Privacy Policy

Last updated: 21 April 2026

1. Overview

AccessAudit ("we", "our", "us") is operated by the individual developer behind accessauditai.com. This Privacy Policy explains what personal data we collect, why we collect it, how we store it, and your rights under the EU General Data Protection Regulation (GDPR). By creating an account or using AccessAudit, you agree to this policy. If you do not agree, please do not use the service.

2. Data We Collect

2.1 Account data

When you register, we collect:

• Full name
• Email address
• Password (stored as a bcrypt hash — we never store plain-text passwords)
• Date and time of GDPR consent
• Profile image URL (only when signing in with Google OAuth)

2.2 Session data

Our authentication system (Better Auth) automatically records:

• IP address of the device used to sign in
• Browser user-agent string
• Session token (used to keep you logged in)
• Session expiry timestamp

This data is used solely for security and fraud prevention.

2.3 Scan data

When you run an accessibility scan, we store:

• The URL you submitted for scanning
• Accessibility violations detected on that page (including HTML snippets extracted from the scanned website)
• Compliance score and violation counts
• Date and time of the scan

Important: HTML snippets extracted from third-party websites may incidentally contain personal data (e.g. names or email addresses visible in the page source). You are responsible for ensuring you have the right to scan the websites you submit.

2.4 Billing data

Payments are processed by Paddle (our Merchant of Record). We do not store your credit card details. Paddle provides us with:

• Your Paddle customer ID
• Your Paddle subscription ID
• Plan type (Free, Dev, Agency)

Paddle's own privacy policy applies to payment processing.

2.5 Data we do NOT collect

We do not use:

• Third-party analytics (no Google Analytics, Mixpanel, etc.)
• Advertising cookies or tracking pixels
• Data brokers or data sharing with third parties for marketing purposes

4. Data Retention

• Account data: Retained for as long as your account is active.
• Scan data (violations, HTML snippets, scores): Retained for 12 months from the date of the scan, then automatically deleted.
• Session data (IP address, user-agent): Retained until the session expires or you sign out.
• Billing data: Retained as required by Paddle and applicable tax law.

When you delete your account, all your personal data is permanently erased within 30 days, except where retention is required by law.

5. Third Parties

We use the following third-party services to operate AccessAudit:

• Supabase (PostgreSQL database) — stores your account data, scan data, and session data. Hosted in the EU.
• Vercel (hosting) — serves the web application.
• Railway.app (background worker) — processes accessibility scans.
• Browserless.io — provides headless browser infrastructure for running scans.
• Anthropic (AI) — generates AI fix suggestions for detected violations. HTML snippets from violations are sent to Anthropic's API for this purpose.
• Paddle (payments) — handles billing and subscriptions.
• Resend (email) — sends transactional emails (verification, password reset, alerts).
• Google (OAuth) — enables "Sign in with Google". Only used if you choose this option.

We do not sell your personal data to any third party.

6. Your Rights (GDPR)

As an EU resident, you have the following rights:

• Right of access: You can request a copy of all personal data we hold about you.
• Right to rectification: You can correct inaccurate data via your account Settings.
• Right to erasure ("right to be forgotten"): You can delete your account and all associated data from Settings → Delete Account, or by contacting us.
• Right to restriction: You can ask us to stop processing your data in certain circumstances.
• Right to data portability: You can request your data in a machine-readable format.
• Right to object: You can object to processing based on legitimate interests.
• Right to withdraw consent: You can withdraw your GDPR consent at any time by deleting your account.

To exercise any of these rights, contact us at: privacy@accessauditai.com

We will respond within 30 days. If you believe we have violated your rights, you have the right to lodge a complaint with your national data protection authority.

7. Cookies

We use only the following cookies:

• Session cookie: A single cookie to keep you logged in. This is strictly necessary for the service to function. It expires when your session expires or you sign out.

We do not use advertising cookies, tracking cookies, or any third-party cookies for analytics purposes.

8. International Data Transfers

Some of our service providers (Anthropic, Vercel, Browserless.io) are based in the United States. When data is transferred outside the EU, we ensure adequate protection is in place through Standard Contractual Clauses (SCCs) or other GDPR-compliant transfer mechanisms.

9. Security

We implement the following security measures:

• Passwords are hashed using bcrypt — never stored in plain text.
• All data is transmitted over HTTPS.
• Database access is restricted to authorized services only.
• Session tokens are rotated on each login.

Despite these measures, no system is completely secure. In the event of a data breach that poses a high risk to your rights, we will notify you and the relevant supervisory authority as required by GDPR.

10. Children

AccessAudit is not intended for use by persons under 18 years of age. We do not knowingly collect data from minors. If you believe a minor has created an account, please contact us and we will delete the account immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For significant changes, we will notify you by email. Continued use of AccessAudit after changes constitutes acceptance of the updated policy.

12. Contact

For any privacy-related questions or requests:

Email: privacy@accessauditai.com
Website: https://accessauditai.com

We aim to respond to all privacy requests within 30 days.

This Privacy Policy was written to be transparent and easy to understand. If anything is unclear, please reach out at privacy@accessauditai.com and we will be happy to clarify.