Privacy Policy.
This Privacy Notice for AxEazy (“we,” “us,” or “our”) describes how and why we might access, collect, store, use, and/or share (“process”) your personal information when you use our services (“Services”), including when you visit our website at https://axeazy.com, use the Axeazy platform, or engage with us in other related ways, including any marketing or events.
Axeazy is a web-based SaaS platform that automatically scans websites for accessibility violations based on WCAG 2.2 AA standards using the axe-core scanning engine. It generates AI-powered code-level fix suggestions and delivers them to your codebase via GitHub Pull Requests. The platform also produces timestamped PDF scan reports documenting identified violations and suggested remediations.
Questions or concerns? If you do not agree with our policies and practices, please do not use our Services. If you have questions, contact us at contact@axeazy.com.
1. What Information Do We Collect?
Personal information you disclose to us
In short: we collect personal information that you provide to us.
We collect personal information that you voluntarily provide when you register on the Services, express an interest in obtaining information about us or our products, participate in activities on the Services, or otherwise contact us. This may include:
- Names
- Email addresses
- Usernames
- Passwords (stored hashed by our authentication provider; never in plain text)
- Contact preferences
- Contact or authentication data (including multi-factor authentication data)
- Billing addresses (collected by our payment processor)
- Website URLs you submit for scanning
- GitHub repository access (scoped to repositories you select)
- Documents or PDFs you upload to the Emergency Kit flow
Sensitive information. We do not process sensitive personal information (such as racial or ethnic origin, health data, or religious beliefs).
Payment data. We may collect data necessary to process your payment if you make purchases, such as your payment instrument number and the security code associated with it. All payment data is handled and stored by Paddle. You can find their privacy notice here: paddle.com/legal/privacy. Card data is processed directly by Paddle and never stored on Axeazy servers.
All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.
Information automatically collected
In short: some information (such as your IP address and browser characteristics) is collected automatically when you visit our Services.
- Log and usage data: service-related, diagnostic, usage, and performance information our servers automatically collect, including IP address, browser type and settings, pages viewed, features used, scan history, and error reports.
- Location data: imprecise geolocation derived from your IP address, used for security and rate limiting.
- Cookies: strictly necessary session cookies for authentication. See our Cookie Notice.
2. How Do We Process Your Information?
In short: we process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.
- To facilitate account creation and authentication and otherwise manage user accounts.
- To deliver and facilitate delivery of services: running scans, generating fixes and reports, monitoring.
- To respond to user inquiries and offer support.
- To send administrative information: scan results, security alerts, and changes to our terms and policies.
- To fulfill and manage your orders and subscriptions through Paddle.
- To send marketing and promotional communications, in accordance with your preferences. You can opt out at any time via the unsubscribe link in every marketing email.
- To protect our Services: fraud monitoring, abuse prevention, SSRF protection, and rate limiting.
- To evaluate and improve our Services and identify usage trends. We do not train third-party AI models on your individual scans, uploaded uploaded documents, or site content.
- To comply with our legal obligations and respond to legal requests.
3. What Legal Bases Do We Rely On?
In short: we only process your personal information when we have a valid legal reason to do so.
If you are located in the EU or UK
The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the legal bases we rely on to process your personal information. We may rely on:
- Consent. You have given us permission to use your personal information for a specific purpose. You can withdraw your consent at any time.
- Performance of a contract. Processing is necessary to fulfill our contractual obligations to you, including providing the Services.
- Legitimate interests. Processing is necessary for our legitimate business interests (such as securing the Services and preventing fraud) where those interests are not overridden by your rights.
- Legal obligations. Processing is necessary for compliance with our legal obligations.
Please note: the Services are designed for United States accessibility law (ADA / Section 508 / WCAG as referenced by US courts). EU and UK users may use the Services with the understanding that scan outputs reference US frameworks — your GDPR and UK GDPR rights are preserved as described in Section 13.
If you are located in Canada
We may process your information if you have given us specific permission (express consent), or in situations where your permission can be inferred (implied consent). You can withdraw your consent at any time. In some exceptional cases, we may be legally permitted to process your information without consent — for example, for investigations and fraud detection, or if disclosure is required to comply with a subpoena.
If you are located in India
We process your personal data in accordance with the Digital Personal Data Protection Act, 2023 (DPDPA) — see Section 14.
4. When and With Whom Do We Share Your Personal Information?
In short: we share information only with the service providers below, who process it on our behalf under data processing agreements. We do not sell your personal information.
