- ✓Encrypted at rest: Sensitive data including API keys is encrypted using industry-standard encryption
- ✓Secure cloud storage: Your projects and scan results are stored securely in your account
- ✓Cookie-free analytics: We use self-hosted Umami analytics, which collects no personal data and requires no cookies
- ✓No data selling: We do not sell, trade, or rent your personal information
- ✓Third-party processing: URL data is processed by OpenRouter's AI services during scans
PRIVACY POLICY
Data Protection / Privacy Rights / Security Framework
Privacy at a Glance
Introduction
AccessHawk ("the Service") is built and operated by JonesLabs LLC (joneslabs.dev) ("we," "our," or "us"). We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered accessibility scanning service at accesshawk.ai.
By using AccessHawk, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use the Service.
Information We Collect
Information You Provide
Account Information
When you create an account, we collect your email address and name. If you sign up or log in using Google, GitHub, or Microsoft OAuth, we only request your name and email address from these providers—no additional permissions or data are requested. You can link or unlink OAuth accounts from your Account Settings at any time.
URLs for Scanning
When you submit a URL for accessibility scanning, our server accesses that URL to capture screenshots, accessibility tree data, and HTML structure. Scan results and screenshots are stored in your account so you can access them later. You can delete individual scans or your entire account at any time.
API Keys (BYOK Overflow)
Paid users can optionally provide their OpenRouter API key to continue scanning after exhausting included monthly scans. Your API key is encrypted using AES-256-GCM encryption before storage and is only decrypted momentarily when making API requests on your behalf. We never log or store your API key in plaintext.
Information Collected Automatically
Analytics Data
We use Umami, a privacy-focused, cookie-free analytics platform self-hosted on our own infrastructure. Umami collects anonymous, aggregated usage data such as pages visited, referrer source, browser type, device type, and general geographic location (country/region level). No personal data is collected or shared with third parties.
Server Logs
Our servers may automatically log certain information such as IP addresses, request timestamps, and error messages. These logs are used for security monitoring and debugging purposes and are retained for a limited period.
Information Stored in Your Account
The following data is stored securely in your AccessHawk account:
- Your name and email address
- Linked OAuth provider identifiers (Google, GitHub, and/or Microsoft account IDs, if connected)
- Projects and scan history
- Scan results, reports, and screenshots
- Your encrypted API key (if provided for BYOK Overflow)
- Subscription status (billing is handled by our payment provider)
- Account preferences
You can delete your data at any time from Account Settings, including complete account deletion.
How We Use Information
We use the information we collect to:
- Provide the Service: Process accessibility scans by capturing webpage data and sending it to AI models for analysis
- Improve the Service: Analyze aggregated usage patterns to understand how the Service is used and identify areas for improvement
- Maintain security: Monitor for abuse, detect security threats, and protect the integrity of the Service
- Communicate: Respond to inquiries and provide customer support (if you contact us)
- Comply with legal obligations: Meet legal requirements and respond to lawful requests from authorities
Data Retention
Scan results, screenshots, and reports are stored in your account until you delete them. Raw HTML and accessibility tree data used during analysis are processed and then discarded after the scan completes.
If you configure an API key for BYOK Overflow, it is encrypted with AES-256-GCM and stored in your account. Keys are only decrypted momentarily during API requests and are never logged in plaintext. You can delete your API key at any time from Account Settings.
Basic server logs (excluding API keys and sensitive data) may be retained for up to 30 days for security and debugging purposes.
Umami analytics data is stored on our self-hosted infrastructure. All data is anonymous and aggregated. No personal data or cookies are involved.
Your projects, scan results, API keys, and account data are retained until you delete them or close your account. You can delete individual items or your entire account from Account Settings at any time.
Data Security
We implement appropriate technical and organizational measures to protect your data:
- AES-256-GCM encryption: Sensitive account data including API keys is encrypted at rest using AES-256-GCM, a military-grade encryption standard.
