Privacy

Last updated 2026–05–02.

What we store

When you upload a package, the following is stored on the server you’re currently signed in to:

• The original .zip file you uploaded.
• A row in the database recording the job: your email address (the one you used to sign in), the original filename, the time of upload, the WCAG standard you selected, and the resulting scorecard / violations.
• Server logs containing your IP address, user agent, and a record of each sign-in attempt (success or failure). These are kept for security and abuse investigation.

What we don’t store

We do not run third-party analytics or send your data to advertising networks. We do not analyze the contents of your packages for any purpose other than running the audit you requested.

How long it’s kept

Uploads and audit history are retained for the period configured by this instance’s operator (default: 30 days). Older entries are automatically deleted, including the underlying object in storage. If the bucket approaches its capacity, oldest terminal jobs are evicted earlier.

Who can see your data

Only you. The application enforces per-user isolation: your jobs aren’t visible in any other signed-in user’s list, and direct attempts to fetch another user’s job by id return 404. The instance operator has database access for backups and incident response.

How to delete your data

You can sign out at any time from the top right. To request deletion of your account and all associated jobs, email the operator of this instance. We’ll confirm by replying to the email you signed up with, then remove the rows and underlying objects within 30 days.

Security

In hosted mode, traffic is served over HTTPS. Sessions use signed, httpOnly, SameSite=Lax cookies. Magic-link tokens and session ids are hashed at rest. State-changing requests require a CSRF token. Allowlist-restricted sign-up keeps the user set bounded.

About · Terms