Privacy Policy

Last updated: March 2026

a11yVault is a WCAG 2.2 accessibility auditing tool. We are committed to protecting your privacy and handling your data responsibly. This policy explains what data we collect, how we use it, and your rights regarding that data.

a11yVault is designed with privacy by default. We minimize data collection to only what is necessary for accessibility scanning and reporting.

What Data We Store

Account Information

  • Your name and email address (provided by your Google or Microsoft account during sign-in)
  • Your organization name (provided during onboarding)
  • Profile image URL from your OAuth provider
  • Stripe customer ID and subscription status (for billing)

Scan Data

  • URLs of pages you scan
  • Accessibility violation details including rule IDs, WCAG criteria, and impact levels
  • HTML code snippets around detected issues (with PII automatically redacted)
  • Page scores and compliance assessments
  • Generated fix suggestions
  • Manual review notes you provide

What We Do NOT Store

  • Passwords (we use OAuth sign-in via Google and Microsoft, so no passwords are stored)
  • Full page HTML content (only small snippets around violations)
  • Login credentials for sites you scan (used in-memory only, never persisted)
  • Cookies or session tokens from scanned sites
  • Personal information found on scanned pages (automatically scrubbed)

Cookies & Sessions

a11yVault uses a single essential session cookie to keep you signed in. This cookie is strictly necessary for authentication, expires after 7 days of inactivity, is HTTP-only and secure (cannot be accessed by JavaScript), and contains only a session identifier, not personal data.

We do not use any analytics cookies, tracking pixels, or third-party advertising cookies. We do not use Google Analytics, Meta Pixel, or any similar services.

Data Retention

Scan data (audits, pages, violations, and reports) is automatically deleted based on your plan tier. Auto-deletion runs daily during off-peak hours.

  • Free Scans: 30 days
  • Starter: 1 year
  • Team / Agency: 2 years
  • Enterprise: Unlimited

You may also manually delete any audit and all its associated data at any time from the History page. Manual deletion is immediate and permanent.

Account information (name, email, organization) is retained for as long as your account exists.

PII Scrubbing

Before storing any HTML snippets from scanned pages, a11yVault automatically scrubs personally identifiable information (PII) including email addresses, phone numbers, Social Security Numbers (SSN patterns), form input values, dates of birth and medical record numbers (health context patterns), and US ZIP codes in form/label contexts.

This scrubbing occurs before data reaches the database, ensuring that sensitive information from scanned pages is never persisted.

Third-Party Services

Authentication: Google & Microsoft

We use Google OAuth and Microsoft Entra ID for sign-in. When you authenticate, your identity provider shares your name, email address, and profile image with a11yVault. We do not receive or store your password.

Enhanced Analysis

a11yVault uses a leading American frontier model to generate fix suggestions for accessibility violations. We send only the violation rule ID and description, the PII-scrubbed HTML snippet, and the CSS selector of the affected element. We do not send any user account information, full page content, or personally identifiable information to this service.

Billing: Stripe

We use Stripe to process payments and manage subscriptions. Stripe receives your email address and payment information. We do not store credit card numbers. All payment data is handled directly by Stripe.

Email: Resend

We use Resend to deliver scan report emails. When you request an email report, we share your email address and the report content with Resend for delivery.

No Other Third-Party Sharing

Beyond the services listed above, a11yVault does not share, sell, or transfer your data to any third parties. We do not use any third-party analytics or advertising services.

Your Rights

  • Access: View all data associated with your account via the Dashboard, History, and Settings pages
  • Deletion: Delete any audit and all associated data at any time from the History page
  • Account Deletion: Contact us to have your entire account and associated data permanently deleted
  • Data Minimization: We only collect and store what is strictly necessary for accessibility auditing
  • Transparency: This policy, our methodology page, and in-app disclosures explain exactly how your data is handled