Privacy Policy
Effective date: April 6, 2026
This policy describes what data we collect, why we collect it, who receives it, how long we keep it, and how you can delete it.
1. Data we collect
1.1 Account data
Your email address and a password. The password is hashed before storage. We never store or transmit your password in plain text.
1.2 Scan data
The URLs you submit for scanning, the publicly accessible HTML content of pages at those URLs (up to 100 pages per scan), and the scan results we generate (compliance score, violations, fix suggestions). Scan results are associated with your account.
We scan only publicly accessible pages. We do not access authenticated pages or collect cookies, tokens, form data, or credentials from the sites you scan.
1.3 Payment data
If you purchase a scan credit, payment processing is handled entirely by Stripe. We do not receive, store, or have access to your credit card number or bank account details. Stripe shares with us your Stripe customer ID and payment confirmation so we can add scan credits to your account. See Stripe's privacy policy.
1.4 Server logs
IP addresses, request timestamps, and request paths. Used for rate limiting, abuse prevention, and debugging. Not associated with your account.
2. Data we do not collect
We do not receive or store credit card numbers, bank account details, or other payment credentials. All payment processing is handled by Stripe. We do not use analytics, advertising trackers, or any third-party behavioral tracking.
3. Cookies
We set two cookies, both strictly necessary for authentication. Both are httpOnly (not accessible to JavaScript) and contain no personal information. We do not use analytics, advertising, or third-party tracking cookies.
4. How we use AI
After automated tools check your pages, we send a sanitized subset of page content to the Anthropic API (Claude) for contextual accessibility analysis.
Sent to the AI: Image elements (alt text, ARIA attributes), headings (text, nesting level), form elements (labels, input types), and links (text, ARIA attributes). Extracted from the public HTML of scanned pages.
Not sent to the AI: Your email or password, full page HTML, JavaScript, stylesheets, cookies or tokens from the scanned site, or any content behind login walls.
Anthropic does not use data sent through its commercial API to train models. Fix suggestions generated by AI are automated, have not been reviewed by a human expert, and should be verified before use.
5. Third-party services
Stripe: Payment processing. When you purchase a scan credit, Stripe receives the payment details you provide during checkout. We receive only your Stripe customer ID and payment confirmation. We do not receive or store your payment credentials. See Stripe's privacy policy for how they handle your payment data.
Anthropic: Receives sanitized page elements (Section 4). Does not receive account data.
Railway: Backend hosting. All account data, scan results, and server logs are stored on Railway infrastructure.
Vercel: Frontend hosting. Receives standard web server logs only. Does not store account data or scan results.
Sentry: Error monitoring. Receives error stack traces and request URLs when server errors occur. Does not receive email addresses, passwords, or scan results.
Supabase: Off-site backup storage. Receives a full database copy daily via automated backup, including email addresses, hashed passwords, and scan results. Stored in a private bucket with no public access. See Supabase's privacy policy.
We do not sell, rent, or share your data with any party not listed above.
6. Data retention
Account and scan data: Retained while your account exists. Deleted when you delete your account.
Stripe data: Deleting your CheckSiteADA account removes your unused scan credits. Stripe retains its own payment records according to its privacy policy.
Server logs: Up to 7 days, per Railway's Hobby plan retention policy.
Off-site backups: Rolling window of 7 daily backups. After account deletion, backups may retain your data for up to 7 days before rotation.
7. Deleting your data
Self-service: Log in, click "Delete account" in the navigation bar, and confirm. This immediately removes your account and all associated data from the live database.
By email: Send a request from your account email to support@checksiteada.com. Processed within 7 business days.
8. Security
Passwords are hashed. Authentication cookies are httpOnly and inaccessible to JavaScript. All connections use HTTPS. We enforce rate limiting on all authentication and scan endpoints.
9. Children
CheckSiteADA is not directed at children under 13. We do not knowingly collect information from children under 13. If you believe a child has created an account, contact support@checksiteada.com and we will delete it.
10. Changes to this policy
Material changes will be communicated via the email on your account before they take effect. The effective date above reflects the most recent revision.
11. Contact
Questions about this policy or your data: support@checksiteada.com