Privacy Policy

Effective date: 19 March 2026

We believe privacy is a right, not an afterthought. This policy is written in plain English — no legalese, no surprises.

Overview

AccessBridge ("we", "our", or "us") operates the website at accessbridge.app and the associated scanning platform (collectively, the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights you have over it.

The short version: we collect only what is necessary to run the Service, we never sell your personal information, we never share it with advertisers, and we give you meaningful control over your own data.

This policy covers all users of the Service regardless of location. Where law grants you additional rights — including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) — those additional rights are described explicitly below.

Data Controller

For the purposes of GDPR and equivalent privacy laws, AccessBridge is the data controller for all personal data processed through the Service. If you have any questions about this policy or wish to exercise your rights, contact us at:

AccessBridge Privacy Team
Email: privacy@accessbridge.app
Website: accessbridge.app

What Data We Collect

Account and identity data

When you create an account we collect your name, email address, and a hashed password. Authentication is managed by Clerk (see Third-Party Services below). We do not store your password in plain text — ever.

Scan and accessibility data

When you run a scan, we collect and store:

  • The URLs you submit for scanning
  • The HTML content fetched from those URLs (used in-memory only; not stored)
  • Violation records: rule ID, WCAG criteria, impact level, CSS selector, HTML snippet, and help URL
  • AI-generated explanations and fix suggestions associated with violations
  • Fix status you set on violations (open, fixed, ignored)
  • Generated reports (PDF and CSV files stored in Vercel Blob)

Important: AccessBridge scans only the public HTML output of URLs you provide. We do not access, store, or process the underlying source code, databases, or any backend infrastructure of the websites you scan. Authenticated scanning credentials you provide are used solely to fetch pages and are stored encrypted.

Payment data

Subscription billing is handled entirely by Stripe. AccessBridge never receives or stores your full credit card number, CVV, or bank account details. We store only the Stripe customer ID and subscription status returned by Stripe's API.

Team and organisation data

If you invite team members, we store their email addresses and the role you assign them. Invited users receive an email from us and can choose whether to accept.

Usage and log data

Our servers automatically record standard log data including IP address, browser type, pages visited, timestamps, and HTTP status codes. This data is used for security monitoring, rate limiting, and debugging. It is not used for advertising or sold to third parties.

Communications

If you contact us by email, we retain that correspondence to provide support. If you opt in to product update emails, we store your email address for that purpose and include an unsubscribe link in every message.

How We Use Your Data

We use the data we collect for the following purposes:

Purpose | Legal basis (GDPR)
Create and manage your account | Contract
Process subscription payments | Contract
Run accessibility scans and return results | Contract
Generate AI-powered fix suggestions | Contract
Send scan completion, alert, and report notifications | Contract
Deliver invited team member emails | Contract
Prevent fraud, abuse, and unauthorised access | Legitimate interest
Monitor service performance and fix bugs | Legitimate interest
Comply with legal obligations (tax records, GDPR requests) | Legal obligation
Send product update emails (if opted in) | Consent (withdrawable at any time)

Data Sharing and Third-Party Services

We do not sell, rent, or trade your personal information. We do not share your data with advertisers or data brokers. We share data only with the service providers listed below, each of which is under contract to protect it and use it only on our behalf.

  • Clerk (authentication and user session management): Stores your name, email, and hashed password. Manages sign-in sessions.
  • Stripe (payment processing and subscription billing): Handles all payment card data. We never see your full card number.
  • Neon (cloud PostgreSQL database hosting): Stores all application data (sites, scans, violations, reports). Data is encrypted at rest.
  • Vercel (web hosting, serverless functions, and file storage): Serves the application and stores generated PDF/CSV reports via Vercel Blob.
  • Anthropic (AI-generated fix suggestions and scan summaries): Violation data is sent to Claude to generate plain-English explanations and code patches. Anthropic does not use your data to train its models under our commercial API agreement.
  • Upstash (rate limiting, Redis): Stores short-lived counters (IP address and organisation ID) to enforce API rate limits. No personal content is stored.
  • Resend (transactional email delivery): Sends scan alerts, team invitations, and other transactional emails on our behalf.
  • QStash (Upstash) (background job queue): Queues asynchronous scan jobs. Payloads contain scan IDs and organisation IDs only.

We may also disclose personal data if required to do so by law, court order, or government authority, or where we believe disclosure is necessary to protect the rights, property, or safety of AccessBridge, our users, or the public.

Data Retention

We retain personal data for as long as necessary to fulfil the purposes in this policy:

  • Account data — retained while your account is active. Deleted within 30 days of account closure on request.
  • Scan and violation data — retained for the lifetime of your account so you can access historical results. Deleted when your account is deleted.
  • Generated reports — stored in Vercel Blob. Deleted when you delete the report or close your account.
  • Payment records — retained for 7 years to comply with tax and accounting legal requirements, even after account closure.
  • Server logs — retained for 90 days for security monitoring, then automatically deleted.
  • Support emails — retained for 3 years to provide consistent support, then deleted unless a legal hold applies.

