Last updated: April 4, 2026

Privacy Policy

This Privacy Policy explains what data Accesseon ("we," "our," "the Service") collects, why we collect it, how we use it, and what rights you have. We believe in plain language — no 50-page legalese.

1. Data Controller

Accesseon is the data controller for the personal data processed through the Service.

Contact: legal@accesseon.com

2. Data We Collect

Account Data (if you sign up)

  • Email address — used for login, transactional emails, and account recovery
  • Password — hashed by Supabase Auth (bcrypt); we never see or store your plaintext password
  • Google account info — if you sign up with Google OAuth, we receive your email and display name from Google

Scan Data

  • URLs you submit — stored in our database, associated with your account (or your IP hash for anonymous scans)
  • Scan results — scores, violations, pass results, AI-generated fix suggestions. Stored in our database.
  • Page HTML — processed in memory during the scan. Not stored after scan completion.
  • HTML snippets from violations — small code fragments (e.g., a single <img> tag) sent to Anthropic's Claude API to generate fix suggestions. These do not contain personal data.

Payment Data

We do not collect or store credit card numbers, bank account details, or payment credentials. All payment processing is handled by LemonSqueezy (our Merchant of Record). LemonSqueezy collects your payment information directly. We receive only: subscription status, plan type, and billing period dates.

Usage Data

  • IP address — used for rate limiting and anonymous scan attribution. Not shared with third parties.
  • Browser user-agent — included in standard server access logs.
  • Pages visited and features used — server-side only, no client-side tracking scripts.

3. How We Use Your Data

  • Provide the Service — scanning websites, generating reports, storing your scan history
  • Generate AI fix suggestions — HTML snippets from violations sent to Anthropic's Claude API
  • Send transactional emails — welcome email, scan reports (paid users), trial reminders (via Resend)
  • Enforce limits — rate limiting by IP, plan-based scan limits by account
  • Prevent abuse — blocking malicious URLs, private IPs, and excessive requests
  • Improve scan accuracy — aggregate, anonymized statistics (e.g., "average score across all scans"). We do not analyze individual scan results for this purpose.

We do not sell your data. We do not use your data for advertising. We do not share your data with data brokers. We do not use your data to train AI models.

4. Legal Basis for Processing

For users in the EU/EEA/UK, we process personal data under the following legal bases (GDPR Article 6):

  • Contractual necessity — processing required to provide the Service you signed up for (Art. 6(1)(b))
  • Legitimate interest — abuse prevention, service improvement via anonymized aggregates (Art. 6(1)(f))
  • Legal obligation — where required by applicable law (Art. 6(1)(c))

5. Third-Party Processors

Service                | Purpose                                  | Data shared                                                   | Location
-----------------------|------------------------------------------|---------------------------------------------------------------|------------
Supabase               | Database, authentication                 | Email, password hash, scan results                            | EU (London)
Anthropic (Claude API) | AI fix suggestions                       | Small HTML code snippets from violations (no personal data)   | US
LemonSqueezy           | Payment processing (Merchant of Record)  | Email, billing info (collected directly by LemonSqueezy)      | US
Resend                 | Transactional email delivery             | Email address, email content                                  | US
Railway                | Application hosting                      | Server access logs (IP, user-agent)                           | EU/US
Cloudflare             | DNS, CDN, email routing                  | DNS queries, email forwarding                                 | Global

6. Data Retention

  • Scan results — retained for 12 months, then automatically deleted
  • Account data — retained while your account is active. Deleted within 30 days of account deletion.
  • Anonymous scans (no account) — retained for 12 months, associated only with an IP address hash
  • Server logs — retained for up to 30 days by our hosting provider

7. Your Rights

GDPR (EU/EEA/UK residents)

Under the General Data Protection Regulation, you have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data ("right to be forgotten")
  • Portability — receive your data in a structured, machine-readable format
  • Restrict processing — limit how we use your data
  • Object — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent
  • Lodge a complaint — with your local data protection authority

CCPA (California residents)

Under the California Consumer Privacy Act, you have the right to:

  • Know — what personal information we collect and how we use it
  • Delete — request deletion of your personal information
  • Opt out of sale — we do not sell personal information, so this right is already satisfied
  • Non-discrimination — we will not treat you differently for exercising your rights

LGPD (Brazil residents)

Under Brazil's Lei Geral de Proteção de Dados, you have rights similar to GDPR including access, correction, deletion, portability, and information about sharing.

Exercising your rights

To exercise any of these rights, email legal@accesseon.com. We will respond within 30 days. We may ask you to verify your identity before processing your request. You will not be charged a fee for exercising your rights.

8. Cookies

We use essential cookies only:

  • Supabase authentication cookies — session tokens for keeping you logged in. Strictly necessary for the Service to function. These are httpOnly, secure, and SameSite=Lax.

We do not use analytics cookies, tracking cookies, advertising cookies, or any third-party cookie-based tracking. No cookie consent banner is required because we only use strictly necessary cookies exempt under GDPR Article 5(3) and the ePrivacy Directive.

9. International Data Transfers

Your data may be processed in the United States. For EU/EEA/UK users:

  • Our database (Supabase) is hosted in the EU (London, eu-west-2).
  • Some processors (Anthropic, LemonSqueezy, Resend) are based in the US. These transfers are protected by Standard Contractual Clauses (SCCs) or other approved mechanisms provided by those processors.
  • We do not transfer data to countries without adequate data protection unless appropriate safeguards are in place.

10. Security

We protect your data with:

  • HTTPS/TLS encryption for all data in transit
  • AES-256 encryption at rest (via Supabase)
  • Bcrypt password hashing (via Supabase Auth)
  • Row-Level Security (RLS) policies on the database
  • Server-side session validation (no localStorage tokens)
  • Security headers: CSP, X-Frame-Options, X-Content-Type-Options
  • Non-root container execution in production

No system is 100% secure. If we discover a data breach that affects your personal data, we will notify you by email within 72 hours of confirmation, as required by GDPR Article 33.

11. Children

Accesseon is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us at legal@accesseon.com and we will delete it.

12. Changes to This Policy

We may update this policy from time to time. We will notify active account holders by email at least 14 days before material changes take effect. The "Last updated" date at the top reflects the most recent version.

13. Contact

Questions about your data or this policy? Contact us at: