Privacy Policy
How WCAGHub collects, uses, stores and protects personal data across our web, PDF and document accessibility tools — written for customers worldwide.
1. Who we are & legal entity
WCAGHub ("WCAGHub", "we", "us", "our") operates the website and platform accessible at wcaghub.com, together with the Web Accessibility Checker, PDF Accessibility Checker and Document Accessibility Checker (together, the "Service"). For the purposes of the EU/UK General Data Protection Regulation ("GDPR"), the Australian Privacy Act 1988 and comparable laws worldwide, we act as a data controller for account and billing data, and as a data processor for the content you upload for scanning.
WCAGHub Pty Ltd [registered trading name — placeholder]
ABN: [ABN — placeholder]
Registered address: [street, suburb, state, postcode — placeholder], Australia
Contact:
All enquiries: info@wcaghub.com
Website: wcaghub.com
We do not currently have a designated Data Protection Officer under Art. 37 GDPR because none of the triggering conditions in Art. 37(1) apply to us. For all data protection enquiries, please use the contact email above; enquiries are handled by our privacy lead.
Because we are established outside the EU and the UK but offer services to individuals in both regions, we will appoint a representative under Art. 27 GDPR / Art. 27 UK GDPR before volumes make it material. Contact details will be added here. In the meantime, EU/UK residents can exercise all rights directly via info@wcaghub.com.
2. Scope of this policy
This policy covers personal data we collect when you:
- visit wcaghub.com or any sub-domain we operate;
- create an account, log in or manage subscription credits;
- submit a URL, PDF or Office document for accessibility scanning;
- contact our support team, fill out a form, or email us;
- receive transactional email from us (e.g. receipts, scan-ready notifications).
It does not cover third-party websites, PDFs or documents reached via links inside the Service (for example a government compliance page we link to). Their privacy practices are governed by their own policies.
3. Information we collect
3.1 Account information
When you register for a WCAGHub account we collect:
- Email address — identifies the account and receives service email.
- Display name / username — used in the dashboard.
- Password — stored only as a bcrypt hash. We never store, log or transmit the plain-text password and cannot recover it.
- Locale & timezone — used to format dates and select language.
3.2 Payment & billing data
Payments are processed by Stripe, Inc. via Stripe Checkout. We do not see or store your card number, CVC or expiry. From Stripe we receive:
- transaction identifier, amount, currency and timestamp;
- billing name, billing country (used for tax) and last-four digits of the card for your own reference in your receipt history;
- subscription status and invoice PDFs.
3.3 Content you submit for scanning
- Web Checker — the URL you submit and, transiently, the rendered HTML/CSS/JS our scanner fetches. We do not persist page contents; only the structured scan results (issue list, counts, severity) and a full-page screenshot are stored against the scan record.
- PDF Checker — the uploaded PDF. The file is held only for the duration of the scan, then deleted automatically within 24 hours. Scan results (findings, score, page numbers) are retained with the scan record.
- Document Checker — uploaded .docx, .pptx and .xlsx files. The same 24-hour deletion applies to the file; only the result set is retained.
Please do not upload documents that contain special-category personal data (health records, biometric data, government ID scans, etc.) without first ensuring you have a lawful basis to share that content with a data processor. We recommend redacting or using synthetic test documents where practical.
3.4 Usage and scan history
- Records of scans you initiated: tool used, target URL or filename, timestamp, credit consumed, score and issue counts.
- Which reports you have opened and which tabs / filters you interacted with.
- Credit purchases, consumption and balance over time.
3.5 Technical & security data
Our servers log, for security, capacity planning and fraud-prevention purposes:
- IP address of the device making the request (retained in logs for up to 30 days, then rotated);
- User-agent — browser type and version, operating system family;
- HTTP request logs — path, status code, timestamp, referrer;
- Session cookie identifier — see section 10 for details.
3.6 Support communications
When you email us or submit a contact form, we retain the message, any attachments, our response and metadata (date, channel) for as long as necessary to handle the enquiry and comply with record-keeping obligations.
3.7 What we do NOT collect
We do not use Google Analytics, Google Tag Manager, Facebook Pixel, LinkedIn Insight, Mixpanel, Hotjar, FullStory, advertising cookies, cross-site tracking, or any third-party behavioural analytics. We do not sell personal data to anyone, ever.
