Privacy Policy

Last updated: February 2026

1. Overview

A11yMate (“we”, “our”, “us”) operates the website a11ymate.com and the A11yMate Chrome extension (collectively, “the Service”). A11yMate is a web-accessibility testing tool that helps developers and teams identify and fix WCAG violations on their websites.

This Privacy Policy explains what information we collect, how we use it, and what choices you have. It applies to all users of the Service, including the Chrome extension and the web dashboard.

Free tier: Core accessibility scanning runs entirely in your browser using the axe-core engine. No data is transmitted to any server, and no account is required. Your scan results stay in your browser unless you explicitly sign in and choose to save them.

Pro, Team, and Agency tiers: These paid plans require a user account and store data on our servers to provide features such as AI-powered fix suggestions, saved scan reports, team collaboration, and API access.

2. Information We Collect

2a. Information You Provide

  • Account information: When you sign in with Google OAuth, we receive and store your email address, display name, and avatar URL.
  • Payment information: When you subscribe to a paid plan, billing details (name, address, payment method) are collected and processed by Lemon Squeezy, our payment processor. We store your Lemon Squeezy customer ID and subscription ID but do not store credit card numbers directly.
  • Team member emails: If you use team collaboration features, we store the email addresses of people you invite to your team.
  • VPAT product information: If you generate VPAT (Voluntary Product Accessibility Template) documents, we process the product name, version, URL, and contact details you provide.
  • PDF branding: If you customize PDF report branding, we process the company name, logo, and website URL you provide.

2b. Information Collected Automatically

  • Scan reports: When you save a scan report, we store the URL that was scanned, your accessibility score, the number of violations found, passing checks, incomplete checks, and HTML snippets from the violations detected on the page.
  • Scan metadata: We record the scan duration (in milliseconds), the number of elements scanned, and the timestamp of each scan.
  • Violation tracking: If you use violation management, we store the status, assignee, and notes for each tracked violation.
  • Usage analytics: We track your monthly scan count for internal analytics purposes only. No usage limits are enforced based on this count.

2c. Information Processed by Third Parties

  • AI fix suggestions: When you request an AI-generated fix suggestion, the violation rule ID and the relevant HTML snippet (up to 500 characters) are sent to OpenAI to generate a suggested code fix. These snippets are cached by content hash to avoid redundant requests.
  • AI VPAT remarks: When you generate VPAT documentation, violation data is sent to OpenAI to produce conformance remarks and remediation guidance.

3. How We Use Your Information

We use the information we collect to:

  • Provide the A11yMate service, including accessibility scanning, saved reports, AI-powered fix suggestions, and VPAT generation.
  • Process payments and manage your subscription through Lemon Squeezy.
  • Enable team collaboration features, such as inviting members, assigning violations, and sharing reports.
  • Improve the service through aggregate, anonymized usage analytics.

We do not sell your personal data. We do not use your data for advertising or share it with data brokers.

4. Third-Party Services

A11yMate relies on the following third-party services. Each receives only the data necessary to perform its function:

  • Google (authentication): We use Google OAuth to sign you in. Google receives your authentication request and provides us with your email, name, and avatar URL. Google Privacy Policy
  • Supabase (database and authentication hosting): All stored data (profiles, scan reports, AI suggestion cache, team members, violation statuses) is hosted on Supabase infrastructure. Supabase Privacy Policy
  • OpenAI (AI suggestions): Violation rule IDs and HTML snippets from accessibility violations are sent to OpenAI's API to generate fix suggestions and VPAT remarks. No personal information or full page content is sent. OpenAI Privacy Policy
  • Lemon Squeezy (payment processing): Your email and billing information are shared with Lemon Squeezy to process subscription payments. Lemon Squeezy Privacy Policy

5. Data Storage and Security

  • All server-side data is stored on Supabase-hosted PostgreSQL infrastructure.
  • API keys (for Agency plan users) are hashed with SHA-256 before storage. We never store raw API keys.
  • Authentication tokens in the Chrome extension are stored in chrome.storage.session, which is automatically cleared when the browser session ends.
  • Authentication tokens on the web dashboard are stored in sessionStorage, which is cleared when the browser tab is closed.
  • All communications between the extension, web dashboard, and our servers use HTTPS encryption.

6. Cookies

We do not use cookies for tracking, advertising, or analytics. A11yMate does not set any cookies in your browser.

Essential session data (authentication tokens) is stored in your browser's sessionStorage (web dashboard) or chrome.storage.session (Chrome extension). Both are automatically cleared when your browser session ends and are never shared with third parties.

7. Data Retention

  • Scan reports: Retained until you delete them or delete your account.
  • AI suggestion cache: Cached suggestions are retained indefinitely to improve performance and reduce redundant API calls.
  • Payment records: Retained as required by applicable tax and accounting regulations.
  • Account data: Retained until you request deletion of your account.

8. Your Rights

For all users

  • Right of access: You may request a copy of all personal data we hold about you.
  • Right to rectification: You may request that we correct any inaccurate personal data.
  • Right to erasure: You may request that we delete all of your personal data, including your account, scan reports, and any associated records.
  • Right to data portability: You may request a copy of your data in a structured, machine-readable format.
  • Right to restrict processing: You may request that we limit how we process your data.
  • Right to object: You may object to the processing of your personal data.

Additional rights under GDPR (EU/EEA residents)

If you are located in the European Union or European Economic Area, you have the rights listed above under the General Data Protection Regulation. You also have the right to lodge a complaint with your local data protection authority.

Additional rights under CCPA (California residents)

  • Right to know: You may request details about the categories and specific pieces of personal information we have collected.
  • Right to delete: You may request deletion of your personal information.
  • Right to opt out of sale: We do not sell personal information, so there is no sale to opt out of.

To exercise any of these rights, please contact us at the email address listed in the Contact section below.

9. Chrome Extension Permissions

The A11yMate Chrome extension requests the following browser permissions. Each permission is used solely for the purpose described:

  • activeTab — Grants access to the currently active tab when you initiate a scan, allowing A11yMate to read the page content for accessibility analysis.
  • scripting — Allows the extension to inject the axe-core accessibility scanning engine into the page you are testing.
  • storage — Used to save your settings, branding preferences, and authentication tokens locally in the browser.
  • sidePanel — Enables the A11yMate side panel interface where scan results and tools are displayed.
  • identity — Used for Google OAuth sign-in, which is required for Pro, Team, and Agency features.
  • Content script (<all_urls>) — Needed so the scanning engine can run on any webpage you choose to test. The content script is only activated when you initiate a scan.

10. Free Tier Privacy

If you use A11yMate on the free tier without signing in, your privacy is strongly protected by design:

  • All accessibility scanning runs entirely in your browser using the locally bundled axe-core engine.
  • No data is transmitted to any external server during free-tier scanning.
  • No account or sign-in is required for free features.
  • Scan results remain in your browser and are never sent to our servers unless you explicitly sign in and choose to save them.

11. Children's Privacy

A11yMate is not directed at children under the age of 13 (or under 16 in the European Economic Area). We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at the email address below.

12. International Data Transfers

Your data may be processed in the United States through our third-party service providers (Supabase, OpenAI, and Lemon Squeezy). If you are located in the European Union or European Economic Area, these transfers are conducted in accordance with applicable data protection laws, relying on Standard Contractual Clauses or other lawful transfer mechanisms to ensure your data is adequately protected.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. When we make changes, we will update the “Last updated” date at the top of this page. If we make material changes that affect how we handle your personal data, we will notify registered users by email.

14. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at bitnara.na@gmail.com.