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | All customer data | United States |
| Vercel, Inc. | Web hosting, edge functions | Request logs, performance metrics | United States |
| Railway Corp. | Scanner-service worker hosting, job queue, logging | Scan jobs, generated artifacts, queue metadata | United States |
| Upstash, Inc. | Rate-limit counters | IP-keyed counters | United States / EU |
| LanguageTooler GmbH (LanguageTool) | Grammar, style, and readability analysis for cognitive accessibility checks | Scanned page text | Germany |
| Anthropic, PBC | Claude model — alt-text, ARIA analysis, remediation suggestions, document analysis | Scanned page text, document text (when uploaded) | United States |
| OpenAI, L.L.C. | Whisper speech-to-text for video captioning | Audio extracted from customer videos (Pro+) | United States |
| Resend, Inc. | Transactional and newsletter email delivery | Recipient email, message content, open/click events | United States |
| Paddle.com Market Limited | Payment processing (Merchant of Record) | Billing name, email, card data (PCI-scoped at Paddle), transaction metadata | United Kingdom (with global subprocessors) |
| GitHub, Inc. | GitHub App for code-level PR generation when you opt in | Installation tokens, repo contents the App is invited to | United States |
| Termly LLC | Data Subject Access Request intake form (identity verification + request routing) | Email address, request type, identity-verification answers, optional supporting documentation | United States |
We notify customers of material changes to this subprocessor list before they take effect via the same email channel used for Terms updates.
We may also need to share your personal information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company (business transfers).
What we do NOT do:
- We do not sell your personal information.
- We do not share your data with advertisers or data brokers.
- We do not train third-party AI models on your individual scans, uploaded uploaded documents, or site content.
- We do not use third-party analytics that build cross-site user profiles (no Google Analytics, no Facebook Pixel).
5. Do We Use Cookies and Other Tracking Technologies?
In short: yes — a small set of strictly necessary cookies only.
We use strictly necessary cookies for session authentication, a strictly necessary localStorage entry (axeazy.consent.v1) to record your cookie consent choice, and an optional functional localStorage entry (axeazy.marketing.session) to attribute pricing-page interactions to subsequent conversions. We do not use cookies for advertising or third-party cross-site tracking, and we do not permit ad networks to place trackers on our Services. Details, including how to refuse cookies, are in our Cookie Notice.
6. Do We Offer Artificial Intelligence-Based Products?
In short: yes. We offer features powered by AI through third-party providers.
We provide AI-powered features (the “AI Products”) through third-party service providers, including Anthropic and OpenAI (“AI Service Providers”). Your input (such as scanned page content) and output are shared with and processed by these AI Service Providers to enable the AI Products, for the purposes outlined in Section 4. You must not use the AI Products in any way that violates the terms or policies of any AI Service Provider.
Our AI Products are designed for the following functions:
- Automated content generation (alt text, fix suggestions, captions)
- Automated analysis (screen-reader simulation analysis, document analysis)
- Natural language processing
How to opt out: simply do not use the AI fix-generation features. Core scanning works without them.
7. Website Scanning and AI Processing
When you submit a website URL for scanning, Axeazy accesses and analyzes the publicly accessible content of that website including HTML structure, images, links, and page text. This content is processed by our AI systems (Anthropic Claude and OpenAI) solely to identify accessibility violations and generate code-level fixes. We do not store the full content of scanned pages beyond what is necessary to display scan results and generate fixes. Scanned website content is never used to train AI models or shared with third parties beyond what is necessary to operate the service.
8. GitHub Repository Access
When you connect your GitHub account, Axeazy accesses only the specific repositories you authorize through the GitHub App installation. We use this access solely to create Pull Requests with accessibility fixes. We do not read, store, or analyze your repository code beyond what is necessary to apply the specific fixes generated from your scan results. You can revoke GitHub access at any time through your GitHub account settings under Installed Apps.
9. Scan Reports
Scan reports and PDF documents generated by Axeazy are technical records of accessibility violations detected and fixes suggested. These documents contain timestamps, violation details, and fix records. We retain this data for the duration of your account. This documentation does not constitute legal advice or a compliance certification. Disclaimers regarding compliance guarantees, AI-generated fixes, warranties, and limitations of liability are set out in our Terms of Service, which control.
10. How Long Do We Keep Your Information?
In short: as long as necessary for the purposes in this notice, and never longer than three (3) months past the termination of your account unless required by law.
- Account data: until you delete your account, plus a short backup-expiration window.
- Scan results: until you delete the site, or after subscription cancellation per the outer bound below.
- Emergency Kit document content and generated artifacts: retained for the life of your account (so you can re-download), unless you request deletion.
