Score ARENA Express privacy.
This page describes what is stored, what isn't, and what control you have. Auditor tone: we only state what is active today.
What we store when you complete the questionnaire
- Your eleven scoring answers + two calibrators (sector and revenue band).
- The generated score and the full report in JSON.
- Your answer to the optional open question (only if you fill it).
- Timestamp (ISO) and locale (es/en).
- Engine and questionnaire versions that produced the report.
Company identification
Before you start the questionnaire we ask you to identify the company we are about to read. We store: legal or trade name, corporate website URL, contact person's first and last name, work email, and the two-letter ISO country code derived from the CDN. Without this identification the report is not generated.
We only accept corporate emails. The form blocks the most common free email domains (Gmail, Hotmail, Outlook, Yahoo, iCloud, Proton, AOL and similar). The reason is that this audit is associated with a real company, not an individual.
Retention: 12 months from the last activity on the linked report. After that, identification data is automatically deleted. You can request earlier deletion by emailing privacy@barroaudit.com.
Reading of your public evidence
The identification form includes an optional checkbox, unchecked by default, authorising BARRO to read the public pages of the indicated website to add a Public Evidence Web Layer to the report. This layer does not affect the score or the verdict: it produces a separate visible block describing what your web projects outward.
The reading runs only if the checkbox is explicitly ticked. Without your authorisation, the public layer does not run and no evidence is persisted.
What we do when you authorise
- We read public pages of the indicated domain, accessible to any visitor.
- We honour
robots.txt. If your robots disallows reading, we do not read. - One-off reading of up to 12 pages, tied exclusively to your report.
- The agent identifies itself with the User-Agent
BARROBot/1.0 (+https://barroaudit.com/bot). - Operational details on the bot page.
What we do not do
- We do not access private areas or login-protected content.
- We do not use cookies, log in, or submit forms.
- We do not execute JavaScript or render dynamic pages in a headless browser.
- We do not perform continuous tracking or periodic rounds: each reading is one-off.
- We do not use external sources in this version: no LinkedIn, no Google, no Apollo, no Hunter, no commercial contact databases.
What is persisted after the reading
- Structured signals (presence of products, cases, solutions, support pages, etc.).
sha256hashes of the content read, as internal reference.- Public URLs visited, their HTTP code and robots outcome, for operational traceability.
- Process metadata (date, number of pages, technical errors), without personal data.
Full HTML and full page contents are not persisted. Neither is PDF content nor external sources. Signal-associated text is limited to short fragments without personal information.
This layer may enrich the web report with a visible block when there is enough public evidence. It measures public projection, not operational reality: a company with a solid commercial system may have a limited public footprint. The layer never accuses by absence.
You can request deletion of the public evidence associated with your report at any time by writing to privacy@barroaudit.com.
Aggregate cohort · checkbox prepared
Next to the web-reading checkbox, the form includes a second optional checkbox, unchecked by default, authorising future uses of cohorts and aggregate readings. In this version that authorisation is stored but not exploited: for now, stored data is used only to serve your own report.
Email · only if you ask for it
On the report page you will find an optional block to receive the PDF and the permanent link by email. The block is optional. If you do not use it, we do not store an email.
If you do, we store your email address linked to that specific ULID and use it only to send you that report. We do not subscribe you to any list, there is no newsletter, no automated commercial nurturing, no open or click tracking. The email is sent once per request, with a maximum of five resends per report to prevent abuse.
What we do NOT store
- Personal user identifiers beyond the contact declared in the identification (no login, no session cookies).
- Full IP address or geolocation data at city or coordinates level (only ISO country).
- Browser fingerprinting or detailed telemetry.
- Email open metrics, click metrics or tracking pixels in the email.
- Data from Apollo, Hunter, LinkedIn or other external contact databases.
Local persistence in your browser
While you answer the questionnaire, your answers are saved in your browser's localStorage so you can continue later. That local persistence is not sent to any server until you click "Close questionnaire and generate report". It expires 14 days after the start. It is automatically cleared on successful submission.
Sharing with third parties
We do not sell or commercially share your responses. Active technical infrastructure today is:
- Supabase · report database. EU hosting (Ireland). Only receives the data of the report you generate.
- Vercel · site server. EU hosting (Frankfurt).
- Resend · email delivery service used only when you explicitly request it. Receives only your email address, the email subject, the email body and the PDF report attached. Resend is not used until you press the send button. Resend operates under standard contractual clauses (SCC) and a standard DPA.
- DonDominio · DNS provider for the score.barroaudit.com subdomain. Does not process report content.
What is NOT active in this version
In this version we do not send your answers or your report to any language model provider, nor to third-party web analytics systems (Google Analytics or similar). Email delivery via Resend only occurs if you press the send button on your report page; otherwise, your email never leaves our database. If we later enable AI-assisted narrative, we will announce it explicitly and allow opt-out before any transmission.
Permanent report URL
On submission, a 26-character random ULID is generated (2128 search-space entries). The report is available at a URL of the form score.barroaudit.com/{locale}/r/{ulid}. Anyone with that URL can read the report. The URL is practically impossible to guess; you decide with whom to share it.
Aggregate cohort
Your answers are not added to the aggregate cohort dataset without your explicit authorization. The infrastructure for that opt-in authorization is planned but not active in this version: for now, stored data is used only to serve your own report.
Open question and declared calibrators (v2.8)
When the declared methodology is enabled, the questionnaire adds two calibrators: demand-effort distribution and loss reasons (Q14 and Q15). Together with the open question (Q13), these fields are processed by a deterministic thematic detector server-side that extracts topics and per-phase signals. That layer is linked to your report and used to contextualise the narrative, but does not modify the score, the leak or the archetype computed by the structural engine.
The raw text of Q13 is stored truncated to 500 characters. It is not sent to third parties without your authorisation. Recommendation: do not include client names, sensitive financial data or intellectual property in that field.
Right to deletion
You can request full deletion of your report by emailing privacy@barroaudit.com with the permanent URL (format /r/{ulid}). Deletion is executed within 72 hours.
Regulatory framework
We apply the General Data Protection Regulation (EU 2016/679) and the Spanish Organic Law 3/2018 on Personal Data Protection. Data controller is BARRO Audit Int. SL.
Changes to this policy
This policy is updated when something material changes: new integrations, new third parties, new storages. Previous versions are archived with their date. If we activate a service that receives report content (for example generative AI or transactional email), it will be announced here before going live.
BARRO · Last updated · 8 May 2026
