Privacy Policy

Introduction

WCAGIO ("we," "our," or "us") is committed to protecting your privacy and ensuring transparency in how we collect, use, and safeguard your personal information. This Privacy Policy explains our data practices in clear, accessible language.

We are fully compliant with the General Data Protection Regulation (GDPR) and other applicable privacy laws. This policy applies to all users of our WCAG compliance reporting platform.

Your privacy is our priority. We collect only the data necessary to provide and improve our services, and we never sell your personal information to third parties.

Data We Collect

We collect different types of information to provide you with our accessibility compliance services. Here's what we collect and why:

Personal Data You Provide

When you interact with our platform, you may provide us with the following information:

Email addresses - collected with your explicit consent when you sign up for early access notifications or create an account
Communication data - messages you send us through contact forms or support channels

Legal Basis: We process this data based on your consent (for email signups) and contractual necessity (for account creation and service delivery).

Automatically Collected Data

When you use our platform, we automatically collect certain technical information:

IP addresses - used for security purposes, fraud prevention, and threat detection
Browser type and version - helps us optimize our platform for different browsers
Device information - device type, operating system, and screen resolution for responsive design
Usage data - pages visited, features used, and interaction patterns via privacy-friendly analytics
Error logs - technical information about errors to help us debug and improve the platform

Legal Basis: We process this data based on our legitimate interest in providing a secure, functional, and optimized service.

How We Use Your Data

We use your personal data only for specific, legitimate purposes:

Service Delivery - to provide you with accessibility compliance reports and platform features
Communication - to send you early access notifications, service updates, and respond to your inquiries
Security & Fraud Prevention - to protect our platform and users from malicious activity, bots, and abuse
Analytics & Improvement - to understand how users interact with our platform and identify areas for enhancement
Legal Compliance - to meet our legal obligations and respond to lawful requests from authorities
Error Monitoring - to detect, diagnose, and fix technical issues that affect user experience

We do not use your data for automated decision-making or profiling that produces legal effects or similarly significant impacts on you.

Data Storage and Security

Where We Store Your Data

Your data is stored securely using enterprise-grade cloud infrastructure with data centers located in the United States and European Union. We use industry-leading database hosting services that comply with GDPR and other international data protection standards.

Encryption in transit - all data transmission uses TLS 1.3 or higher
Access controls - strict authentication and authorization mechanisms limit data access
Regular backups - automated backups ensure data recovery capabilities

Security Measures

We implement comprehensive security measures to protect your personal data:

Advanced threat detection - automated security monitoring identifies and blocks malicious activity
Bot protection - machine learning-based systems prevent automated abuse
Rate limiting - protects against brute force attacks and service abuse
Input validation - all user inputs are validated and sanitized to prevent injection attacks
Security audits - regular security assessments and penetration testing
Incident response - documented procedures for handling security incidents

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you and relevant supervisory authorities within 72 hours as required by GDPR.

Your Rights Under GDPR

As a user, you have comprehensive rights regarding your personal data under GDPR:

Your Data Rights

Right to Access - request a copy of all personal data we hold about you
Right to Rectification - request correction of inaccurate or incomplete data
Right to Erasure ("Right to be Forgotten") - request deletion of your personal data
Right to Restrict Processing - request that we limit how we use your data
Right to Data Portability - receive your data in a machine-readable format to transfer to another service
Right to Object - object to processing based on legitimate interests or for direct marketing
Rights Related to Automated Decision-Making - we do not use automated decision-making that produces legal effects

How to Exercise Your Rights

To exercise any of these rights, please contact us using the information in the Contact section below. We will:

Respond to your request within 30 days (or explain why we need more time)
Verify your identity to protect your data from unauthorized access
Provide the requested information or action free of charge (unless requests are excessive or unfounded)
Explain our reasoning if we cannot fulfill your request

You also have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not handled your data appropriately.

Third-Party Services

We use carefully selected third-party services to operate our platform. All service providers are GDPR compliant or have appropriate data protection safeguards in place.