- Outer bound: no purpose in this notice requires keeping your personal information longer than three (3) months past the termination of your account, except where retention is required or permitted by law (such as tax, accounting, or other legal requirements).
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because it is stored in backup archives), we will securely store it and isolate it from further processing until deletion is possible.
11. How Do We Keep Your Information Safe?
In short: through organizational and technical security measures.
We use TLS in transit, encryption at rest, service-role-only writes for sensitive tables, and Row Level Security (RLS) on every customer data table. Multi-factor authentication is available on all accounts. However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security. Transmission of personal information to and from our Services is at your own risk.
12. Do We Collect Information From Minors?
In short: no. The Services are for users 18 and older, and we take the additional steps required by COPPA for users under 13.
Users under 13 — COPPA. Consistent with the U.S. Children's Online Privacy Protection Act (15 U.S.C. §§6501–6506) and the FTC's implementing rule (16 C.F.R. Part 312), we do not knowingly collect personal information from children under 13. We do not direct the Services to children under 13, do not require age-gated registration of children, and do not place advertising of any kind. If a parent or guardian learns that their child under 13 has provided personal information to us — for example, by signing up with a parent's card — they may email us at contact@axeazy.com with subject “COPPA Deletion”. We will verify the request using a method reasonably designed to confirm parental status (typically a reply from the email address on the account) and delete the child's account and any associated personal information within thirty (30) days of verification, at no charge.
Users between 13 and 18. We do not knowingly collect, solicit data from, or market to children under 18 years of age (or the equivalent age as specified by law in your jurisdiction), nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 18. If we learn that personal information from users under 18 has been collected, we will deactivate the account and take reasonable measures to promptly delete such data. If you become aware of any data we may have collected from minors, contact us at contact@axeazy.com.
13. EU and UK Users (GDPR)
The Services evaluate websites against United States accessibility frameworks (ADA, Section 508, WCAG 2.2 AA as cited in US litigation). They are not designed for the European Accessibility Act or EN 301 549. EU and UK users may use the Services with the understanding that scan outputs reference US frameworks only. Nothing in this Privacy Policy limits any data protection rights you hold under the GDPR or UK GDPR.
Data Controller. For the purposes of the GDPR and UK GDPR, AxEazyacts as the Data Controller for personal data processed in connection with your use of the Services. Contact details are in Section 20.
If you are located in the EU or UK, you have the following rights under the GDPR/UK GDPR:
- The right to request access to and obtain a copy of your personal information
- The right to request rectification or erasure
- The right to restrict the processing of your personal information
- The right to data portability
- The right to object to processing based on legitimate interests
- The right not to be subject to automated decision-making producing legal or similarly significant effects
- The right to withdraw consent at any time (without affecting the lawfulness of prior processing)
- The right to lodge a complaint with your local supervisory authority
International transfers. Our primary infrastructure is hosted in the United States. If you access the Services from outside the United States, your information will be transferred to, stored in, and processed in the United States by us and the third parties listed in Section 4. Where required, our service providers offer appropriate safeguards for such transfers, such as Standard Contractual Clauses, as described in their respective privacy policies and data processing agreements.
To exercise any of these rights, submit a data subject access request or email contact@axeazy.com (or contact@axeazy.com if the dedicated address is unavailable).
14. India Users (DPDPA)
AxEazy complies with the Digital Personal Data Protection Act, 2023 (DPDPA) of India. As a Data Fiduciary, we collect and process your personal data only for lawful purposes with your consent. You have the right to:
- Access your personal data
- Correct inaccurate personal data
- Erase your personal data
- Nominate a representative for your data rights
- Withdraw consent at any time
- Lodge a grievance with us, and escalate to the Data Protection Board of India if unresolved
Grievance Officer (DPDPA §8(9)). The Grievance Team operates as the contact point for unresolved data-protection questions and complaints from Indian residents. Email contact@axeazy.com with subject “Grievance” and a clear description of the issue. We acknowledge receipt within seven (7) business days and respond substantively within thirty (30) days, as required by DPDPA §13. If your grievance is not resolved within that window you may escalate to the Data Protection Board of India. For all other data-rights requests covered by this section, email contact@axeazy.com or use the data subject access mechanisms in Section 21.
15. What Are Your Privacy Rights?
In short: you may review, change, or terminate your account at any time, depending on your country, province, or state of residence.
Withdrawing your consent: If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time by contacting us at contact@axeazy.com. This will not affect the lawfulness of processing before withdrawal.
