy.
4. Payments
Payments are handled by Polar, which acts as the Merchant of Record. We may receive payment status, product, customer email, checkout identifiers, receipt, tax, refund, and transaction metadata needed to grant credits, confirm purchases, and handle refunds.
We do not store full card numbers or card security codes on Oh My Audit servers.
5. How we use data
We use collected data to:
- create and secure accounts;
- store uploads and run requested scans or reviews;
- deliver scores, reports, emails, support, and payment confirmations;
- review scanner noise, duplicate signals, and obvious false positives;
- debug failures, prevent abuse, and improve the service;
- meet accounting, tax, security, and legal obligations.
We do not sell uploaded source code. We do not use uploaded source code to train public AI models. We do not publish customer findings or project names without permission.
6. Legal basis for processing
Where the EU/UK GDPR applies, we rely on the following legal bases:
- Contract: to create your account and provide the score, review, or audit you request.
- Consent: for marketing email and for analytics cookies; you can withdraw consent at any time.
- Legal obligation: to meet tax, accounting, and record-keeping requirements, handled together with Polar as Merchant of Record.
- Legitimate interests: to secure the service, prevent abuse, debug failures, and improve the product, balanced against your rights.
7. Providers and scanner tooling
We use infrastructure and service providers to run the product. Depending on configuration, this can include hosting, database, object storage, email delivery, and payment providers such as Fly.io, Cloudflare R2, Resend, and Polar.
Automated scanning currently uses open-source tooling in our worker environment. We do not intentionally send your source archive to a hosted scanner SaaS product as part of the current self-serve score flow. Some dependency vulnerability checks may use package names and version information to query public vulnerability data.
Providers may process data in other countries. We use them only for the purposes described in this policy and the service they provide to Oh My Audit.
9. International processing and transfers
Some providers may process or store data outside your country, including outside the European Economic Area (EEA) and the Republic of Korea, depending on their infrastructure and the region used. Where such transfers require it, we rely on reputable providers and appropriate safeguards. This can include hosting, object storage, email delivery, payment processing, logs, and support records. We use these providers only to operate Oh My Audit and provide the services described in this policy.
10. Retention and deletion
Uploaded source archives are automatically deleted after 7 days. Score, report, payment, analysis, and support records may be kept for as long as needed to provide the service, preserve score history, troubleshoot issues, prevent abuse, and meet legal or accounting requirements.
You can ask us to delete an uploaded archive sooner, or to delete an account or related personal data. We will delete or anonymize what we can, unless we need to keep limited records for payment, tax, fraud prevention, security, or legal reasons.
11. Security
We use private storage references, server-generated file names, password hashing, session tokens, limited operator access, and temporary scanner workspaces. No system is perfectly secure, but we design the service to avoid public exposure of uploaded archives.
12. Your rights and choices
Subject to applicable law, you have the right to access, rectify, erase, restrict, or port your personal data, to object to certain processing, and to withdraw consent (for marketing email or analytics) at any time without affecting processing already carried out.
To exercise any of these, email us at the contact address below. We may need to verify your email address first, and we aim to respond within 30 days.
If you are in the EU/EEA, you may lodge a complaint with your local data protection authority; in the UK, with the Information Commissioner's Office (ICO); in Korea, with the Personal Information Protection Commission (PIPC).
You can also choose not to upload files that contain unnecessary personal data, secrets, logs, or third-party material.
13. Contact
For privacy, deletion, access, or security questions, email contact@ohmyaudit.app.