Categories of Third-Party Services

Analytics & Performance Monitoring - Vercel Analytics and Vercel Speed Insights provide privacy-friendly, cookie-free analytics to help us understand platform usage and performance
Security Services - Advanced security platforms protect against bots, abuse, and malicious activity
Error Monitoring - Error tracking services help us identify and fix technical issues quickly
Database Hosting - Secure, enterprise-grade database infrastructure stores your data with encryption and access controls
Infrastructure Services - Cloud hosting and content delivery services ensure fast, reliable platform access

Cookies and Tracking Technologies

No Cookie Consent Banner Required: We use privacy-friendly analytics that do not require cookie consent under GDPR.

Our Privacy-Friendly Analytics Approach

We have deliberately chosen analytics tools that respect your privacy:

Vercel Analytics - does not use cookies, does not track users across sites, and is GDPR compliant by design
Vercel Speed Insights - monitors performance without cookies or personal data collection
No third-party advertising cookies - we do not use any advertising or marketing cookies
No cross-site tracking - we do not track your activity on other websites

Browser Storage We Use

We use minimal browser storage for essential functionality:

Theme Preference - localStorage stores your light/dark mode preference for a better user experience
Session Management - sessionStorage may be used for temporary session data (when logged in)

You can clear this data at any time through your browser settings. Clearing this data will reset your theme preference but will not affect your account or data.

Your Control Over Tracking

You have full control over tracking and data collection:

Browser Settings - configure your browser to block cookies or clear storage
Do Not Track - we respect the Do Not Track (DNT) browser signal
Ad Blockers - our platform functions normally with ad blockers enabled
Privacy Extensions - browser privacy extensions will not interfere with core functionality

Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:

Retention Periods by Data Type

Email Signups - retained until you unsubscribe or request deletion
Account Data - retained while your account is active
Analytics Data - aggregated and anonymized data retained indefinitely for statistical purposes
Security Logs - IP addresses and security-related data retained for 90 days for incident investigation
Error Logs - technical error information retained for 30 days for debugging purposes
Communication Records - support inquiries and correspondence retained for 3 years for quality assurance

Data Deletion Process

When data reaches the end of its retention period or you request deletion:

Automated deletion processes remove data from active systems
Backup data is securely overwritten during the next backup cycle
Anonymized data may be retained for statistical purposes (cannot be linked back to you)
Legal obligations may require us to retain certain data longer (e.g., financial records)

You can request immediate deletion of your data at any time by contacting us.

International Data Transfers

Our platform operates globally, which may involve transferring your data across international borders:

Data Transfer Locations

Your data may be transferred to and processed in:

European Union - primary data storage location for EU users
United States - cloud infrastructure and service providers
Other countries where our service providers operate

Safeguards for International Transfers

When we transfer data outside the EU/EEA, we ensure appropriate safeguards are in place:

Standard Contractual Clauses (SCCs) - EU-approved contracts that ensure GDPR-level protection
Adequacy Decisions - transfers to countries deemed adequate by the European Commission
Service Provider Certifications - providers with recognized data protection certifications
Additional Security Measures - encryption, access controls, and monitoring for international transfers

By using our service, you consent to these international data transfers under the safeguards described above.

Children's Privacy

Our service is not directed at children under the age of 16, and we do not knowingly collect personal data from children.

Age Requirement - users must be at least 16 years old to use our platform
No Knowing Collection - we do not intentionally collect data from children under 16
Parental Rights - parents or guardians can contact us if they believe we have collected data from their child
Immediate Deletion - if we discover we have collected data from a child under 16, we will delete it immediately

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

How We Notify You of Changes

Last Updated Date - we display the last updated date prominently at the top of this policy
Platform Notification - we may display a notice on our platform when significant changes are made
Version History - we maintain a record of policy versions and major changes

Your Choices After Updates

When we update this policy:

Continued Use - your continued use of our platform after the effective date constitutes acceptance of the updated policy
Right to Object - you can object to material changes by contacting us or discontinuing use of the service
Account Closure - if you disagree with changes, you can close your account and request data deletion

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

Contact Information

Our Response Commitment

Initial Response - we will acknowledge your inquiry within 3 business days
Full Response - we will provide a complete response within 30 days
Complex Requests - if we need more time, we will explain why and provide an estimated timeline
Identity Verification - for data access or deletion requests, we may need to verify your identity to protect your privacy

Supervisory Authority

If you are located in the European Union and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection supervisory authority.

You can find your local supervisory authority contact information at: https://edpb.europa.eu/about-edpb/board/members_en