Privacy Policy
Effective June 1, 2026
Draft — the contracting legal entity and governing law are being finalized and will be confirmed in writing before any paid engagement or data-processing agreement.
This Privacy Policy describes how A11yward (a Ward Labs product) ("A11yward", "we", "us") processes personal data when you use our web accessibility scanning and monitoring platform (the "Service"). It applies to data we process as a controller about you (e.g. when you visit our website, create an account, or pay for a plan). A11yward scans your own web pages for accessibility (WCAG) issues; it is not designed to collect personal data about your end users.
1. What we collect
1.1 Account data (controller)
- Email address (required to create an account and sign in)
- Name / display name
- Password, stored only as a scrypt hash — we never store the plaintext
- Organization name and team-membership metadata
- Authentication metadata: session cookies, plus the IP address and user-agent recorded at sign-in
- Billing contact details (when you upgrade to a paid plan)
1.2 Monitoring configuration (controller)
- The site URLs and labels you choose to monitor
- Scan settings and, for authenticated (login-behind) scanning, the credentials you choose to supply so the crawler can reach pages behind your login
1.3 Scan results (controller)
When the Service crawls your public (or, where you opt in, login-behind) web pages, it records the accessibility issues it finds against WCAG success criteria — element selectors, rule identifiers, severity, and snippets of the offending markup. These are findings about your site, not personal data about your visitors. In the normal scan path A11yward does not collect your end users' personal data. If your page markup happens to contain personal data, it may incidentally appear in a captured snippet; you control which URLs are scanned and can exclude pages.
1.4 Usage data (controller, aggregated)
- Pages viewed, features used, error logs
- Aggregate, de-identified product analytics — no personal content
2. Why we process it
- Provide the Service — authentication, crawling your sites, generating accessibility reports and evidence.
- Improve the Service — aggregate, de-identified analytics on feature usage.
- Security and abuse prevention — rate limiting, SSRF protection, anomaly detection, incident response.
- Communications — service-related emails (sign-in, billing, scan alerts and digests, security notices). Marketing emails only with separate opt-in.
- Legal obligations — compliance with tax, accounting, and regulator requests.
3. Legal bases (GDPR Art. 6)
- Contract performance — to provide the Service you signed up for.
- Legitimate interests — product analytics and security, balanced against your privacy rights.
- Consent — marketing communications (revocable any time).
- Legal obligation — when required by law.
4. Who we share data with
We do not sell personal data. We share with vetted sub-processors as needed to operate the Service:
- Fly.io — cloud hosting and primary data storage (EU/Frankfurt)
- Resend — transactional email delivery
- Stripe — payment processing (paid plans only)
The complete, current list — with purpose, location, and transfer mechanism — is published at /security and in Annex B of our DPA, and is updated at least 30 days before material changes.
5. International transfers
Customer account data, monitoring configuration, and scan results are processed primarily in the EU/EEA (Fly.io, Frankfurt). Where transfer to a third country is necessary (e.g. to a US-based sub-processor such as our email provider), we rely on Standard Contractual Clauses (SCCs) and supplementary measures as described in our DPA.
6. Retention
- Account data: while your account is active; after deletion, copies may remain in backups for up to 90 days before they are purged.
- Scan results: retained per your plan and configuration, and deleted on request or account closure.
- Authentication logs: 90 days.
- Billing records: 7 years (required by tax law in most jurisdictions).
7. Your rights
You may, subject to applicable law:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion (right to erasure)
- Restrict or object to processing
- Request data portability
- Withdraw consent for marketing
- Lodge a complaint with your local supervisory authority
To exercise any of these rights, email deniz@promptward.ai. We respond within 30 days.
8. Security
We encrypt data in transit (TLS). Passwords are stored as scrypt hashes; the plaintext is never persisted. Sessions are managed with secure cookies, scan target URLs are checked by SSRF guards before the crawler fetches them, and every record is isolated by tenant. Our security controls, and the precise, current status of any third-party audit or certification, are published at /security. We state that status plainly and do not claim certifications we do not hold.
9. Children
The Service is not directed to children under 16 and we do not knowingly process their data.
10. Changes to this policy
We will notify account owners by email at least 30 days before material changes take effect. Continued use of the Service after the effective date constitutes acceptance.
11. Contact
Data Controller: A11yward (a Ward Labs product)
Privacy contact: deniz@promptward.ai