Skip to main content
Legal · Cookies

Cookie Policy

Every cookie WCAGHub sets — why it exists, how long it lives, and how you can control it. Eight cookies in total, all strictly necessary. No consent banner, because nothing here would require one.

  • Effective: 19 April 2026
  • Version 2.1
  • Applies globally

1. What cookies are

Cookies are small text files placed on your device (computer, tablet or phone) when you visit a website. They let the site remember information about your session — whether you are logged in, your language preference, a payment in progress — across page loads. Cookies are a standard part of how the web works and are used by almost every website on the internet.

There are different ways to group cookies:

  • Session cookies are deleted when you close your browser.
  • Persistent cookies remain on your device for a set period (anywhere from minutes to years).
  • First-party cookies are set by the website you are visiting (here, wcaghub.com).
  • Third-party cookies are set by a different domain included on the page — for WCAGHub, that means only Stripe (during checkout).

This Cookie Policy explains which cookies WCAGHub uses, why, how long they last, and how you can control them. It sits alongside our Privacy Policy, which covers the wider topic of personal data.

2. Our approach — only what is strictly necessary

WCAGHub uses only cookies that are strictly necessary for the Service to work or for payment to complete. Specifically:

  • WordPress session cookies — so you stay logged in.
  • PHP session cookie — so the server can hold your in-progress scan.
  • A language-preference cookie — so the dashboard remembers your locale.
  • Stripe cookies during checkout — for fraud prevention and payment session continuity.

That is the complete list. We do not use cookies for analytics, advertising, behavioural tracking, A/B testing, heatmaps, session replay or cross-site profiling. An accessibility tool is the kind of product whose users are especially likely to care about surveillance; we have built the Service that way on purpose.

Short answer

Eight cookies in total across the whole Service, all of them strictly necessary or functional-for-payment. No consent banner — because there is nothing that would require one.

3. Essential cookies we set

These cookies are first-party (set by wcaghub.com) and strictly necessary. Without them, logging in and using the dashboard would not work. They are exempt from consent requirements under Article 5(3) of the EU ePrivacy Directive and regulation 6(4) of the UK PECR.

Cookie Set by Purpose Duration
wordpress_logged_in_*WCAGHub (WordPress)Maintains your login session and authenticates you as a registered user.Session
wordpress_sec_*WCAGHub (WordPress)Additional security signature for authenticated sessions over HTTPS.Session
wp_langWCAGHub (WordPress)Remembers your preferred language so the dashboard is not reset each visit.Session
wordpress_test_cookieWCAGHub (WordPress)Checks whether your browser accepts cookies at all, so we can warn you if a session cannot be established.Session
PHPSESSIDWCAGHub (PHP)Server-side session identifier used while a scan request is in flight, so the VPS worker can attach results to your session.Session

"Session" here means the cookie is deleted when you close your browser. None of these cookies contain your plain-text password, billing details or the content you upload.

4. Payment cookies (Stripe, third-party)

When you buy a subscription or top-up on WCAGHub, payment is processed by Stripe Payments Europe, Limited (EU customers) or Stripe, Inc. (all other customers). Stripe sets cookies on the checkout flow for fraud prevention and to keep your payment session coherent. These cookies are third-party to wcaghub.com — they are set by stripe.com and js.stripe.com.

Stripe's cookies are considered functional / strictly-necessary-for-payment: without them, Stripe cannot reliably protect your card against fraud, so the checkout will not complete. We include them only because they are required for payment to work; we do not read their contents.

Cookie Set by Purpose Duration
__stripe_midStripe (m.stripe.com)Stable machine identifier used by Stripe Radar for fraud prevention and payment-method verification.1 year
__stripe_sidStripe (m.stripe.com)Short-lived checkout session identifier; keeps a payment flow linked while you confirm details.30 minutes
mStripe (stripe.com)Stripe platform cookie — supports internal service continuity across the Stripe network.2 years

For Stripe's own explanation of how these cookies are used and the legal bases Stripe relies on, see stripe.com/cookies-policy/legal and Stripe's privacy policy.

5. Cookies and tracking tech we do NOT use

Because we regularly get asked, here is an explicit list of the tech WCAGHub does not use anywhere on wcaghub.com or the three scan tools. None of these cookies, pixels or scripts are present in the delivered HTML.

  • No Google Analytics / GA4 — no _ga, _gid, _gat or equivalent.
  • No Meta / Facebook Pixel — no fbp, fbc or conversion tracking.
  • No Google Ads, LinkedIn Insight, X (Twitter) Ads — no remarketing pixels of any kind.
  • No session-replay — no Hotjar, Microsoft Clarity, LogRocket, FullStory, or similar.
  • No behavioural A/B testing — no Optimizely, VWO or Google Optimize cookies.
  • No cross-site ad networks — no DoubleClick, Criteo, AppNexus, or DSP tags.
How you can verify

Open your browser's developer tools on any page of wcaghub.com, go to the Application (Chromium) or Storage (Firefox) tab, and inspect cookies. You should only ever see the cookies listed in sections 3 and 4 of this policy. If you see anything else that looks like it was set by WCAGHub, please email info@wcaghub.com so we can investigate.

