Privacy Policy
Last updated: May 21, 2026
This Privacy Policy describes how AllyProof ("we", "us", "our"), operated as a sole proprietorship registered in Ukraine, collects, uses, and protects your personal data when you use the AllyProof platform, including the AllyProof browser extension for Chrome, Microsoft Edge, and Firefox (collectively, the "Service").
We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA).
1. Data Controller
AllyProof is the data controller for the personal data we collect through the Service. For billing-related data, Paddle.com Market Limited acts as an independent data controller. See Paddle's Privacy Policy for details on how they handle payment data.
Contact: legal@allyproof.com
2. Data We Collect
2.1 Account Data
When you create an account, we collect:
- Email address — for authentication, communication, and account recovery
- Full name — for display in the application and team features
- Profile picture URL — if you sign in via Google or GitHub OAuth
- Organization name — for multi-tenant workspace management
2.2 Service Usage Data
When you use the Service, we collect:
- Site URLs — websites you add for accessibility scanning
- Scan results — accessibility violations found, including page URLs, violation details, and HTML code snippets
- Reports and VPATs — documents generated from scan results
- API key metadata — key names, scopes, and usage timestamps (keys are stored as SHA-256 hashes)
- Activity logs — actions taken within the platform for audit purposes
2.3 Technical Data
We automatically collect:
- IP address — for security, rate limiting, and abuse prevention
- Browser and device information — user agent string for compatibility
- Cookies — essential cookies for authentication and session management (see Section 7)
2.4 Data We Do Not Collect
- We do not collect personal data from the websites you scan. Our scanner accesses publicly available pages only.
- We do not collect payment card numbers, bank details, or financial information. All payment processing is handled by Paddle.
- We do not use tracking cookies, advertising pixels, or analytics that track you across other websites.
3. How We Use Your Data
Data processing purposes and GDPR legal basis:

| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide and operate the Service | Performance of contract |
| Send transactional emails (scan results, alerts, account notifications) | Performance of contract |
| Send weekly digest emails (if opted in) | Consent |
| Generate AI-powered fix suggestions | Performance of contract |
| Prevent abuse and enforce terms of service | Legitimate interest |
| Respond to support requests | Performance of contract |
| Improve the Service | Legitimate interest |
4. Sub-Processors
We use the following third-party services to operate the platform:
Third-party sub-processors, purpose, and data location:

| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (AWS eu-central-1) |
| Paddle | Payment processing, invoicing, tax handling | UK / US |
| Anthropic (Claude) | AI-powered accessibility fix suggestions | US |
| Resend | Transactional email delivery | US |
| Hetzner Cloud | Application hosting | EU (Germany) |
| Cloudflare | CDN, DDoS protection, DNS | Global |
| Cloudflare R2 | Report and document storage | EU |
| Google | OAuth authentication (if chosen by user) | US |
| GitHub | OAuth authentication (if chosen by user) | US |
For US-based sub-processors, data transfers are conducted under appropriate safeguards including Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework where applicable.
5. Data Retention
- Account data — retained while your account is active and for 30 days after deletion
- Scan results and reports — retained while your account is active; deleted within 30 days of account deletion
- Activity logs — retained for 90 days
- API key hashes — retained while the key is active; deleted when revoked
- Email delivery logs — retained by Resend per their retention policy
- Billing data — retained by Paddle per their retention policy and tax law requirements
6. Your Rights
Under GDPR (EU/EEA residents)
You have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict processing of your data
- Data portability — receive your data in a structured, machine-readable format
- Object to processing based on legitimate interest
- Withdraw consent at any time (for consent-based processing)
- Lodge a complaint with your local data protection authority
Under CCPA/CPRA (California residents)
You have the right to:
- Know what personal information we collect and how it is used
- Delete your personal information
- Opt out of the sale or sharing of personal information (we do not sell your data)
- Non-discrimination for exercising your privacy rights
To exercise any of these rights, email us at legal@allyproof.com. We will respond within 30 days. You may also delete your account directly from the Settings page, which triggers an email-verified deletion process.
7. Cookies
We use only essential cookies required for the Service to function:
Essential cookies used by the Service:

