Privacy Policy

Effective date: March 25, 2026

WCAG Repair ("we," "us," or "our") operates the website wcagrepair.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service.

1. Information We Collect

Information You Provide

  • URLs submitted for scanning — the web address you enter for an accessibility audit.
  • Email address — if you optionally provide one for guide delivery or monitoring alerts.
  • Payment information — when you purchase a remediation guide or subscribe to monitoring. Payment details (credit card numbers, billing address) are collected and processed directly by Stripe and are never stored on our servers.

Information Collected Automatically

  • IP address — collected with each scan request for rate limiting and abuse prevention.
  • Session cookies — Flask session cookies used to maintain your browsing session (see Section 5).
  • Scan results — the accessibility issues and page data identified during your scan are stored alongside the URL you submitted.

2. How We Use Your Information

We use the information we collect to:

  • Perform WCAG 2.1 accessibility audits on the URLs you submit.
  • Generate and deliver AI-powered remediation guide PDFs.
  • Process payments through Stripe for guide purchases and subscriptions.
  • Send monitoring alerts and fix reports to subscribers via email.
  • Enforce rate limits and prevent abuse of the Service.
  • Improve and maintain the Service.

3. Data Storage and Security

Scan data (URLs, IP addresses, email addresses, and scan results) is stored in a PostgreSQL database. We implement reasonable administrative, technical, and physical safeguards to protect your information. However, no method of transmission over the Internet or electronic storage is completely secure, and we cannot guarantee absolute security.

Payment information is handled entirely by Stripe. We do not store credit card numbers or full payment details on our servers. Please refer to Stripe's Privacy Policy for information on how they handle your payment data.

4. We Do Not Sell Your Data

We will never sell, rent, lease, trade, or otherwise commercially transfer your personal information to any third party. This is a core principle of our business, not a conditional policy that may change.

Specifically:

  • We do not sell your data to data brokers, advertisers, marketing companies, or any other entity.
  • We do not share your email address, scan results, or usage data with third parties for their marketing, profiling, or advertising purposes.
  • We do not monetize your data in any way other than providing the Service you paid for.
  • We do not participate in data cooperatives, data exchanges, or any form of data sharing arrangement for commercial gain.

The only third parties that receive your data are our essential service providers (Stripe for payments, MXRoute for email delivery), and only the minimum data necessary for them to perform their function on our behalf.

5. Cookies and Tracking

We use a single, strictly necessary session cookie set by Flask to maintain your browsing session. This cookie:

  • Is essential for the Service to function (CSRF protection, session management).
  • Does not track you across other websites.
  • Does not contain personally identifiable information.
  • Expires when you close your browser or after 1 hour of inactivity.

We may in the future implement privacy-focused analytics (such as Umami) to understand aggregate usage patterns. If we do, we will update this policy and provide you with the ability to opt out via a cookie consent banner. We will never use advertising cookies, tracking pixels, fingerprinting, or any invasive tracking technology.

We do not use Google Analytics, Facebook Pixel, or any third-party tracking scripts.

6. Third-Party Services

We share the minimum necessary information with the following third-party service providers, solely as required to operate the Service:

  • Stripe — payment processing. Stripe receives your payment details and email address to process transactions. We do not store your credit card number, CVC, or full billing details. See Stripe's Privacy Policy.
  • MXRoute (SMTP) — email delivery for sending remediation guides and monitoring alerts to the email address you provide. MXRoute processes your email address solely for the purpose of message delivery.

Each third-party provider is bound by its own privacy policy and applicable data protection regulations. We select providers that maintain appropriate security standards and do not use your data for purposes beyond the services they provide to us.

7. Data Retention and Deletion

We retain your data only as long as necessary:

  • Scan results: Retained indefinitely to allow access to your reports. You may request deletion at any time.
  • Email addresses: Retained as long as you have an active purchase or subscription. Deleted upon request.
  • IP addresses: Used for rate limiting in real time. Not stored in long-term logs beyond what is necessary for abuse prevention.
  • Payment records: Retained as required by tax and financial reporting obligations (typically 7 years).

Right to deletion: You may request deletion of all your personal data at any time by emailing support@wcagrepair.com. We will process your request within 30 days and confirm deletion by email. Note that deletion of scan data is permanent and cannot be undone.

8. Your Rights (GDPR, CCPA, and Other Regulations)

Regardless of where you are located, we extend the following rights to all users:

  • Right of access: You may request a copy of all personal data we hold about you.
  • Right to rectification: You may request correction of any inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten"): You may request that we delete all your personal data.
  • Right to restrict processing: You may request that we limit how we use your data.
  • Right to data portability: You may request your data in a structured, machine-readable format.
  • Right to object: You may object to our processing of your data for specific purposes.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time.

For EU/EEA residents (GDPR): Our legal bases for processing your data are: (a) performance of a contract (providing the Service you requested), (b) legitimate interests (abuse prevention, service improvement), and (c) consent (where applicable, such as optional email communications). You have the right to lodge a complaint with your local data protection authority.

For California residents (CCPA/CPRA): You have the right to know what personal information we collect, request deletion, and opt out of the sale of your personal information. As stated in Section 4, we do not sell your personal information and have never sold personal information.

To exercise any of these rights, contact us at support@wcagrepair.com. We will respond within 30 days.

9. International Data Transfers

Our servers are located in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We take reasonable steps to ensure that your data is treated securely and in accordance with this Privacy Policy regardless of where it is processed.

10. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at support@wcagrepair.com.

11. Security

We implement industry-standard security measures to protect your data, including:

  • All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS).
  • Database access is restricted and authenticated.
  • Payment data is handled entirely by Stripe (PCI DSS Level 1 certified) and never touches our servers.
  • Access to production systems is restricted to authorized personnel only.
  • We conduct regular security reviews of our infrastructure and application code.

While we take reasonable precautions, no system is 100% secure. If you discover a security vulnerability, please report it responsibly to support@wcagrepair.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised effective date. For significant changes that affect how we handle your data, we will make reasonable efforts to notify you via email (if we have your email address) or through a prominent notice on the Service. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy, our data practices, or wish to exercise any of your data rights, please contact us at:

Email: support@wcagrepair.com
Website: wcagrepair.com

We aim to respond to all privacy-related inquiries within 30 days.