4. How we use your information
We use personal data only for the following purposes:
4.1 Providing the Service
- Creating and authenticating your account;
- Running scans against URLs, PDFs and Office documents you submit;
- Showing scan results in the dashboard, generating PDF reports, delivering handoff summaries to the PDF Checker from the Document Checker, and supporting the AI Fix engine with minimal context snippets.
4.2 Billing and subscription management
- Charging your preferred payment method via Stripe;
- Issuing receipts and tax invoices compliant with your jurisdiction;
- Renewing or cancelling subscriptions based on your preferences.
4.3 Service email
We send transactional email strictly necessary for the Service — account-confirmation, password-reset, scan-complete notifications, payment receipts, security alerts and material changes to these legal documents. We do not send marketing email without your explicit, separate consent, and never spam.
4.4 Support
When you contact us, we use the information you provide to diagnose the issue, respond to your enquiry, and improve the relevant part of the Service.
4.5 Legal, security and fraud prevention
- Detecting and preventing credential-stuffing, abuse, scraping and denial-of-service;
- Complying with court orders, subpoenas, law-enforcement requests and statutory record-keeping obligations;
- Defending our legal rights.
4.6 Aggregate & anonymised analysis
We may produce aggregate, anonymised statistics about platform usage (e.g. "most common WCAG failure this month"). Such statistics cannot be used to identify any individual; they are not personal data and therefore fall outside data-protection law.
5. Legal bases for processing (GDPR)
If you are located in the European Economic Area, the United Kingdom or Switzerland, our processing of your personal data relies on one or more of the following legal bases under Art. 6 GDPR:
- Contract (Art. 6(1)(b)) — processing necessary to provide the Service you have signed up for: running scans, managing your account, charging credits.
- Legitimate interests (Art. 6(1)(f)) — keeping the Service secure and free from abuse, protecting our legal rights, operating our business. Our interest is balanced against your rights; you can object at any time using the contact in section 15.
- Legal obligation (Art. 6(1)(c)) — accounting, tax, anti-money-laundering and law-enforcement obligations in Australia and (where applicable) in your country.
- Consent (Art. 6(1)(a)) — for any optional feature that collects data beyond what the Service needs to function (for example if we ever add a marketing newsletter). Consent can be withdrawn at any time without affecting prior processing.
For Australian users the equivalent framework is the Australian Privacy Principles (APPs) under the Privacy Act 1988. APP 3 ("collection of solicited personal information") and APP 6 ("use or disclosure") correspond most closely to the Contract and Legitimate-interests bases above.
6. Data retention
We retain personal data only for as long as needed for the purpose it was collected, or for a longer period if required by law.
| Data category | Retention period | Trigger for deletion |
|---|---|---|
| Account profile (email, username, password hash) | Life of account + 30 days | Account deletion or inactivity > 24 months |
| Uploaded PDF / Office files | Up to 24 hours | Automated deletion after scan completes |
| Scan results & reports | Life of account | Account deletion or user-initiated purge |
| Billing invoices | 7 years | Australian tax-record retention requirement |
| Server access logs (IP, user-agent) | 30 days | Automatic rotation |
| Security incident logs | Up to 24 months | Forensic review complete + regulator obligations met |
| Support tickets & email | 24 months after resolution | Then archived or deleted |
When your account is deleted, we purge your profile, scan history, reports and any uploaded files from production systems immediately; encrypted backups containing residual data expire on their normal 30-day rotation cycle.
