Privacy Policy
Effective Date: April 12, 2026
Last Updated: April 12, 2026
WCAG Repair ("we," "us," or "our") operates the website wcagrepair.com and all related products and services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service.
1. Information We Collect
1.1 Information You Provide
- URLs submitted for scanning — the web addresses you enter for accessibility audits.
- Email address — when you provide one for guide delivery, scan result delivery, monitoring alerts, or the email capture form on scan results pages.
- Payment information — when you purchase a remediation guide, site audit bundle, or subscribe to monitoring. Payment details (credit card numbers, billing address) are collected and processed directly by Stripe and are never stored on our servers.
- Support communications — when you contact us via email, we retain the content of your messages to respond and improve the Service.
1.2 Information Collected Automatically
- IP address — collected with each request for rate limiting, abuse prevention, and security monitoring. Your IP address may be stored in server access logs and in our application database in connection with scans and purchases.
- Session cookies — Flask session cookies used to maintain your browsing session (see Section 5).
- Scan results — the accessibility issues, page data, severity scores, and platform information identified during your scan are stored alongside the URL you submitted.
- Analytics data — we use Umami, a privacy-focused, cookieless analytics service, to understand aggregate usage patterns. Umami does not use cookies, does not collect personally identifiable information, and does not track you across websites. Analytics data includes page views, referrer sources, browser type, device type, and country of origin — all in aggregate form. See Section 5 for details.
2. How We Use Your Information
We use the information we collect to:
- Perform WCAG 2.1 accessibility audits on the URLs you submit
- Generate and deliver AI-powered remediation guides, site audit bundles, and security reports
- Process payments through Stripe for purchases and subscriptions
- Send monitoring alerts, fix reports, and scan completion notifications to subscribers via email
- Send you your scan results by email when you provide your email address on the results page
- Send marketing communications about our services and related products (you may unsubscribe at any time)
- Enforce rate limits and prevent abuse of the Service
- Detect and block automated scraping, bot activity, and unauthorized access
- Improve and maintain the Service, including analyzing aggregate usage patterns
- Respond to support requests and communications
3. AI-Generated Content and Data Processing
Our remediation guides, diagnostic reports, and fix recommendations are generated using artificial intelligence technology provided by Anthropic (Claude). When you purchase a guide or trigger AI-generated content:
- Your scan results (accessibility issues, page structure, detected platform) are sent to Anthropic's API for processing
- We send only the technical scan data necessary to generate your guide — no payment information, email addresses, or other personal data is shared with Anthropic
- Anthropic processes this data under their Privacy Policy and does not use API inputs to train their models
- The generated guide content is stored on our servers and delivered to you
4. Data Storage and Security
All application data (URLs, email addresses, scan results, and purchase records) is stored in a PostgreSQL database on servers located in the United States. We implement reasonable administrative, technical, and physical safeguards to protect your information, including:
- All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS)
- Database access is restricted, authenticated, and limited to authorized systems
- Payment data is handled entirely by Stripe (PCI DSS Level 1 certified) and never touches our servers
- Server infrastructure is protected by firewalls (nftables) with IP-based access controls
- Access to production systems is restricted to authorized personnel only
- We conduct regular security reviews of our infrastructure and application code
No method of transmission over the Internet or electronic storage is completely secure. While we take reasonable precautions, we cannot guarantee absolute security.
5. Cookies, Analytics, and Tracking
5.1 Session Cookie
We use a single, strictly necessary session cookie set by Flask to maintain your browsing session. This cookie:
- Is essential for the Service to function (CSRF protection, session management)
- Does not track you across other websites
- Does not contain personally identifiable information
- Expires when you close your browser or after 1 hour of inactivity
5.2 Analytics (Umami)
We use Umami, a privacy-focused analytics platform, to understand aggregate usage patterns. Umami is fundamentally different from tracking-based analytics services:
- No cookies — Umami does not set any cookies on your device
- No personal data — Umami does not collect IP addresses, device fingerprints, or any personally identifiable information
- No cross-site tracking — Umami does not track you across websites
- Aggregate only — all data is aggregated and cannot be used to identify individual visitors
- Self-hosted — our Umami instance runs on our own infrastructure, not a third-party cloud
Because Umami is cookieless and does not collect personal data, no cookie consent banner is required for its use under GDPR, ePrivacy Directive, or CCPA.
5.3 What We Do Not Use
We do not use Google Analytics, Facebook Pixel, advertising cookies, tracking pixels, browser fingerprinting, or any invasive tracking technology.
6. We Do Not Sell Your Data
We will never sell, rent, lease, trade, or otherwise commercially transfer your personal information to any third party. This is a core principle of our business, not a conditional policy that may change.
