Privacy Policy

Effective date: 26 April 2026. This policy explains how [COMPANY NAME] (“AriaWAI”, “we”, “us”) collects, uses, and protects data when you use the AriaWAI service or visit ariawai.com.

1. Data controller

The data controller is [COMPANY NAME], registered in England and Wales (company number [NUMBER]), whose registered office is at [ADDRESS].

For data protection enquiries, contact us at support@ariawai.com.

2. What data we collect and why

We collect data through three channels:

A. Account and billing data (Customers)

When you create an account or subscribe, we collect your email address, the domain(s) you register, and payment information. Payment data (card numbers, bank details) is handled directly by Stripe and never touches our servers. We store only a Stripe customer ID and subscription status token.

Legal basis: Performance of contract (Article 6(1)(b) GDPR) — necessary to provide the Service and process your subscription.

B. Widget telemetry (anonymous, aggregate)

When a visitor uses the AriaWAI toolbar on your website, the widget records a lightweight telemetry event. Each event contains:

  • A session hash — a one-way SHA-256 hash derived from the site key, the calendar day, and a client-generated random identifier. It cannot be reversed to identify an individual and changes every calendar day. No persistent cookies or fingerprinting are used.
  • The type of action (e.g. widget opened, high-contrast enabled).
  • The active accessibility profile, if any.
  • The browser language (e.g. “en-GB”).
  • A best-effort country code (ISO-3166-1 alpha-2) derived from the visitor’s IP address at the edge — the IP address itself is not stored.
  • A user-agent family string (e.g. “Chrome”), not the full user-agent header.

Telemetry is aggregated nightly into per-site, per-day counts. The underlying event records are retained for 90 days and then permanently deleted. Aggregate daily statistics are retained indefinitely so you can review long-term trends.

Legal basis: Legitimate interests (Article 6(1)(f) GDPR) — providing anonymised analytics to the site operator improves the accessibility of the web. We have assessed that this interest is not overridden by the rights of End Users because no individual is identified and the data has a direct accessibility benefit.

C. Scan report data

When you run a WCAG scan, our crawler visits publicly accessible pages on the domain you provide. We store the list of URLs scanned and the accessibility violations detected on each page (HTML fragments, CSS selectors, and rule descriptions). Scan results are retained for 12 months and then deleted.

Legal basis: Performance of contract (Article 6(1)(b) GDPR).

3. Licence verification

On each page load, the AriaWAI widget makes a lightweight request to our API to verify that your site key has an active licence. This request carries the site key only; no End User data is transmitted. If the request fails the widget remains fully functional (fail-open design).

4. Cookies and local storage

The AriaWAI widget stores the visitor’s selected accessibility preferences (e.g. font size level, contrast mode) in localStorage on the visitor’s own device so their choices persist across page loads. This data never leaves the visitor’s browser. No cookies are set by the widget.

The AriaWAI dashboard web application uses a single session cookie set by Supabase Auth to maintain your logged-in state. This cookie is strictly necessary for the service to function and is exempt from consent requirements under the PECR.

We do not use advertising, tracking, or analytics cookies. We do not use Google Analytics, Facebook Pixel, or any third-party tracking technology.

5. Data storage and security

All data is stored on a self-hosted Supabase (PostgreSQL) instance running on a dedicated server located in the United Kingdom. Data does not leave the United Kingdom in the ordinary course of business.

Payment processing is handled by Stripe. Stripe’s infrastructure is PCI-DSS Level 1 certified. Their privacy policy is available at stripe.com/gb/privacy.

We apply industry-standard security measures including encryption in transit (TLS 1.2+), encryption at rest, row-level security policies on all database tables, and regular automated backups. Access to production systems is restricted to authorised personnel and protected by SSH key authentication.

6. Data sharing and third parties

We do not sell your data. We share data only in the following limited circumstances:

  • Stripe — for payment processing and subscription management. Data shared: email, name, billing address.
  • Transactional email — we send account-related emails (password reset, invoice receipts) via Resend. Data shared: your email address and the content of the transactional email.
  • Legal obligations — we may disclose data when required by law, court order, or to protect the rights, safety, or property of AriaWAI or others.
  • Business transfers — in the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquirer subject to the same privacy protections.

All third-party processors are subject to data processing agreements consistent with GDPR requirements.

7. Data retention

Data category | Retention period
Account and profile data | For the lifetime of your account, then 30 days after closure
Billing records (invoices) | 7 years (UK legal requirement)
Widget telemetry events (raw) | 90 days, then permanently deleted
Aggregated daily statistics | Indefinite (no personal data)
Scan results | 12 months
Server logs (access, error) | 30 days

8. Your rights

Under the UK GDPR and EU GDPR you have the following rights in relation to your personal data:

  • Right of access. You may request a copy of all personal data we hold about you.
  • Right to rectification. You may ask us to correct inaccurate or incomplete data.
  • Right to erasure. You may ask us to delete your data where there is no legitimate reason for us to continue processing it.
  • Right to restriction. You may ask us to restrict the processing of your data in certain circumstances.
  • Right to data portability. You may request your account data in a structured, machine-readable format (JSON or CSV). Contact us to make this request.
  • Right to object. You may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling grounds that override your interests.
  • Rights related to automated decision-making. We do not use automated decision-making or profiling that produces legal or similarly significant effects.

To exercise any of these rights, email support@ariawai.com. We will respond within 30 days. If you are unsatisfied with our response you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) (UK) or your local supervisory authority.

9. Children's data

The Service is directed at businesses and professionals aged 18 and over. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected such data we will delete it promptly.

10. End User data and your responsibilities as a Customer

When AriaWAI is installed on your website, you become a data controller in respect of your End Users, and AriaWAI acts as your data processor for the widget telemetry. You are responsible for:

  • Disclosing to your End Users in your own privacy policy that AriaWAI is installed and that aggregate, anonymised usage data is collected;
  • Ensuring you have a lawful basis for the processing described in section 2B above;
  • Complying with the PECR (or equivalent national law) where applicable in relation to the localStorage usage described in section 4.

We have prepared suggested disclosure language you can add to your privacy policy on request.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 14 days before they take effect. The current version is always available at ariawai.com/privacy.

12. Contact

For any questions, data requests, or complaints:

[COMPANY NAME]
[ADDRESS]
Email: support@ariawai.com