
Privacy policy.

What AuditCode AI collects, what we do not collect, and your rights as a data subject. The principle of minimum collection runs through every section below.

Effective:
Version: 1.0
§ 01

Who we are.

AuditCode AI is operated by Ibrahim Hashimov, a natural person acting as sole operator and established in Belgium. For the purposes of the EU General Data Protection Regulation (GDPR), Ibrahim Hashimov is the data controller of the personal data described in this policy.

Contact details: Ibrahim Hashimov, postal address available on written request to privacy@auditcode.ai for individuals exercising data-subject rights. The controller operates as a natural person under the Belgian Code of Economic Law; no company entity (BCE/KBO) has been registered at the date of this policy.

Data Protection Officer. A DPO has not been appointed because the controller's core activities do not involve large-scale processing of special-category data or large-scale, regular monitoring of data subjects (GDPR Art. 37(1)). Data-protection questions are handled directly by the controller.

§ 02

What we collect.

AuditCode AI operates the auditcode.ai website and the AuditCode Research site at /research and /research/methodology. Each surface collects the minimum data needed to operate.

AuditCode AI does not currently deploy page-view analytics, cookies, or any other automated visitor-tracking mechanism on the research surfaces. The only personal data we process is email correspondence you voluntarily send us.

Data: Email correspondence (vulnerability reports, research inquiries, contact).

Purpose, lawful basis & retention: Coordinated-disclosure handling and response to inquiries. Lawful basis: legitimate interests (GDPR Art. 6(1)(f)) — coordinated vulnerability disclosure and record-keeping; or pre-contract steps (Art. 6(1)(b)) where you initiate contact. Retention: for the duration of the coordinated-disclosure process and up to 7 years thereafter; general inquiry email is deleted within 24 months of last contact. Legal correspondence concerning a published or in-progress advisory is retained on the additional grounds of GDPR Art. 17(3)(d) (processing for scientific-research purposes — coordinated vulnerability disclosure is recognized as a research activity, see ENISA "Coordinated Vulnerability Disclosure Policies in the EU," 2022) and Art. 17(3)(e) (defense of legal claims).

Balancing test (Art. 6(1)(f)). For each processing operation grounded in legitimate interests, the controller has performed an interest-balancing assessment. The interests pursued — maintaining an auditable record of coordinated vulnerability disclosures — are necessary for the security-research function and could not be achieved through less intrusive means. The processing involves only data voluntarily provided by the data subject through email correspondence, and does not include profiling, automated decision-making, or special-category data. The 7-year retention ceiling for disclosure correspondence is informed by analogous reference to the general contractual limitation period under Belgian civil law (Civ. Code Art. 2262bis) and the documentary-retention period under the Belgian Code of Economic Law (Art. III.86, applied by analogy until the controller is registered as a commercial entity), and is necessary for the establishment, exercise, or defense of legal claims relating to a published advisory. Data subjects may object to processing under Art. 21 at any time; objections are evaluated against the documented balancing test.

CCPA category mapping (Cal. Civ. Code § 1798.140(v)). Email correspondence falls under "identifiers" (email address) and may contain "professional or employment-related information" if voluntarily provided by the sender. No category is sold or shared as those terms are defined in § 1798.140(ad)/(ah). No sensitive personal information (§ 1798.140(ae)) is collected.

§ 03

What we don't collect.

We do not use:

  • Tracking cookies for advertising or behavioral profiling.
  • Third-party ad networks or pixel trackers.
  • Cross-site tracking or browser fingerprinting libraries.
  • Session-replay tools that capture keystrokes or mouse movements.
  • Data brokers — under any circumstance.

We do not sell or share personal information as those terms are defined in California Civil Code § 1798.140. AuditCode AI recognizes the Global Privacy Control (GPC) browser signal as a valid opt-out request under CPRA Regs. § 7025. Because AuditCode AI does not sell or share personal information in the first instance, the signal is treated as already honored on receipt; no further opt-out steps are required of the user.

§ 04

Sub-processors.

Operating the Service requires a small number of infrastructure providers. Each is contractually bound to data-processing terms equivalent to those in this policy.

