00

Privacy at a Glance

  • Encrypted at rest: Sensitive data including API keys is encrypted using industry-standard encryption
  • Secure cloud storage: Your projects and scan results are stored securely in your account
  • Cookie-free analytics: We use self-hosted Umami analytics, which collects no personal data and requires no cookies
  • No data selling: We do not sell, trade, or rent your personal information
  • Third-party processing: URL data is processed by OpenRouter's AI services during scans
01

Introduction

AccessHawk ("the Service") is built and operated by JonesLabs LLC (joneslabs.dev) ("we," "our," or "us"). We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered accessibility scanning service at accesshawk.ai.

By using AccessHawk, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use the Service.

02

Information We Collect

Information You Provide

Account Information

When you create an account, we collect your email address and name. If you sign up or log in using Google, GitHub, or Microsoft OAuth, we only request your name and email address from these providers—no additional permissions or data are requested. You can link or unlink OAuth accounts from your Account Settings at any time.

URLs for Scanning

When you submit a URL for accessibility scanning, our server accesses that URL to capture screenshots, accessibility tree data, and HTML structure. Scan results and screenshots are stored in your account so you can access them later. You can delete individual scans or your entire account at any time.

API Keys (BYOK Overflow)

Paid users can optionally provide their OpenRouter API key to continue scanning after exhausting included monthly scans. Your API key is encrypted using AES-256-GCM encryption before storage and is only decrypted momentarily when making API requests on your behalf. We never log or store your API key in plaintext.

Information Collected Automatically

Analytics Data

We use Umami, a privacy-focused, cookie-free analytics platform self-hosted on our own infrastructure. Umami collects anonymous, aggregated usage data such as pages visited, referrer source, browser type, device type, and general geographic location (country/region level). No personal data is collected or shared with third parties.

Server Logs

Our servers may automatically log certain information such as IP addresses, request timestamps, and error messages. These logs are used for security monitoring and debugging purposes and are retained for a limited period.

Information Stored in Your Account

The following data is stored securely in your AccessHawk account:

  • Your name and email address
  • Linked OAuth provider identifiers (Google, GitHub, and/or Microsoft account IDs, if connected)
  • Projects and scan history
  • Scan results, reports, and screenshots
  • Your encrypted API key (if provided for BYOK Overflow)
  • Subscription status (billing is handled by our payment provider)
  • Account preferences

You can delete your data at any time from Account Settings, including complete account deletion.

03

How We Use Information

We use the information we collect to:

  • Provide the Service: Process accessibility scans by capturing webpage data and sending it to AI models for analysis
  • Improve the Service: Analyze aggregated usage patterns to understand how the Service is used and identify areas for improvement
  • Maintain security: Monitor for abuse, detect security threats, and protect the integrity of the Service
  • Communicate: Respond to inquiries and provide customer support (if you contact us)
  • Comply with legal obligations: Meet legal requirements and respond to lawful requests from authorities
04

Data Sharing & Third Parties

Important: AI Processing

When you perform a scan, the captured webpage data (screenshots, accessibility tree, HTML) is sent to OpenRouter, which routes requests to various AI model providers (Anthropic, OpenAI, Google, etc.). This data is processed according to OpenRouter's and the respective AI provider's privacy policies.

Third-Party Services We Use

Google OAuth

Optional authentication provider. We only request your name and email address—no other Google data is accessed.

Privacy Policy

GitHub OAuth

Optional authentication provider. We only request your name and email address—no repository or code access.

Privacy Policy

Microsoft OAuth

Optional authentication provider. We only request your name and email address via Microsoft Entra ID—no other Microsoft data is accessed.

Privacy Policy

Polar

Merchant of Record for payments and subscriptions. Handles billing, invoices, and sales tax compliance. Invoices will show "Polar Software, Inc."

Privacy Policy

OpenRouter

AI model routing service that processes scan data to generate accessibility reports.

Privacy Policy

Cloudflare

CDN, DDoS protection, and DNS services. All traffic passes through Cloudflare's network.

Privacy Policy

Umami (self-hosted)

Privacy-focused, cookie-free analytics hosted on our own infrastructure. No personal data is collected or shared with third parties.

About Umami

Railway

Cloud hosting platform where our servers run.

Privacy Policy

Google Fonts

Font delivery service for typography.

Privacy FAQ

We Do Not:

  • Sell, trade, or rent your personal information to third parties
  • Request additional permissions beyond name and email from OAuth providers (Google, GitHub, Microsoft)
  • Share your API keys with anyone other than OpenRouter for processing requests
  • Use your scan data for purposes other than providing the Service
  • Access your scan results except as necessary to provide technical support
05

Data Retention

1
Scan Data

Scan results, screenshots, and reports are stored in your account until you delete them. Raw HTML and accessibility tree data used during analysis are processed and then discarded after the scan completes.

2
API Keys (BYOK Overflow)

If you configure an API key for BYOK Overflow, it is encrypted with AES-256-GCM and stored in your account. Keys are only decrypted momentarily during API requests and are never logged in plaintext. You can delete your API key at any time from Account Settings.