You may request early deletion of your data at any time (see Your Rights below). Deletion requests are processed within 30 days, subject to legal retention requirements.

Your Rights

Regardless of where you are located, you may contact us at any time to exercise any of the rights below. We will respond within 30 days and will never charge a fee unless a request is manifestly unfounded or excessive.

Rights available to all users

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Ask us to correct inaccurate or incomplete data.
  • Deletion: Ask us to delete your personal data. We will do so within 30 days, except where retention is required by law.
  • Portability: Receive a copy of your data in a structured, machine-readable format (JSON or CSV).
  • Withdraw consent: Withdraw consent for marketing emails at any time by clicking the unsubscribe link or emailing us.

Additional rights for EU / UK residents (GDPR / UK GDPR)

  • Restriction: Ask us to restrict processing of your data while a dispute is resolved.
  • Objection: Object to processing based on legitimate interests. We will stop unless we can demonstrate compelling grounds.
  • Lodge a complaint: You have the right to lodge a complaint with your national supervisory authority (e.g. the ICO in the UK or your EU member state's DPA).

Additional rights for California residents (CCPA / CPRA)

California residents have the right to:

  • Know what categories of personal information we collect and how we use it
  • Delete personal information we have collected (subject to certain exceptions)
  • Correct inaccurate personal information
  • Opt out of sale or sharing — we do not sell or share personal information for cross-context behavioural advertising, so there is nothing to opt out of
  • Limit use of sensitive personal information — we do not use sensitive personal information beyond what is necessary to provide the Service
  • Non-discrimination — we will not discriminate against you for exercising your privacy rights

To exercise any CCPA right, email privacy@accessbridge.app with "CCPA Request" in the subject line. We will verify your identity before processing the request.

Cookies and Tracking

AccessBridge uses a minimal set of cookies:

Cookie | Type | Purpose
__clerk_* | Essential (session) | Manages your authenticated session. Set by Clerk. Required to use the app.
__stripe_* | Essential (payment) | Fraud prevention on payment pages. Set by Stripe. Required for checkout.
theme | Functional (preference) | Remembers your light/dark mode preference. First-party, no expiry.

We do not use advertising cookies, third-party tracking pixels, or analytics services (such as Google Analytics). The cookies listed above are strictly necessary for the Service to function or to remember your preferences.

Security

We apply industry-standard technical and organisational measures to protect your personal data, including:

  • All data in transit encrypted via TLS 1.2+ (HTTPS enforced)
  • All data at rest encrypted by our database and storage providers
  • Passwords hashed by Clerk; we never receive or store plain-text passwords
  • API keys stored as salted SHA-256 hashes; the full key is shown only once on creation
  • Rate limiting on all API endpoints to prevent abuse
  • SSRF guards preventing the scanner from accessing internal infrastructure
  • Access to production systems restricted to authorised personnel only
  • Immutable audit logs of all sensitive actions within the platform

No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it responsibly to privacy@accessbridge.app. We are committed to addressing valid reports promptly.

International Data Transfers

AccessBridge is hosted on infrastructure primarily located in the United States and European Union. If you are based in the EU or UK, your personal data may be transferred to and processed in the United States.

When we transfer data outside the EEA or UK, we rely on appropriate safeguards:

  • Clerk — EU Standard Contractual Clauses (SCCs) and EU–US Data Privacy Framework certified
  • Stripe — EU–US Data Privacy Framework certified and SCCs
  • Vercel — SCCs and EU deployment options
  • Anthropic — SCCs under our commercial API agreement

You may request a copy of the relevant safeguards by contacting us at privacy@accessbridge.app.

Children's Privacy

The Service is intended for users who are at least 16 years old (or 18 in jurisdictions where 16 is insufficient). We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact us at privacy@accessbridge.app and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes — such as adding new categories of data collection or new third-party sharing — we will:

  • Update the "Effective Date" at the top of this page
  • Send an email notification to registered account holders at least 30 days before the change takes effect
  • Display a notice inside the application on your next login

Continued use of the Service after the effective date constitutes acceptance of the revised policy. If you do not agree with a material change, you may delete your account before it takes effect.

Contact Us

For any privacy-related questions, data subject requests, or concerns about how we handle your personal data, please contact:

AccessBridge Privacy Team
Email: privacy@accessbridge.app

We aim to respond to all privacy requests within 5 business days, and to complete data subject requests within 30 days (extendable to 60 days for complex requests under GDPR, with notification).

If you are not satisfied with our response, EU and UK residents have the right to lodge a complaint with their national data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO).

This Privacy Policy was last updated on 19 March 2026. Previous versions are available on request by emailing privacy@accessbridge.app.