Legal

Privacy Policy

Effective Date: April 20, 2026

This Privacy Policy explains how QA11Y Labs ("we," "us," or "our") collects, uses, and protects information when you use our website and web accessibility auditing services. We are committed to protecting your privacy and handling your data with transparency.

1. Who We Are

QA11Y Labs is a web accessibility auditing company. We provide automated WCAG 2.2 AA scanning, manual accessibility audits, and accessibility consulting services. Our website is located at qa11ylabs.com.

For questions about this policy, contact us at qa11ylabs.com/contact.html.

2. Data We Collect

We collect only the minimum data necessary to provide our services. The types of data we collect include:

Data you provide directly

  • Email address — when you use our free scan tool or contact us. Used to deliver your scan report and to respond to inquiries.
  • URLs submitted for scanning — the web addresses you submit to our free or paid scanning tools.
  • Client audit data — for paid audit engagements, this may include your organization's website content, accessibility issue logs, remediation notes, and deliverable documents shared as part of the engagement.
  • Contact form information — your name, email, and message when you reach out via our contact form.

Data collected automatically

  • Usage data — pages visited, time on page, and general navigation patterns via our analytics tooling.
  • Technical data — browser type, operating system, referring URL, and IP address (used for security and abuse prevention, not for profiling).

We do not collect payment card information directly. Any payment processing is handled by our third-party payment processor (see Section 6).

3. How We Use Your Data

We use the data we collect for the following purposes:

  • To deliver services — processing your free scan and emailing you the scan report, fulfilling paid audit engagements, and responding to consulting inquiries.
  • To communicate with you — sending scan reports, deliverables, and service-related updates via email (delivered through AgentMail).
  • To improve our services — understanding which features are used, identifying bugs, and improving accuracy of our accessibility checks.
  • Security and fraud prevention — detecting and preventing abuse of our scanning tool or contact form.
  • Legal compliance — meeting our obligations under applicable law.

We will not use your data for any purpose materially different from those described above without first obtaining your consent.

4. Data Storage and Security

Client audit data is stored on our own virtual private server (VPS) infrastructure. All client data is stored encrypted at rest. Access is restricted to QA11Y Labs staff directly involved in your engagement.

We implement appropriate technical and organizational security measures, including:

  • Encryption at rest for all stored client and scan data.
  • Encrypted transit (TLS/HTTPS) for all data transmitted to and from our services.
  • Access controls and authentication requirements for staff accessing client data.
  • Regular review of access logs and security posture.

No method of electronic storage or transmission is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify you and relevant authorities as required by law.

We do not sell, rent, or trade your personal data to any third party, ever.

5. Data Retention

We retain your data only for as long as necessary to fulfill the purposes for which it was collected:

  • Free scan data (email address and submitted URL) — retained for 90 days from the date of submission, then permanently deleted from our systems.
  • Scan reports — deleted after 90 days unless the client has requested longer retention as part of a paid engagement.
  • Client audit data — retained for the duration of the engagement and for a reasonable period thereafter (typically up to 12 months) to allow for follow-up questions, unless the client requests earlier deletion or continued retention. Specific retention terms for paid clients are outlined in the engagement agreement.
  • Contact form submissions — retained for up to 12 months, then deleted unless an ongoing engagement is in place.

You may request deletion of your data at any time (see Section 7). Upon a verified deletion request, we will delete your data within 30 days, except where retention is required by law.

6. Third-Party Services

We use a limited number of third-party services to operate our business. These parties have access to only the minimum data necessary to perform their functions and are prohibited from using it for other purposes:

  • AgentMail — we use AgentMail to deliver scan reports and service-related emails to you. Your email address and scan report contents are transmitted to AgentMail for delivery purposes.
  • Payment processing — if you purchase a paid service, payment card data is handled directly by our payment processor. We do not store card numbers on our systems.
  • Analytics — we may use privacy-respecting analytics to understand site traffic. Analytics data is aggregated and does not identify individual users.

We do not use advertising networks, data brokers, or behavioral tracking services. We do not share your data with any third party for marketing purposes.

7. Your Rights

Regardless of where you are located, you have the following rights with respect to your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Correction — request that we correct inaccurate or incomplete data.
  • Deletion — request that we delete your personal data ("right to be forgotten").
  • Restriction — request that we restrict processing of your data in certain circumstances.
  • Portability — request your data in a structured, commonly used, machine-readable format.
  • Objection — object to processing based on our legitimate interests.

To exercise any of these rights, please contact us using the contact form at qa11ylabs.com/contact.html. We will respond to verified requests within 30 days. We may need to verify your identity before processing your request.

8. GDPR — Rights for EU/EEA Residents

If you are located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) grants you additional rights and requires us to be transparent about our legal basis for processing your data.

Legal basis for processing

  • Contract performance — processing your email and submitted URL to deliver the free scan service you requested.
  • Legitimate interests — security monitoring, fraud prevention, and service improvement, balanced against your privacy interests.
  • Legal obligation — where processing is required to comply with applicable law.
  • Consent — where we have obtained your specific, informed consent (e.g., for any optional communications).

Data transfers

Our VPS infrastructure is located within the United States. If you are an EU/EEA resident, your data may be transferred to and processed in the United States. Where we transfer data internationally, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms.

Right to lodge a complaint

You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data is being processed in violation of the GDPR.

9. CCPA/CPRA — Rights for California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you the following rights:

  • Know — the right to know what personal information we collect, use, disclose, and sell about you.
  • Delete — the right to request deletion of personal information we have collected from you.
  • Correct — the right to correct inaccurate personal information.
  • Opt-out of sale/sharing — the right to opt out of the sale or sharing of your personal information. QA11Y Labs does not sell or share personal information.
  • Limit use of sensitive personal information — the right to limit the use and disclosure of sensitive personal information.
  • Non-discrimination — the right not to be discriminated against for exercising your CCPA rights.

To submit a CCPA request, contact us at qa11ylabs.com/contact.html. We will verify your identity and respond within 45 days (extendable by an additional 45 days when reasonably necessary).

In the preceding 12 months, we have not sold or shared personal information, and we have not used personal information for purposes beyond those described in this policy.

10. Cookies and Tracking

Our website uses a minimal number of cookies necessary for site operation. We do not use advertising cookies or cross-site tracking cookies.

  • Essential cookies — necessary for the website to function (e.g., session management). These cannot be disabled without impairing site functionality.
  • Analytics cookies — if used, these collect aggregated, anonymized data about site usage. You may opt out via your browser settings or a global privacy control (GPC) signal, which we honor.

You can control cookies through your browser settings. Disabling all cookies may affect site functionality.

11. Children's Privacy

Our services are intended for business and professional use and are not directed at children under the age of 13 (or 16 in the EU/EEA). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Effective Date" at the top of this page and, where appropriate, notify you by email or by a notice on our website.

We encourage you to review this policy periodically. Continued use of our services after changes have been posted constitutes your acceptance of the revised policy.

13. Contact Us

For any privacy-related questions, requests, or concerns — including requests to access, correct, or delete your data — please reach out through our contact form:

QA11Y Labs — Privacy Requests
Contact form: qa11ylabs.com/contact.html
Please include "Privacy Request" in your message subject and describe the nature of your request.

We aim to respond to all privacy-related inquiries within 5 business days, and to complete verified requests within 30 days.