Privacy Policy
Last updated: June 25, 2026
EAA Compliance Scanner ("we", "us") respects your privacy. This Policy explains the personal data we process, why, how long we keep it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA).
Data controller
The controller responsible for your personal data is [PLACEHOLDER: registered company name], [PLACEHOLDER: registered address]. For any privacy matter, contact privacy@eaacompliant.com.
Information we collect
Account data: your email address, an optional display name, and a hashed password if you set one.
Authentication data: session records including IP address and browser user-agent.
Billing data: handled by our payment processor; we receive only the order outcome, plan, amount, and currency — never your full card number.
Scan data: the website URLs you submit, the pages we crawl from them, accessibility scan results (WCAG criteria, rule identifiers, element selectors), full-page screenshots of the pages you scan, generated VPAT reports and accessibility statements, and any white-label branding (such as a logo) you upload.
Technical data: timestamps, request metadata, and — only if you opt in and analytics is enabled — anonymous product-analytics events.
We do NOT collect special-category personal data and we do not ask for government identifiers.
Why we use it (legal bases)
To deliver the scanning, reporting, and monitoring you requested (performance of a contract); to bill you and prevent fraud (legitimate interest and legal obligation); to send transactional emails such as magic sign-in links, receipts, monitoring alerts, and security notices (performance of a contract); to comply with accounting and legal obligations (legal obligation); and, where required, on your opt-in consent for product analytics or marketing email.
Screenshots and scanned content
To show you where issues occur, we capture and store screenshots and structural data of the pages you submit. These may incidentally include any personal data that is publicly visible on those pages. We process this content solely to provide the scan and its results, and you are responsible for ensuring you are entitled to have those pages scanned.
Who we share it with
We use a small set of sub-processors, each receiving only what they need and bound by confidentiality and data-protection obligations: Polar Software Inc. (payments and merchant of record), Resend (transactional email delivery), our managed PostgreSQL and Redis hosting providers (application database and cache), our S3-compatible object-storage provider (screenshots and generated PDFs), and, if enabled, Google Analytics (anonymous product analytics, no personal data). A full, current list is on our Sub-processors page. We do not sell your personal data or share it with advertising networks.
Do Not Sell or Share (CCPA)
We do not sell or share your personal information for cross-context behavioral advertising, and we never have. California residents have the right to confirm this and to opt out at any time by emailing privacy@eaacompliant.com — though there is nothing to opt out of.
Retention and deletion
Account, scan, and report data is retained while your account is active and for up to 30 days after closure to handle disputes and chargebacks, then deleted. Screenshots and generated PDFs follow the same lifecycle. Billing records are kept as long as the law requires. You may request immediate deletion (GDPR Art. 17 / CCPA right to delete) by emailing privacy@eaacompliant.com; we will process the request within 30 days, subject to legal retention obligations.
Your rights
Subject to applicable law you have the right to access, rectify, port, restrict, object to processing, and request erasure of your personal data. EU/UK residents may lodge a complaint with a supervisory authority. To exercise any right, email privacy@eaacompliant.com from the address on file; we will verify the request and respond within 30 days.
Security
Personal data is encrypted in transit (TLS 1.2+) and at rest. Passwords are stored only as salted hashes. Access to production data is limited to staff who need it for support and security, and our sub-processors are bound by their own security commitments.
International transfers
Our infrastructure and sub-processors may process data outside your country, including in the United States. Where required, we rely on Standard Contractual Clauses (SCCs) and equivalent safeguards for transfers from the European Economic Area, the United Kingdom, and Switzerland.
Contact
Privacy questions or requests: privacy@eaacompliant.com. If you believe we have not addressed your concern, you may contact your local data-protection authority.
This page is informational only and does not constitute legal advice, nor a guarantee of WCAG or EU Accessibility Act conformance. Automated testing finds a subset of accessibility issues; please consult a qualified accessibility or legal professional before relying on it.
Questions? Email legal@eaacompliant.com.