Privacy Policy

Last updated: April 17, 2026

This Privacy Policy describes how AllyProof ("we", "us", "our"), operated as a sole proprietorship registered in Ukraine, collects, uses, and protects your personal data when you use the AllyProof platform ("Service").

We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA).

1. Data Controller

AllyProof is the data controller for the personal data we collect through the Service. For billing-related data, Paddle.com Market Limited acts as an independent data controller. See Paddle's Privacy Policy for details on how they handle payment data.

Contact: legal@allyproof.com

2. Data We Collect

2.1 Account Data

When you create an account, we collect:

  • Email address — for authentication, communication, and account recovery
  • Full name — for display in the application and team features
  • Profile picture URL — if you sign in via Google or GitHub OAuth
  • Organization name — for multi-tenant workspace management

2.2 Service Usage Data

When you use the Service, we collect:

  • Site URLs — websites you add for accessibility scanning
  • Scan results — accessibility violations found, including page URLs, violation details, and HTML code snippets
  • Reports and VPATs — documents generated from scan results
  • API key metadata — key names, scopes, and usage timestamps (keys are stored as SHA-256 hashes)
  • Activity logs — actions taken within the platform for audit purposes

2.3 Technical Data

We automatically collect:

  • IP address — for security, rate limiting, and abuse prevention
  • Browser and device information — user agent string for compatibility
  • Cookies — essential cookies for authentication and session management (see Section 7)

2.4 Data We Do Not Collect

  • We do not collect personal data from the websites you scan. Our scanner accesses publicly available pages only.
  • We do not collect payment card numbers, bank details, or financial information. All payment processing is handled by Paddle.
  • We do not use tracking cookies, advertising pixels, or analytics that track you across other websites.

3. How We Use Your Data

Data processing purposes and GDPR legal basis

  Purpose                                                                   Legal Basis (GDPR)
  Provide and operate the Service                                           Performance of contract
  Send transactional emails (scan results, alerts, account notifications)   Performance of contract
  Send weekly digest emails (if opted in)                                   Consent
  Generate AI-powered fix suggestions                                       Performance of contract
  Prevent abuse and enforce terms of service                                Legitimate interest
  Respond to support requests                                               Performance of contract
  Improve the Service                                                       Legitimate interest

4. Sub-Processors

We use the following third-party services to operate the platform:

Third-party sub-processors, purpose, and data location

  Provider             Purpose                                            Location
  Supabase             Database, authentication, file storage             EU (AWS eu-central-1)
  Paddle               Payment processing, invoicing, tax handling        UK / US
  Anthropic (Claude)   AI-powered accessibility fix suggestions           US
  Resend               Transactional email delivery                       US
  Hetzner Cloud        Application hosting                                EU (Germany)
  Cloudflare           CDN, DDoS protection, DNS                          Global
  Cloudflare R2        Report and document storage                        EU
  Google               OAuth authentication (if chosen by user)           US
  GitHub               OAuth authentication (if chosen by user)           US

For US-based sub-processors, data transfers are conducted under appropriate safeguards including Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework where applicable.

5. Data Retention

  • Account data — retained while your account is active and for 30 days after deletion
  • Scan results and reports — retained while your account is active; deleted within 30 days of account deletion
  • Activity logs — retained for 90 days
  • API key hashes — retained while the key is active; deleted when revoked
  • Email delivery logs — retained by Resend per their retention policy
  • Billing data — retained by Paddle per their retention policy and tax law requirements

6. Your Rights

Under GDPR (EU/EEA residents)

You have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict processing of your data
  • Data portability — receive your data in a structured, machine-readable format
  • Object to processing based on legitimate interest
  • Withdraw consent at any time (for consent-based processing)
  • Lodge a complaint with your local data protection authority

Under CCPA/CPRA (California residents)

You have the right to:

  • Know what personal information we collect and how it is used
  • Delete your personal information
  • Opt out of the sale or sharing of personal information (we do not sell your data)
  • Non-discrimination for exercising your privacy rights

To exercise any of these rights, email us at legal@allyproof.com. We will respond within 30 days. You may also delete your account directly from the Settings page, which triggers an email-verified deletion process.

7. Cookies

We use only essential cookies required for the Service to function:

Essential cookies used by the Service

  Cookie                       Purpose                                                  Duration
  Supabase auth cookies        Authentication and session management                    Session / 7 days
  Active organization cookie   Remember which organization workspace is selected        1 year
  Theme preference             Remember light/dark mode preference                      1 year

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. Because we only use strictly necessary cookies, consent banners are not required under the ePrivacy Directive.

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • All data in transit is encrypted via TLS (HTTPS)
  • Database access is restricted by Row Level Security (RLS) policies
  • API keys are stored as SHA-256 hashes, never in plaintext
  • Authentication uses Supabase Auth with PKCE flow and secure session cookies
  • Content Security Policy (CSP) headers protect against XSS attacks
  • Infrastructure is hosted in EU data centers (Hetzner, Germany)
  • Account deletion requires email verification

9. AI Data Processing

When generating fix suggestions, we send accessibility violation data (violation type, HTML code snippet, and WCAG criterion) to Anthropic's Claude API. We do not send your personal data, account information, or full page content to the AI provider.

Per Anthropic's data policy, API inputs are not used to train their models.

10. Children's Privacy

The Service is designed for business use and is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly.

11. International Data Transfers

Your data may be processed in the EU and the US depending on which Service features you use. Our primary database is hosted in the EU (Germany). When data is transferred to US-based sub-processors, we ensure appropriate safeguards are in place as described in Section 4.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 30 days before they take effect. The "last updated" date at the top indicates the most recent revision.

13. Contact

For privacy-related questions or to exercise your data rights, contact us at: legal@allyproof.com