- HTTPS encryption: All data transmitted between your browser and our servers is encrypted using TLS
- Secure API key handling: API keys are never logged or stored in plaintext. They are validated before storage and explicitly excluded from all server logs.
- Content Security Policy: Strict CSP headers prevent cross-site scripting (XSS) attacks
- Input validation: URLs are validated to prevent server-side request forgery (SSRF) attacks
- Infrastructure security: Our hosting provider (Railway) maintains SOC 2 Type II and SOC 3 compliance, GDPR-compliant data handling, and HIPAA-ready infrastructure
For a detailed explanation of how these security measures protect you, see our Security Guide.
While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but commit to promptly addressing any security incidents.
Your Privacy Rights
All Users
Regardless of your location, you have the right to:
- Delete your data at any time
- Know what personal information we collect and how it is used
- Contact us with questions or concerns about your privacy
Delete Your Data
You have several options to delete your data:
- Delete individual scans: From your dashboard, click on a project to view scans, then delete individual scan results.
- Delete individual projects: Delete entire projects along with all associated scans from your dashboard.
- Remove API key: From Account Settings, remove your stored API key at any time.
- Delete account: Delete your entire account and all associated data from Account Settings.
European Economic Area (GDPR)
If you are located in the EEA, you have additional rights under the General Data Protection Regulation:
- Right of access: Request information about the personal data we hold about you
- Right to rectification: Request correction of inaccurate personal data
- Right to erasure: Request deletion of your personal data
- Right to restrict processing: Request limitation of processing of your personal data
- Right to data portability: Request transfer of your data to another service
- Right to object: Object to processing of your personal data
- Right to withdraw consent: Withdraw consent at any time
Our legal basis for processing personal data is legitimate interest in providing and improving the Service.
California Residents (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected
- Right to delete: Request deletion of personal information we have collected
- Right to opt-out: Opt out of the sale of personal information (note: we do not sell personal information)
- Right to non-discrimination: Not receive discriminatory treatment for exercising your rights
To Exercise Your Rights:
Contact us through our Contact page using the "Privacy/Data Requests" option. We will respond to verified requests within the timeframes required by applicable law (typically 30 days for GDPR, 45 days for CCPA).
Children's Privacy
AccessHawk is not intended for use by children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately using the "Privacy/Data Requests" option, and we will take steps to delete such information.
International Data Transfers
AccessHawk is operated by JonesLabs LLC from the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located.
By using the Service, you consent to the transfer of your information to the United States and other jurisdictions where we or our service providers operate. We implement appropriate safeguards to protect your data during international transfers, including:
- Using service providers that participate in recognized data transfer frameworks
- Implementing standard contractual clauses where required
- Ensuring appropriate technical and organizational measures are in place
Third-Party Websites
The Service may contain links to third-party websites (e.g., OpenRouter, WCAG documentation). This Privacy Policy applies only to AccessHawk. We are not responsible for the privacy practices of third-party websites. We encourage you to review the privacy policies of any third-party sites you visit.
When you submit a URL for scanning, our server accesses that third-party website to capture data. The owners of those websites may have their own logging and analytics that could record our server's access. We do not control and are not responsible for third-party website data practices.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:
- Update the "Last updated" date at the top of this policy
- For material changes, provide prominent notice on the Service
Your continued use of the Service after changes become effective constitutes your acceptance of the revised Privacy Policy. We encourage you to review this policy periodically.
Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
JonesLabs LLC (AccessHawk)
8735 Dunwoody Place #12250
Atlanta, GA 30350, United States
Website: https://accesshawk.ai
Company: https://joneslabs.dev
For privacy-related inquiries or to exercise your data rights, please visit our Contact page.
- For privacy requests: Select "Privacy/Data Requests"
- For general inquiries: Select "General Inquiry"
We will respond to verified requests within the timeframes required by applicable law.
For EU residents: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.