Sub-processor list (last updated ):

  • Cloudflare, Inc. (US, global edge network) — domain registrar and DNS resolution for auditcode.ai. Processes DNS query metadata and, at the network edge, visitor IP addresses. WHOIS registrant data is redacted by Cloudflare's registrar privacy by default. Cloudflare is EU–US Data Privacy Framework certified.
  • Zoho Corporation — email infrastructure for the @auditcode.ai mailboxes. Hosted on the EU instance (mail.zoho.eu, data centers in the Netherlands), so email correspondence is processed within the EEA.
  • Vercel Inc. (US / EU edge) — website hosting and content delivery.
  • GitHub, Inc. (US) — repository hosting and security-advisory publication via the GitHub Security Advisories program.

If we add or change a sub-processor, this section will be updated and material changes announced per § 09. The current authoritative list is also available on request from privacy@auditcode.ai.

§ 05

Your rights.

Depending on your jurisdiction, you have the right to:

  • Access. See what personal data we hold about you (GDPR Art. 15).
  • Rectification. Correct inaccurate personal data (GDPR Art. 16; CPRA correction right).
  • Erasure. Request deletion ("right to be forgotten," GDPR Art. 17), subject to exceptions in Art. 17(3).
  • Restrict processing. Ask us to pause processing while a dispute is resolved (GDPR Art. 18).
  • Portability. Receive your data in a machine-readable format (GDPR Art. 20).
  • Object. Opt out of any non-essential processing (GDPR Art. 21).
  • Withdraw consent. Where processing is based on your consent, you may withdraw it at any time (GDPR Art. 7(3)); withdrawal does not affect prior processing.
  • Not subject to solely automated decisions. No decision affecting you legally or significantly is made about you on a solely automated basis (GDPR Art. 22). The Service does not engage in profiling within the meaning of Art. 4(4).

EU/UK residents also have the right to lodge a complaint with their national data-protection authority (GDPR Art. 77). A list of EU supervisory authorities is maintained at edpb.europa.eu. The Belgian supervisory authority is the Data Protection Authority (APD/GBA).

California residents have additional rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of sale or sharing of personal information. AuditCode AI does not sell or share personal information as defined in Cal. Civ. Code § 1798.140, and we do not discriminate against users who exercise their rights (§ 1798.125).

Requests are answered within 30 days where practicable, and in all cases within the statutory deadlines under GDPR (one month, extendable by two further months for complex requests) and CCPA (45 days, extendable to 90). Contact: privacy@auditcode.ai.

§ 06

Children's data.

The Service is intended for security researchers and software professionals. We do not knowingly collect personal data from children under 16 (GDPR Art. 8) or under 13 (US COPPA, 15 U.S.C. § 6501). If you believe a child has provided personal data, contact privacy@auditcode.ai and we will delete it.

§ 07

Security and breach notification.

We are a security-focused organization. Encrypted transit (TLS) is mandatory for all data flows. Stored data is encrypted at rest by the underlying infrastructure providers listed in § 04.

In the event of a personal-data breach affecting your information, we will notify affected individuals and, where required, the relevant supervisory authority without undue delay and in accordance with applicable law (including GDPR Art. 33–34).

Our coordinated-disclosure contact for security vulnerabilities in AuditCode itself is documented at /.well-known/security.txt.

§ 08

International transfers.

Email correspondence (the primary category of personal data we hold) is processed by Zoho on its EU instance (data centers in the Netherlands) and therefore remains within the European Economic Area. No transfer mechanism under Chapter V of the GDPR is required for that processing.

Other sub-processors listed in § 04 (Cloudflare, Vercel, GitHub) are US-based and may process limited operational metadata (DNS query and edge metadata including visitor IP addresses, server logs for hosting, repository metadata for advisory publication) outside the EEA. Where applicable to that processing, we rely on (a) the EU–US Data Privacy Framework where the recipient is DPF-certified (Cloudflare, Vercel, and GitHub/Microsoft are DPF-certified), or (b) the European Commission's Standard Contractual Clauses (Decision 2021/914) where it is not. A copy of the relevant safeguards is available on request from privacy@auditcode.ai.

§ 09

Changes.

Material changes to this policy will be announced on the AuditCode Research page at least 14 days before they take effect, and the "Effective" date at the top of this policy will be updated. This policy is reviewed at least annually. Prior versions are archived and available on request from privacy@auditcode.ai.

§ 10

Privacy contact.

For privacy questions, data-subject requests, or anything else covered by this policy: privacy@auditcode.ai.

The data controller is Ibrahim Hashimov, sole operator trading as AuditCode AI, Belgium.