3
Server Logs

Basic server logs (excluding API keys and sensitive data) may be retained for up to 30 days for security and debugging purposes.

4
Analytics Data

Umami analytics data is stored on our self-hosted infrastructure. All data is anonymous and aggregated. No personal data or cookies are involved.

5
Account Data

Your projects, scan results, API keys, and account data are retained until you delete them or close your account. You can delete individual items or your entire account from Account Settings at any time.

06

Data Security

We implement appropriate technical and organizational measures to protect your data:

  • AES-256-GCM encryption: Sensitive account data including API keys is encrypted at rest using AES-256-GCM, a military-grade encryption standard.
  • HTTPS encryption: All data transmitted between your browser and our servers is encrypted using TLS
  • Secure API key handling: API keys are never logged or stored in plaintext. They are validated before storage and explicitly excluded from all server logs.
  • Content Security Policy: Strict CSP headers prevent cross-site scripting (XSS) attacks
  • Input validation: URLs are validated to prevent server-side request forgery (SSRF) attacks
  • Infrastructure security: Our hosting provider (Railway) maintains SOC 2 Type II and SOC 3 compliance, GDPR-compliant data handling, and HIPAA-ready infrastructure

For a detailed explanation of how these security measures protect you, see our Security Guide.

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but commit to promptly addressing any security incidents.

07

Your Privacy Rights

All Users

Regardless of your location, you have the right to:

  • Delete your data at any time
  • Know what personal information we collect and how it is used
  • Contact us with questions or concerns about your privacy

Delete Your Data

You have several options to delete your data:

  • Delete individual scans: From your dashboard, click on a project to view scans, then delete individual scan results.
  • Delete individual projects: Delete entire projects along with all associated scans from your dashboard.
  • Remove API key: From Account Settings, remove your stored API key at any time.
  • Delete account: Delete your entire account and all associated data from Account Settings.

European Economic Area (GDPR)

If you are located in the EEA, you have additional rights under the General Data Protection Regulation:

  • Right of access: Request information about the personal data we hold about you
  • Right to rectification: Request correction of inaccurate personal data
  • Right to erasure: Request deletion of your personal data
  • Right to restrict processing: Request limitation of processing of your personal data
  • Right to data portability: Request transfer of your data to another service
  • Right to object: Object to processing of your personal data
  • Right to withdraw consent: Withdraw consent at any time

Our legal basis for processing personal data is legitimate interest in providing and improving the Service.

California Residents (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to know: Request disclosure of the categories and specific pieces of personal information we have collected
  • Right to delete: Request deletion of personal information we have collected
  • Right to opt-out: Opt out of the sale of personal information (note: we do not sell personal information)
  • Right to non-discrimination: Not receive discriminatory treatment for exercising your rights

To Exercise Your Rights:

Contact us through our Contact page using the "Privacy/Data Requests" option. We will respond to verified requests within the timeframes required by applicable law (typically 30 days for GDPR, 45 days for CCPA).

08

Cookies & Tracking

AccessHawk uses minimal cookies and tracking technologies:

Analytics (Cookie-Free)

We use Umami, a privacy-focused analytics platform that does not use cookies or collect personal data. Umami is self-hosted on our own infrastructure, so no data is shared with third parties.

Authentication Cookies

Secure session cookies are used to keep you logged in to your account. These are essential for the Service to function.

You can manage cookies through your browser settings. Disabling cookies will require you to log in more frequently but will not affect analytics, as our analytics solution is cookie-free.

09

Children's Privacy

AccessHawk is not intended for use by children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately using the "Privacy/Data Requests" option, and we will take steps to delete such information.

10

International Data Transfers

AccessHawk is operated by JonesLabs LLC from the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located.

By using the Service, you consent to the transfer of your information to the United States and other jurisdictions where we or our service providers operate. We implement appropriate safeguards to protect your data during international transfers, including:

  • Using service providers that participate in recognized data transfer frameworks
  • Implementing standard contractual clauses where required
  • Ensuring appropriate technical and organizational measures are in place
11

Third-Party Websites

The Service may contain links to third-party websites (e.g., OpenRouter, WCAG documentation). This Privacy Policy applies only to AccessHawk. We are not responsible for the privacy practices of third-party websites. We encourage you to review the privacy policies of any third-party sites you visit.

When you submit a URL for scanning, our server accesses that third-party website to capture data. The owners of those websites may have their own logging and analytics that could record our server's access. We do not control and are not responsible for third-party website data practices.

12

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:

  • Update the "Last updated" date at the top of this policy
  • For material changes, provide prominent notice on the Service

Your continued use of the Service after changes become effective constitutes your acceptance of the revised Privacy Policy. We encourage you to review this policy periodically.

13

Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

JonesLabs LLC (AccessHawk)

8735 Dunwoody Place #12250
Atlanta, GA 30350, United States

Website: https://accesshawk.ai

Company: https://joneslabs.dev

For privacy-related inquiries or to exercise your data rights, please visit our Contact page.

  • For privacy requests: Select "Privacy/Data Requests"
  • For general inquiries: Select "General Inquiry"

We will respond to verified requests within the timeframes required by applicable law.

For EU residents: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.