Opting out of marketing: You can unsubscribe from marketing communications at any time by clicking the unsubscribe link in the emails we send or by contacting us. You will still receive service-related messages necessary for the administration of your account.
Account information: To review or change the information in your account or terminate your account, contact us at contact@axeazy.com. Upon your request to terminate, we will deactivate or delete your account and information from our active databases. However, we may retain some information to prevent fraud, troubleshoot problems, assist with investigations, enforce our legal terms, and/or comply with applicable legal requirements.
Cookies: Most web browsers are set to accept cookies by default. You can usually set your browser to remove or reject cookies; this could affect certain features of the Services. See our Cookie Notice.
16. Controls for Do-Not-Track Features
Most web browsers include a Do-Not-Track (“DNT”) feature you can activate to signal your privacy preference. No uniform technology standard for recognizing and implementing DNT signals has been finalized, and we do not currently respond to DNT browser signals. California law requires us to disclose this; if a standard we must follow is adopted in the future, we will inform you in a revised version of this notice.
Global Privacy Control (GPC). We do honor the W3C Global Privacy Control signal. If your browser or extension sends a GPC signal, we treat it as an opt-out of Functional, Analytics, and Marketing storage at the moment of your first page view, consistent with the requirements of California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Oregon (OCPA), and Texas (TDPSA). See our Cookie Notice for details.
17. Do United States Residents Have Specific Privacy Rights?
In short: if you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have additional rights regarding your personal information.
Categories of personal information we collect
In the past twelve (12) months, we have collected the following categories of personal information (and have not sold or shared any of them):
| Category | Collected |
|---|---|
| A. Identifiers (name, email, IP address, account name) | YES |
| B. Personal information per the California Customer Records statute | YES |
| C. Protected classification characteristics | NO |
| D. Commercial information (transactions, subscriptions) | YES |
| E. Biometric information | NO |
| F. Internet or other similar network activity | YES |
| G. Geolocation data (precise) | NO |
| H. Audio, electronic, sensory information | NO |
| I. Professional or employment-related information | NO |
| J. Education information | NO |
| K. Inferences drawn to create a profile | NO |
| L. Sensitive personal information | NO |
We retain collected personal information as long as you maintain an account with us, subject to the outer bound in Section 10. We have not sold or shared any personal information to third parties for a business or commercial purpose in the preceding twelve (12) months. We disclose personal information to our service providers (Section 4) pursuant to written contracts.
Your rights
- Right to know whether we are processing your personal data
- Right to access your personal data
- Right to correct inaccuracies in your personal data
- Right to request deletion of your personal data
- Right to obtain a copy of the personal data you previously shared with us
- Right to non-discrimination for exercising your rights
- Right to opt out of targeted advertising, the sale of personal data, or profiling (we do none of these)
How to exercise your rights
Submit a data subject access request, email contact@axeazy.com (preferred), email contact@axeazy.com, or use the contact details at the bottom of this document. We will verify your identity before acting on a request, and we respond within the time required by applicable law. You may designate an authorized agent to make a request on your behalf; we may require proof of valid authorization.
Appeals: if we decline to take action on your request, you may appeal by emailing contact@axeazy.com. We will inform you in writing of any action taken or not taken in response to the appeal, with a written explanation. If your appeal is denied, you may submit a complaint to your state attorney general.
18. Subscription and Billing Data
Billing and payment processing is handled entirely by Paddle. Axeazy receives only your subscription status, plan type, and billing address from Paddle. We never receive, store, or process raw credit card or bank account information.
19. Do We Make Updates to This Notice?
In short: yes, as necessary to stay compliant with relevant laws.
We may update this Privacy Notice from time to time. The updated version will be indicated by an updated “Last updated” date at the top. If we make material changes, we will notify you by email from contact@axeazy.com and/or by prominently posting a notice of such changes.
20. How Can You Contact Us About This Notice?
If you have questions or comments about this notice, email us at contact@axeazy.com or contact us by post at:
AxEazy
Kanpur, Uttar Pradesh, India
21. How Can You Review, Update, or Delete the Data We Collect From You?
Based on the applicable laws of your country or state of residence, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing. These rights may be limited in some circumstances by applicable law. To request to review, update, or delete your personal information, please fill out and submit a data subject access request or email contact@axeazy.com (or contact@axeazy.com if the dedicated address is unavailable) with the subject line “Data Request” from your registered email address. We process requests within the time required by the privacy law that applies to you, and in no event more than 45 days from receipt. We may extend that window by an additional 45 days where the law allows (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, and others) and will tell you in writing if we do.