1. Who we are
AccessGlade is operated by [Legal entity name] ("we," "us"), based in [country / state]. You can reach us at privacy@accessglade.com.
2. What we collect
Account data
- Email address — used as your login identifier and for transactional email (magic links, invites, billing receipts).
- Organization name, role (owner / admin / member / billing-admin), invitation history.
- Optional: contact email you set on a property's crawl schedule (we put it in the User-Agent so site owners can reach you, not us).
Scan data
- Accessibility findings produced by axe-core — rule key, severity, WCAG references, page URL, CSS selector.
- A snippet (capped at 5KB) of the violating element and its enclosing landmark, used to detect components and group findings.
- URL inventory — the set of URLs the crawler has discovered for each property you've added.
- Job metadata — when scans started/finished, how many pages were visited, error messages.
What we do not collect
- Full page HTML, screenshots, video, or rendered images of the pages we scan.
- Cookies, localStorage values, or any user-entered form data on the pages we scan.
- End-user identifiers from the sites you scan. We crawl as a logged-out visitor unless you explicitly configure auth.
- Marketing or behavioural cookies on this website. We use one strictly-necessary cookie for authentication and that's it.
3. How we use it
- To provide the product — run scans, render dashboards, send invitations, push to your Jira/Linear/GitHub on your request.
- To send transactional email — magic-link sign-in, invitation links, billing receipts.
- To investigate abuse — request logs and rate-limit signals are kept for up to 30 days.
- Aggregate, de-identified product analytics — counts of scans, findings, and component patterns we've seen across the platform.
We do not use your scan data, account data, or any data we collect from your sites to train machine-learning models — ours or anyone else's.
4. Tenant isolation
Your data is isolated at the database layer using PostgreSQL Row-Level Security. A query made by a member of your organization is mathematically unable to return rows belonging to any other organization. The service role used by our scanner workers is never exposed to the browser; admin-style operations happen in trusted server code, behind explicit membership checks, and are audit-logged.
5. Retention
- Findings: retained per the plan you're on (Free 7 days, Starter 90 days, Business 2 years, Enterprise custom).
- Account data: retained while your account is active. Deleted within 30 days of account closure unless we're legally required to retain it longer (e.g., for tax records).
- Backups: automated daily backups are kept for 30 days. After 30 days, deleted records are gone from backups too.
6. Sub-processors
We use the following companies to operate AccessGlade. Each is bound by a written data processing agreement.
- Supabase (database + authentication) — data stored in [region].
- Vercel (web hosting + CDN).
- Fly.io (scanner workers).
- Resend (transactional email).
- Stripe (payments — only when you upgrade to a paid plan).
We'll publish 30 days' notice in this section before adding or replacing any sub-processor.
7. Where data is stored
Default region for all customer data is [US-East / EU / etc.]. Enterprise customers can elect data residency in US, EU, or AU; contact hello@accessglade.com to discuss.
8. Your rights
Depending on where you're based, you may have the right to access, correct, export, or delete personal data we hold about you. Email privacy@accessglade.com from the address on your account and we'll honour the request within 30 days. EU/UK users: you also have the right to lodge a complaint with your supervisory authority.
9. Security
- All traffic is HTTPS with modern TLS.
- Passwords are not used (magic-link auth) — when we add password auth, hashes use Argon2.
- Integration tokens (Jira / Linear / GitHub) are encrypted at rest with AES-256 keyed off a Supabase Vault secret.
- The service role key never leaves the server side; UI traffic uses anon-key + JWT only.
Report a security issue to security@accessglade.com. We aim to respond within one business day.
10. Children
AccessGlade is a B2B product. We don't knowingly collect data from anyone under 16.
11. Changes to this policy
We notify the primary owner of each organization of material changes by email at least 30 days before they take effect. Minor wording changes are noted by bumping the "last updated" date at the top of the page.
12. Contact
Questions, requests, complaints: privacy@accessglade.com.