A11YO
Legal

Privacy Policy

Last updated: 31 March 2026

1. Who we are

A11YO is operated by Ferg Flannery (“we”, “us”, “our”). We provide website accessibility scanning and reporting services at a11yo.com.

For any privacy-related queries, contact us at hello@a11yo.com.

2. What data we collect

Account data

When you create an account: your email address and a hashed password. We do not store your password in plain text.

Scan data

URLs you submit for scanning, scan results (accessibility issues found, compliance score), and scan timestamps. This data is associated with your account and used to provide scan history and trend charts.

Payment data

If you purchase a paid plan, payment is processed by Stripe. We store your Stripe customer ID and subscription status only — we never see or store your card details.

Usage data

We log a hashed (SHA-256) version of your IP address for rate limiting purposes. This hash cannot be reversed to your original IP address. We do not use it for tracking or profiling.

Chrome extension

If you use the A11YO Chrome extension, your JWT token is stored locally in chrome.storage.local on your device. We do not have access to your browser storage.

3. How we use your data

  • To provide the scanning and reporting service
  • To maintain your scan history and compliance trends
  • To process payments and manage your subscription via Stripe
  • To send transactional emails (welcome, subscription confirmation, password reset) via Resend
  • To enforce fair-use rate limits
  • To improve the product based on aggregated, anonymised usage patterns

We do not sell your data. We do not use your data for advertising.

4. Third-party services

SupabaseAuthentication and database (hosted in EU)Policy →
StripePayment processingPolicy →
VercelHosting and serverless functionsPolicy →
ResendTransactional email deliveryPolicy →
Anthropic ClaudeAI-generated alt text suggestions (tool only, not stored)Policy →

5. Data retention

We retain your account data and scan history for as long as your account is active. If you delete your account, all associated data (profile, scan history, reports) is permanently deleted. Stripe retains transaction records as required by financial regulations — contact Stripe directly to exercise rights over payment records.

6. Your rights (GDPR)

If you are based in the EU or EEA, you have the following rights under GDPR:

  • Right of access — request a copy of the data we hold about you
  • Right to rectification — ask us to correct inaccurate data
  • Right to erasure — request deletion of your account and all associated data
  • Right to data portability — receive your data in a machine-readable format
  • Right to object — object to processing of your data

To exercise any of these rights, email us at hello@a11yo.com. You can also delete your account directly from your account settings. We will respond within 30 days.

7. Cookies

We use a single session cookie set by Supabase to keep you logged in. We do not use advertising cookies, analytics cookies, or third-party tracking cookies.

8. Changes to this policy

We may update this policy from time to time. We will notify you by email if we make material changes. The date at the top of this page reflects the most recent update.

9. Contact

Questions about this policy? Email us at hello@a11yo.com.