Privacy Policy
Last updated: April 2026
1. Who we are
AccessiProof provides web accessibility auditing and monitoring services to European web agencies. This policy explains how we collect, use, transfer, and protect personal data when you use our website and services. Our legal entity, address, and register details are published on the Imprint page.
2. Our role: controller vs processor
We are the controller for personal data you give us directly: the name, email, and payment contact details you submit when requesting a free scan, purchasing a paid audit, or corresponding with us. We decide the purpose and means of that processing and this policy governs it.
We are a processor when we scan websites on behalf of an agency or business customer and produce reports for them. In that role, our customer is the controller and we only process the data under their documented instructions, governed by our Data Processing Addendum.
3. Data we collect
When you request a free scan: We collect the URL you submit and your email address. Lawful basis: performance of your scan request (Art. 6(1)(b) GDPR) and our legitimate interest in showing the result of a tool you asked us to run (Art. 6(1)(f)).
When you order a paid audit or monthly retainer: Payment is processed by Stripe. We receive your name, email, billing address, and payment confirmation. We do not store card details. Lawful basis: performance of the contract (Art. 6(1)(b)) and compliance with tax and accounting law (Art. 6(1)(c)).
Scan data: When we scan a website, we access only publicly available pages. We store accessibility issue data (HTML snippets, element selectors, WCAG violations, screenshots) to generate reports. Where captured HTML incidentally contains personal data that a site renders publicly (for example a comment signed with a name), we process it only for the purpose of producing the report and retain it only as long as the report is needed.
Operator accounts: For our internal dashboard, we log authentication events, IP address, and user-agent. Lawful basis: our legitimate interest in securing access to operational systems (Art. 6(1)(f)).
Analytics: See Section 8 below for the specific vendors and what they see.
4. How we use your data
- To perform accessibility scans you request
- To generate and deliver reports, including via email
- To communicate about your scans, reports, and account
- To process payments via Stripe and comply with tax law
- To secure, monitor, and improve our services
- To defend or pursue legal claims where necessary
We do not sell your data. We do not use your data for third-party advertising. We do not create behavioural profiles of visitors. We share data only with the sub-processors necessary to deliver the service — see the full list at /legal/subprocessors.
5. International transfers
Our primary application database (Neon) and scanner worker (Hetzner) are hosted in the European Union. Some sub-processors we rely on operate in the United States — notably Vercel (application hosting and cookie-less analytics), Stripe (payments), Resend (transactional email), and Anthropic (the Claude API we use internally to accelerate report production). These transfers are protected by the European Commission's Standard Contractual Clauses (Decision 2021/914) together with supplementary measures including TLS encryption in transit, encryption at rest, and data minimisation. The full list and the transfer basis for each sub-processor are published at /legal/subprocessors.
6. Security and breach notification
We use TLS 1.2+ for all connections, encryption at rest for our managed database, role-based access control, tokenised report sharing with revocation, and principle-of-least-privilege credentials for internal systems. Report links use unguessable random tokens and do not require authentication to view — share them only with intended recipients, and revoke them in the dashboard when no longer needed.
If we become aware of a personal data breach affecting your data, we will notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it (Art. 33 GDPR). Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Art. 34 GDPR). Full security measures are described in Annex A of our Data Processing Addendum.
7. Your rights (GDPR)
Under the GDPR, you have the right to access, correct, delete, or export your personal data, restrict or object to processing, and — where processing is based on consent — withdraw that consent at any time without affecting earlier processing. To exercise these rights, contact us at office@accessiproof.com. We respond within 30 days (Art. 12(3) GDPR). You also have the right to lodge a complaint with your national supervisory authority. For Romania, the competent authority is ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal — dataprotection.ro). Customers in other EU member states may contact their own national authority (see the Imprint).
8. Analytics and cookies
We use strictly necessary cookies only: the authentication session cookie for the operator dashboard and, where applicable, a short-lived checkout cookie set by Stripe. No consent banner is displayed because we set no cookies that require one under the ePrivacy Directive as implemented locally.
We use the following cookie-less analytics and performance telemetry:
- Vercel Web Analytics — aggregate page-view counts and referrers, no cookies, no cross-site tracking, no device fingerprinting.
- Vercel Speed Insights — aggregate Core Web Vitals measurements, no cookies, no personal data.
- Umami (optional, self-hosted configuration) — cookie-less, EU-hosted analytics; disabled unless the site administrator provides an ID at deploy time.
If we ever add cookies or trackers that are not strictly necessary, we will first introduce a consent banner conforming to the ePrivacy Directive.
9. Use of AI (Anthropic Claude)
We use the Anthropic Claude API internally to accelerate the production of human-reviewed reports — for example, to draft executive summaries and phrase remediation guidance. Only aggregated accessibility findings (issue types, counts, selectors, HTML snippets stripped of user-identifying content) are submitted to Claude. We do not send account data, billing data, or end-user personal data to the model. We do not use AI to issue compliance determinations; every report is reviewed by a human before delivery. Anthropic is a contractual sub-processor and is listed on our sub-processor page.
10. Data retention
Free-scan data is retained for up to 12 months to allow re-delivery and support. Paid audit and monthly-monitoring data is retained for the duration of your active service and for up to 12 months after termination, unless you request earlier deletion or a longer retention period is required by tax or accounting law (typically 10 years for invoicing records under Romanian Codul Fiscal Art. 25 and OMFP 2634/2015, or equivalent local rules). You may request deletion at any time by contacting us.
11. Automated decision-making
We do not engage in automated decision-making, including profiling, that produces legal or similarly significant effects for you within the meaning of Article 22 GDPR.
12. Changes to this policy
We will post material changes to this policy on this page and update the "last updated" date. If changes are material we will also notify active customers by email at least 30 days before the change takes effect.
13. Contact
For privacy-related questions, to exercise your rights, or to report a suspected breach, contact us at office@accessiproof.com. Our postal address and legal representative are listed on the Imprint.