Privacy Policy
Last updated: April 2, 2026
1. Data Controller
The data controller for WCAGAlert is: WCAGAlert, operated by Mostafa Abbas, Sweden. Contact: info@wcagalert.com. For GDPR purposes, we are the data controller when processing your account data, and data processor when scanning websites on your behalf (see our Data Processing Agreement).
2. What We Collect
Account data: email address, full name, organization name. Site data: URLs submitted for scanning, scan configurations. Scan results: HTML snippets, CSS selectors, WCAG violation data, accessibility scores, performance and SEO metrics. Usage data: login timestamps, scan history, audit logs. Technical data: IP address hashes (SHA-256) for rate limiting — raw IP addresses are never stored. Payment data: processed by Stripe — we do not store credit card numbers. Free audit data: URL scanned, results, IP hash (auto-deleted after 30 days).
3. Legal Basis for Processing
We process your data based on: Contract performance (Art. 6(1)(b) GDPR) — to provide the WCAGAlert service you signed up for. Legitimate interest (Art. 6(1)(f) GDPR) — for security, fraud prevention, and service improvement. Consent (Art. 6(1)(a) GDPR) — where explicitly requested, such as marketing communications.
4. How We Use Your Data
We use your data solely to provide the WCAGAlert service: scanning websites for accessibility issues, generating reports, sending scan notifications and alerts, processing payments, and providing customer support. We do not sell, rent, or share your personal data with third parties for marketing purposes.
5. Sub-processors and International Transfers
We use the following sub-processors: Supabase Inc. (database, authentication — EU Frankfurt). Stripe Inc. (payment processing — USA, protected by EU Standard Contractual Clauses). Vercel Inc. (application hosting — USA, EU SCCs). Railway Corp. (scan worker infrastructure — USA, EU SCCs). Brevo/Sendinblue (transactional email — EU France). Where data is transferred outside the EEA, it is protected by EU Standard Contractual Clauses (SCCs) maintained by each sub-processor.
6. Scanning
When you scan a website, our worker visits the publicly accessible pages using a headless browser. We only scan URLs you explicitly provide. We do not access pages behind authentication unless you configure it. Scanned page content is processed temporarily and only WCAG violation data is stored.
7. Data Retention
Account data: retained while your account is active, deleted within 30 days of account deletion. Scan results: retained while your account is active, deleted with your account. Free audit results: automatically deleted after 30 days. Audit logs: retained for 12 months for compliance purposes. Payment records: managed by Stripe under their retention policies.
8. Cookies
We use only essential cookies: Supabase authentication session cookie (required for login) and language preference cookie. We do not use tracking cookies, analytics cookies, or third-party advertising cookies. No cookie consent is required for strictly necessary cookies under the ePrivacy Directive, but we inform you here for transparency.
9. Your Rights (GDPR)
Under GDPR, you have the right to: access your personal data, rectify inaccurate data, erase your data ('right to be forgotten'), restrict processing, data portability (export your data), object to processing, and withdraw consent at any time. To exercise these rights, contact us at info@wcagalert.com. We will respond within 30 days.
10. Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. For Sweden: Integritetsskyddsmyndigheten (IMY), imy.se. For other EU countries, contact your local data protection authority.
11. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email at least 14 days before taking effect. The 'last updated' date at the top indicates the most recent revision.
12. Contact
For privacy-related questions: info@wcagalert.com