| Cookie | Purpose | Duration |
|---|---|---|
| Supabase auth cookies | Authentication and session management | Session / 7 days |
| Active organization cookie | Remember which organization workspace is selected | 1 year |
| Theme preference | Remember light/dark mode preference | 1 year |
We do not use advertising cookies or tracking pixels. Because we only use strictly necessary cookies, the ePrivacy Directive does not require a consent banner for the cookies listed above.
7.1 Optional analytics cookies and your choice
If we enable product analytics in the future, we will set those cookies only after you give consent through the cookie banner that appears at the bottom of the page on your first visit. The banner lets you:
- Accept all — allow strictly necessary and analytics cookies.
- Reject non-essential — only strictly necessary cookies are set.
- Customise — toggle each non-essential category on or off individually.
Your choice is stored in a first-party cookie named aap_cc for twelve months and is not shared with any third party. You can change your decision at any time by selecting Cookie preferences in the page footer. Withdrawing consent is as easy as giving it, and we never set non-essential cookies before you have made a choice.
8. Data Security
We implement appropriate technical and organizational measures to protect your data:
- All data in transit is encrypted via TLS (HTTPS)
- Database access is restricted by Row Level Security (RLS) policies
- API keys are stored as SHA-256 hashes, never in plaintext
- Authentication uses Supabase Auth with PKCE flow and secure session cookies
- Content Security Policy (CSP) headers protect against XSS attacks
- Infrastructure is hosted in EU data centers (Hetzner, Germany)
- Account deletion requires email verification
9. AI Data Processing
When generating fix suggestions, we send accessibility violation data (violation type, HTML code snippet, and WCAG criterion) to Anthropic's Claude API. We do not send your personal data, account information, or full page content to the AI provider.
Per Anthropic's data policy, API inputs are not used to train their models.
10. Children's Privacy
The Service is designed for business use and is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly.
11. International Data Transfers
Your data may be processed in the EU and the US depending on which Service features you use. Our primary database is hosted in the EU (Germany). When data is transferred to US-based sub-processors, we ensure appropriate safeguards are in place as described in Section 4.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 30 days before they take effect. The "last updated" date at the top indicates the most recent revision.
13. Browser Extension
The AllyProof browser extension is a distribution channel for the Service. By default it operates entirely on your device — no account is required, no data is sent to AllyProof, and no analytics or telemetry are collected.
13.1 Data Stored Locally in Your Browser
The extension uses the following Chrome storage areas:
- chrome.storage.session — current scan result and (if signed in) the short-lived access token. Cleared when the browser restarts.
- chrome.storage.local — extension settings (theme, dock-mode preference, API base), the most recent 50 scan results for the current device, and (if signed in) a refresh token used to renew access tokens.
- chrome.storage.sync is never used. We deliberately avoid syncing tokens or scan history across your other Chrome devices to reduce the blast radius of a single compromised device.
13.2 Data Sent to AllyProof — Only When You Sign In and Take Action
The extension never phones home automatically. The following data is sent only in response to an explicit action you take while signed in:
- Save to dashboard — when you click "Save to dashboard" on a scan result, we send the page URL, page title, scan duration, score, severity counts, and the violation list (including HTML snippets of failing elements) to your AllyProof account.
- Crawl this site — when you initiate a multi-page crawl from the extension, we send the site origin to start a server-side scan.
- AI fix suggestion — when you click "Generate AI fix", we send the violation type, WCAG criterion, and the HTML snippet of the single failing element. We do not send full page content, surrounding markup, or any personal data found on the page.
- Sign-in (magic link) — when you sign in via the extension, a one-time link mints session tokens that are returned to the extension. Account credentials are never entered into the extension itself.
13.3 Browser Permissions
- activeTab — inject the accessibility scanner into the active tab when you click the toolbar icon or the "Scan this page" button. Granted on user gesture and revoked when you navigate away.
- tabs — read the URL and title of open tabs so the side panel can display the scan for whichever tab you are currently viewing as you switch between tabs. This grants tab metadata only; it does not grant access to read or modify any page's content. The same permission is requested by axe DevTools, WAVE, and Lighthouse for the same reason.
- storage — the chrome.storage buckets described in 13.1.
- sidePanel — open the in-browser results panel docked to the side of the page.
- scripting — programmatically inject the same axe-core scan-runner content script into the active tab when you click "Scan this page", in cases where the auto-injected version is not present (tabs that were open before the extension was installed or reloaded). The script path is read from the extension's own manifest at runtime; this permission is never used to inject arbitrary code, only the bundled scanner.
- We do not request the <all_urls> host permission. The extension cannot read or modify the contents of any tab without an explicit user gesture (clicking the toolbar icon or the "Scan this page" button), cannot run in background tabs without your action, and cannot read your full browsing history.
13.4 What the Extension Does Not Do
- It does not load remote scripts (no eval'd code from the network).
- It does not include third-party analytics, tracking pixels, or ad SDKs.
- It does not collect telemetry by default; telemetry is an optional opt-in setting that is off out of the box.
- It does not transmit scan results to AllyProof unless you sign in and explicitly save them.
14. Contact
For privacy-related questions or to exercise your data rights, contact us at: legal@allyproof.com