Privacy Policy
Last updated: April 14, 2026
ADAfriendly ("we," "us," "our") operates the ADAfriendly accessibility compliance platform at adafriendly.ai. This policy explains what personal information we collect, how we use it, and the choices you have.
This policy applies to the ADAfriendly website, web app, WordPress plugin, Shopify app, and JavaScript accessibility widget.
1. Information we collect
Account information
When you create an account, we collect your email address, password (stored hashed via Supabase Auth), and optional profile information. If you sign in with Google, we receive your email and basic profile details from Google.
Billing information
Payments are processed by Stripe. We do not store full payment card numbers. We store your Stripe customer ID, subscription plan, and billing status.
Site and scan data
When you add a site, we scan its public pages with an automated crawler and record the accessibility issues found. We store the URL, page content excerpts relevant to detected violations, and the results of our AI-generated explanations and fix suggestions.
Widget visitor data
Our accessibility widget runs in visitor browsers on your customers' sites. The widget does not collect personal data about end-users by default. It reports aggregate installation status (site ID, page URL) to our servers so we can verify the widget is installed.
Usage analytics
We use PostHog to understand how customers use our dashboard. PostHog captures page views, button clicks, and anonymized user identifiers. You can opt out at any time via browser settings that block analytics cookies.
2. How we use your information
- To provide the ADAfriendly service and run accessibility scans
- To process payments and manage your subscription
- To generate AI-powered explanations and fix suggestions for your violations
- To send transactional emails (scan results, weekly reports, receipts)
- To detect and prevent fraud, abuse, and security threats
- To improve our product through anonymized analytics
3. Service providers we use
We share data only with service providers necessary to run the product. Each provider is contractually bound to protect your data:
- Supabase — database, authentication, file storage
- Stripe — payments and billing
- Anthropic (Claude) — AI explanations and fix suggestions; scan content excerpts are sent to generate plain-English explanations. Anthropic does not use this data to train their models.
- Resend — transactional email delivery
- Vercel — hosting the web app
- Inngest — background job orchestration for scans
- PostHog — product analytics (self-hosted in the EU or US)
4. Data retention
Account data is retained while your account is active. Scan results are retained for the duration of your subscription plus 90 days. Audit logs for compliance purposes are retained for 7 years as required for ADA/WCAG defense records. You may request deletion at any time by emailing privacy@adafriendly.ai.
5. Your rights
GDPR (European Economic Area, UK, Switzerland)
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion (right to be forgotten)
- Export your data in a portable format
- Object to processing or request restriction
- Lodge a complaint with your local data protection authority
CCPA / CPRA (California residents)
You have the right to:
- Know what personal information we collect and how it is used
- Delete personal information we have collected about you
- Opt out of the sale or sharing of your personal information (we do not sell personal information)
- Non-discrimination for exercising your privacy rights
To exercise any of these rights, email privacy@adafriendly.ai or visit your account settings.
6. Cookies
We use cookies to keep you signed in, remember your preferences, and measure product usage. Essential cookies are required for the service to function. Analytics cookies can be declined in your browser.
7. Security
We encrypt data in transit using TLS and store sensitive credentials (e.g., Shopify OAuth tokens) encrypted at rest using AES-256-GCM. We use Row Level Security on our database so one customer can never access another customer's data.
8. International transfers
Our servers are primarily located in the United States. If you access the service from outside the US, your data will be transferred to the US for processing, under appropriate safeguards (Standard Contractual Clauses for EEA data).
9. Children
ADAfriendly is not intended for children under 16. We do not knowingly collect personal information from children.
10. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email to your account address at least 30 days before taking effect.
11. Contact
Questions about privacy: privacy@adafriendly.ai
Data Protection Officer (EEA/UK): dpo@adafriendly.ai