6. Legal bases and consent

Different laws treat cookies differently. Here is how WCAGHub's cookie set maps to the main regimes.

6.1 European Union / European Economic Area

Under Article 5(3) of the ePrivacy Directive (2002/58/EC) storing information on a user's device requires consent unless the cookie is "strictly necessary for the provision of an information-society service explicitly requested by the subscriber or user." All WCAGHub cookies meet that test: WordPress and PHP session cookies are required to deliver the authenticated service you are requesting; Stripe cookies are required to complete the payment you initiated. No consent banner is legally required and we do not display one. For the underlying personal-data processing (e.g. IP address captured alongside a session) we rely on GDPR Art. 6(1)(b) performance of a contract and Art. 6(1)(f) legitimate interest in preventing payment fraud.

6.2 United Kingdom

The Privacy and Electronic Communications Regulations 2003 (PECR), reg. 6(4), mirror the EU position. WCAGHub's cookies fall within the strictly-necessary exemption.

6.3 Australia

Australian law has no cookie-specific regime. The Privacy Act 1988 and the Australian Privacy Principles (APPs) apply to personal information collected via cookies. APP 1 (open and transparent management) is satisfied by this Cookie Policy and the Privacy Policy.

6.4 California, USA (CCPA / CPRA)

WCAGHub does not "sell" or "share" personal information through cookies for cross-context behavioural advertising. No Global Privacy Control (Sec-GPC: 1) honoring is required because no selling or sharing takes place. California residents retain all other CCPA/CPRA rights; see the Privacy Policy, section 13.

6.5 Brazil (LGPD), Canada (PIPEDA), Switzerland (FADP)

Where cookies trigger personal-data processing in these jurisdictions, we rely on the equivalent of "contract performance" / "legitimate interest" under the local law. Each cookie is limited to what is necessary for the requested service.

7. How to control cookies

Because every cookie WCAGHub sets is strictly necessary, blocking them will have a concrete consequence — you will not be able to log in or complete a purchase. If you still want to block or delete them, your browser lets you do so at any time. Here are the official guides:

  • Google Chrome

    Settings → Privacy and security → Third-party cookies, or visit chrome://settings/cookies

  • Mozilla Firefox

    Settings → Privacy & Security → Cookies and Site Data, or visit about:preferences#privacy

  • Safari (macOS)

    Safari → Settings → Privacy → Manage Website Data

  • Microsoft Edge

    Settings → Cookies and site permissions → Manage and delete cookies

  • Brave

    Settings → Shields → Cookies (aggressive blocking available)

  • Mobile (iOS / Android)

    iOS: Settings → Safari → Advanced → Block All Cookies. Android: Chrome → Settings → Site settings → Cookies.

Impact of blocking

If you block all cookies for wcaghub.com you will not be able to log in, create a scan, or access your dashboard. If you block third-party cookies for stripe.com the checkout will fail. There is no workaround for these specific cookies because the Service literally cannot work without a session identifier.

8. Similar technologies

The ePrivacy rules do not only cover cookies — they cover any technology that stores information on, or reads it from, your device. For completeness, this is how WCAGHub uses each category.

8.1 localStorage and sessionStorage

The scan dashboard uses localStorage to cache two items: (a) your preferred dark/light theme; (b) the collapsed/expanded state of filter panels on the results page. Both values are local to your browser, never leave your device, and contain no personal data. You can clear them via your browser's "Clear site data" tool.

8.2 IndexedDB

The Web Checker extension (if you install it) may cache the last scan manifest in IndexedDB so a repeat scan can resume quickly. The plain Service at wcaghub.com does not use IndexedDB.

8.3 Server logs (not device-based)

Our VPS and hosting provider log each request for security and debugging: IP address, user agent, request path, response code, timestamp. Logs are retained for 30 days and then rotated. See the Privacy Policy, section 6, for full retention details.

8.4 No fingerprinting

We do not use canvas fingerprinting, font fingerprinting, audio fingerprinting, WebGL fingerprinting, device-ID generation or any similar technique. Stripe performs its own device-risk analysis inside the Stripe iframe during checkout; that is disclosed in Stripe's own privacy policy.

9. Changes to this policy

We update this Cookie Policy whenever we add, change or remove a cookie. When we make a material change — for example if we ever start using a cookie that is not strictly necessary, which would require a consent mechanism — we will update the effective date at the top of this page and notify active account holders by email at least 14 days before the change takes effect.

Minor edits (typo fixes, clarifications) will be made in place with the effective date updated. Prior versions are available on request from info@wcaghub.com.

10. Contact

If anything on this page is unclear, or you believe WCAGHub is setting a cookie that is not listed above — we want to hear from you.

All enquiries:
info@wcaghub.com

We aim to respond within 5 business days. For the full picture of how we handle personal data — not only cookies — please read our Privacy Policy.
Read the Privacy Policy All legal documents