Privacy Policy

Last updated: September 24, 2024

Your Privacy Matters: This Privacy Policy explains how Appable, LLC collects, uses, and protects your information when you use Auditable, our web accessibility scanning service.

1. Introduction

Appable, LLC (“we,” “us,” or “our”) operates Auditable, a web accessibility scanning platform. We are committed to protecting your privacy and being transparent about how we collect, use, and share your information.

This Privacy Policy applies to all information collected through our website, application, and related services (collectively, the “Service”). By using our Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Information You Provide

Account Information: When you create an account through our authentication provider (Clerk), we collect:

  • Email address
  • Name (if provided)
  • Authentication credentials managed by Clerk
  • Profile information you choose to provide

Website Information: To provide scanning services, you provide:

  • URLs of websites you want to scan
  • Website names and descriptions
  • Scan configuration preferences

Payment Information: Payment processing is handled by Stripe. We do not store your payment card information. We receive from Stripe:

  • Subscription status and billing information
  • Transaction records for accounting purposes
  • Last four digits of payment methods for account management

2.2 Information We Collect Automatically

Usage Information: We collect information about how you use our Service:

  • Pages visited and features used
  • Time spent on different sections
  • Scan frequency and patterns
  • Error logs and performance metrics

Device and Technical Information:

  • IP address and approximate location
  • Browser type and version
  • Operating system
  • Device identifiers
  • Referring URLs

2.3 Scan Data

When scanning your websites, we temporarily collect:

  • Website content necessary for accessibility analysis
  • DOM structure and HTML markup
  • CSS styling information
  • JavaScript functionality relevant to accessibility
  • Image and media file metadata

Important: This data is processed temporarily for scan analysis and is not permanently stored beyond what’s necessary for generating your accessibility reports.

3. How We Use Your Information

We use the information we collect to:

3.1 Provide Our Service

  • Perform accessibility scans on your specified websites
  • Generate detailed accessibility reports and compliance documentation
  • Maintain your scan history and track compliance progress
  • Provide technical support and customer service
  • Process payments and manage subscriptions

3.2 Improve Our Service

  • Analyze usage patterns to improve user experience
  • Develop new features and functionality
  • Optimize scanning accuracy and performance
  • Troubleshoot technical issues and bugs

3.3 Communication

  • Send important service updates and security notifications
  • Respond to your inquiries and support requests
  • Provide educational content about web accessibility (with your consent)
  • Send billing and subscription-related communications

3.4 Legal and Security

  • Comply with legal obligations and law enforcement requests
  • Protect against fraud, abuse, and security threats
  • Enforce our Terms of Service
  • Protect our rights and property

4. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:

4.1 Service Providers

We work with trusted third-party service providers who help us operate our Service:

  • Clerk: Authentication and user management services
  • Convex: Database hosting and data storage
  • Stripe: Payment processing and subscription management
  • PostHog: Analytics and product insights (anonymized data)
  • Vercel: Web hosting and content delivery
  • Fly.io: Backend service hosting and infrastructure

These providers are contractually obligated to protect your information and use it only to provide services to us.

4.2 Legal Requirements

We may disclose your information when required by law or to:

  • Comply with legal processes, court orders, or government requests
  • Protect our rights, property, or safety
  • Protect the rights, property, or safety of our users or others
  • Investigate potential violations of our Terms of Service

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such transfer and any choices you may have regarding your information.

5. Data Security

We implement appropriate technical and organizational security measures to protect your information against unauthorized access, alteration, disclosure, or destruction:

  • Encryption: Data in transit is encrypted using TLS/SSL protocols
  • Access Controls: Strict access controls limit who can access your data
  • Authentication: Multi-factor authentication for administrative access
  • Monitoring: Continuous monitoring for security threats and vulnerabilities
  • Regular Updates: Regular security updates and patches
  • Incident Response: Documented procedures for handling security incidents

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

6. Data Retention

We retain your information for as long as necessary to provide our Service and comply with legal obligations:

  • Account Information: Retained while your account is active and for up to 90 days after account deletion
  • Scan Results: Retained while your account is active and according to your subscription tier’s data retention limits
  • Website Content: Temporarily processed data is deleted immediately after scan completion
  • Usage Logs: Retained for up to 12 months for service optimization and security purposes
  • Payment Information: Billing records retained for up to 7 years for tax and accounting compliance

You may request deletion of your data at any time by contacting us. Upon account deletion, we will delete your information within 30 days, except where retention is required by law.

7. Your Rights and Choices

7.1 Account Management

You can:

  • Access and update your account information through your dashboard
  • Modify your notification preferences
  • Delete websites and scan data from your account
  • Cancel your subscription at any time
  • Request account deletion

7.2 GDPR Rights (European Users)

If you are located in the European Economic Area, you have additional rights under GDPR:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate or incomplete data
  • Erasure: Request deletion of your personal data (“right to be forgotten”)
  • Portability: Request a copy of your data in a structured, machine-readable format
  • Restriction: Request limitation of processing in certain circumstances
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent for processing where consent is the legal basis

7.3 California Privacy Rights (CCPA)

California residents have additional privacy rights:

  • Right to know what personal information we collect and how it’s used
  • Right to delete personal information (with some exceptions)
  • Right to opt out of the sale of personal information (note: we do not sell personal information)
  • Right to non-discrimination for exercising privacy rights

8. Cookies and Tracking Technologies

We use cookies and similar technologies to provide and improve our Service. For detailed information about our use of cookies, please see our Cookie Policy.

8.1 Essential Cookies

These cookies are necessary for the Service to function:

  • Authentication session cookies from Clerk
  • Security tokens and CSRF protection
  • Load balancing and performance optimization

8.2 Analytics Cookies

With your consent, we use analytics cookies to understand Service usage:

  • PostHog analytics for product insights (anonymized)
  • Performance monitoring and error tracking
  • User experience optimization

9. International Data Transfers

Our Service is hosted primarily in the United States. If you are accessing our Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States.

We ensure appropriate safeguards are in place for international transfers, including:

  • Standard contractual clauses approved by the European Commission
  • Adequacy decisions where applicable
  • Other lawful transfer mechanisms under applicable data protection laws

10. Children’s Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Posting the updated Privacy Policy on our website
  • Sending an email notification to your registered address
  • Displaying a prominent notice in the Service

Your continued use of the Service after the effective date of changes constitutes acceptance of the updated Privacy Policy.

12. Legal Basis for Processing (GDPR)

For European users, our legal basis for processing personal information includes:

  • Contractual Necessity: Processing necessary to provide the Service under our Terms of Service
  • Legitimate Interests: Service improvement, security, and fraud prevention
  • Consent: Analytics and marketing communications (where obtained)
  • Legal Compliance: Fulfilling legal obligations and regulatory requirements

13. Contact Information

For questions about this Privacy Policy, to exercise your privacy rights, or to report a privacy concern, please contact us:

Appable, LLC
Privacy Officer
Email: privacy@auditable.dev
Subject Line: “Privacy Policy Inquiry”
Website: https://auditable.dev

EU Representative: For European users with GDPR-related inquiries, you may also contact our EU representative at privacy@auditable.dev.

Response Time: We will respond to privacy-related inquiries within 30 days (or as required by applicable law).

This Privacy Policy is effective as of the “Last updated” date shown above. By using Auditable, you acknowledge that you have read and understood this Privacy Policy.