Specifically:
- We do not sell your data to data brokers, advertisers, marketing companies, or any other entity
- We do not share your email address, scan results, or usage data with third parties for their marketing, profiling, or advertising purposes
- We do not monetize your data in any way other than providing the Service you paid for
- We do not participate in data cooperatives, data exchanges, or any form of data sharing arrangement for commercial gain
7. Third-Party Services
We share the minimum necessary information with the following third-party service providers, solely as required to operate the Service:
- Stripe — payment processing. Stripe receives your payment details and email address to process transactions. We do not store your credit card number, CVC, or full billing details. Stripe Privacy Policy.
- Anthropic — AI content generation. Anthropic receives technical scan data (accessibility issues, page structure) to generate remediation guides. No personal information is sent. Anthropic Privacy Policy.
- Cloudflare — CDN, DDoS protection, and DNS. Cloudflare processes request data (IP addresses, headers) to provide security and performance services. Cloudflare Privacy Policy.
- MXRoute (SMTP) — email delivery for sending remediation guides, monitoring alerts, and marketing communications. MXRoute processes your email address solely for the purpose of message delivery.
Each third-party provider is bound by its own privacy policy and applicable data protection regulations. We select providers that maintain appropriate security standards.
8. Email Communications
We may send you the following types of email:
8.1 Transactional Emails
Purchase receipts, guide delivery, scan result delivery, subscription renewal confirmations, and cancellation confirmations. These are necessary for the Service and cannot be opted out of while you have active purchases or subscriptions.
8.2 Service Notifications
Monitoring alerts, new issue notifications, and fix reports for active subscribers.
8.3 Marketing Communications
Information about our services, related products (including Abby SEO, AI-Signed, SiteDialect, and NewSiteLead), and accessibility best practices. You may unsubscribe from marketing communications at any time using the unsubscribe link included in every email. Unsubscribe requests are processed promptly and are permanent unless you re-subscribe.
9. Cross-Site Promotions
Our website may display links, recommendations, or promotional content for related services, including Abby SEO, AI-Signed, SiteDialect, and NewSiteLead. These are separately operated services with their own privacy policies. Clicking a cross-promotion link takes you to that service's website, which is governed by its own privacy practices. We do not share your personal data with these related services for their independent use.
10. Data Retention and Deletion
We retain your data only as long as necessary for the purposes described in this policy:
- Free scan results: Retained for a limited period to allow access to your reports, then automatically deleted. You may request earlier deletion at any time.
- Purchased products: Guide and report records are retained for the duration of your relationship with us plus a reasonable period for support and re-delivery purposes.
- Subscription data: Retained for the duration of your subscription plus a reasonable period thereafter for legal and accounting purposes.
- Email addresses: Retained as long as you have an active purchase, subscription, or marketing consent. Removed upon unsubscribe or deletion request.
- IP addresses: Application-level IP logs used for rate limiting and abuse prevention are retained for 7 days. Server access logs are retained for up to 30 days.
- Payment records: Retained as required by tax and financial reporting obligations (typically 7 years). Managed by Stripe.
- Analytics data: Umami analytics data is aggregated and does not contain personal information. Aggregate data is retained indefinitely.
11. Your Rights
Regardless of where you are located, we extend the following rights to all users:
- Right of access: You may request a copy of all personal data we hold about you.
- Right to rectification: You may request correction of any inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): You may request that we delete all your personal data.
- Right to restrict processing: You may request that we limit how we use your data.
- Right to data portability: You may request your data in a structured, machine-readable format.
- Right to object: You may object to our processing of your data for specific purposes.
- Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time.
11.1 For EU/EEA Residents (GDPR)
Our legal bases for processing your data are: (a) performance of a contract (providing the Service you requested), (b) legitimate interests (abuse prevention, security, service improvement), and (c) consent (where applicable, such as marketing email communications). You have the right to lodge a complaint with your local data protection authority.
11.2 For California Residents (CCPA/CPRA)
You have the right to know what personal information we collect, request deletion, and opt out of the sale of your personal information. As stated in Section 6, we do not sell your personal information and have never sold personal information. You also have the right to non-discrimination for exercising your privacy rights.
11.3 Exercising Your Rights
To exercise any of these rights, you may:
- Submit a Data Deletion Request through our self-service form
- Email us at privacy@wcagrepair.com
We will respond to all requests within 30 days. We may ask you to verify your identity before processing your request to protect your privacy.
12. International Data Transfers
Our servers are located in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We take reasonable steps to ensure that your data is treated securely and in accordance with this Privacy Policy regardless of where it is processed.
13. Children's Privacy
The Service is not directed to individuals under the age of 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under the applicable age, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@wcagrepair.com.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this page. For significant changes that affect how we handle your data, we will make reasonable efforts to notify you via email (if we have your email address) or through a prominent notice on the Service. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.
15. Contact Us
If you have questions about this Privacy Policy, our data practices, or wish to exercise any of your data rights, please contact us at:
WCAG Repair
General: support@wcagrepair.com
Privacy inquiries: privacy@wcagrepair.com
Accessibility: accessibility@wcagrepair.com
Website: wcagrepair.com
We aim to respond to all privacy-related inquiries within 30 days.