7. Sub-processors we use
We engage a short list of carefully vetted sub-processors to deliver the Service. Each is bound by a written agreement imposing data-protection obligations consistent with this policy and, where applicable, the EU Standard Contractual Clauses ("SCCs") of Commission Implementing Decision (EU) 2021/914.
| Sub-processor | Role | Data processed | Region |
|---|---|---|---|
| DigitalOcean, LLC | Puppeteer scan workers | URL submitted, transient rendered HTML, screenshots | SG / AU |
| cPanel shared hosting | WordPress application & scan-history database | Account profile, scan records, reports | AU / EU |
| ChemiCloud, LLC | Secondary hosting & mail infrastructure | Account email, transactional messages | US |
| Stripe, Inc. | Payment processing & invoicing | Card data (never touches our servers), billing name, country | IE / US |
| Anthropic, PBC | AI Fix engine (framework-aware fix suggestions) | Small HTML / document snippets tied to a detected issue | US |
| Transactional email provider [final vendor TBD] | Outbound service email | Recipient email, message body | US / EU |
We publish changes to this list on this page before new sub-processors are activated. If you have an active subscription, we will also notify account administrators by email at least 14 days before the change takes effect, so you can object if you wish.
8. International data transfers
Because our sub-processors operate in Australia, Singapore, the European Economic Area and the United States, your personal data may cross international borders. We rely on the following transfer mechanisms, as appropriate:
- For EEA, UK and Swiss data subjects we rely on the European Commission Standard Contractual Clauses (SCCs) (Module 2: Controller-to-Processor) supplemented by the UK International Data Transfer Addendum where the UK GDPR applies, together with supplementary technical measures (encryption at rest & in transit, access controls) where required by the Schrems II judgment.
- For Australian data subjects, transfers comply with APP 8 (cross-border disclosure of personal information). Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient does not breach the APPs.
- For California (CCPA/CPRA) and Canadian (PIPEDA) data subjects, our contracts with sub-processors contain equivalent data-protection commitments.
You can request a redacted copy of the applicable SCCs or our sub-processor agreements by emailing info@wcaghub.com.
9. Your data protection rights
Depending on where you live, you have some or all of the following rights. We honour each of them regardless of your jurisdiction, as a matter of global policy.
- Access — ask what personal data we hold about you and receive a machine-readable copy.
- Rectification — correct inaccurate or incomplete data. Most profile fields can be edited in your dashboard directly.
- Erasure ("right to be forgotten") — delete your account and all associated personal data, subject to statutory retention limits.
- Restriction — temporarily limit how we use your data while a dispute or objection is being resolved.
- Portability — receive your account data and scan history in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests, including direct marketing. We stop unless compelling legitimate grounds override.
- No automated decisions — we do not take decisions that produce legal or similarly significant effects on you based solely on automated processing.
- Complaint to a regulator — you can complain to the Australian OAIC or your EU / UK data protection authority; see section 13.
To exercise any of these rights, email info@wcaghub.com. We respond within 30 days (or one month under GDPR), and sooner in most cases. We may ask for proof of identity so that we do not disclose personal data to the wrong person.
10. Cookies
We use the bare minimum of cookies needed to make the Service work. None of them track you across sites or feed advertising networks.
| Cookie | Purpose | Type | Lifetime |
|---|---|---|---|
| wcaghub_session | Keeps you logged in | Strictly necessary | Session / 30 days if "stay signed in" |
| wcaghub_csrf | Cross-site request forgery protection | Strictly necessary | Session |
| wcaghub_consent | Records your cookie-banner choice | Strictly necessary | 12 months |
| __stripe_* | Stripe fraud-prevention during checkout | Strictly necessary | Session |
Because only strictly necessary cookies are used, EU/UK consent law (ePrivacy Directive, PECR) does not require prior consent. See our full Cookie Policy for details.
11. Data security
We take technical and organisational security measures proportionate to the risk of processing. These include, at a minimum:
- Encryption in transit — TLS 1.2+ enforced across all public endpoints.
- Encryption at rest — database volumes, object storage and backups encrypted with AES-256.
- Password storage — bcrypt / Argon2id with a per-account salt; plain-text passwords are never written to logs.
- Access control — role-based access, MFA enforced on all infrastructure accounts, audit logging.
- Network isolation — production databases and scan workers are not reachable from the public internet.
- Patching & dependency management — automated vulnerability scanning on application dependencies, OS packages and container images.
- Incident response — a documented procedure with 72-hour notification to supervisory authorities under Art. 33 GDPR where required, and notification to affected individuals under Art. 34 GDPR where the breach is likely to result in a high risk to their rights and freedoms.
- Vendor review — annual review of each sub-processor's security posture and certifications.
No online service is ever fully risk-free. If we become aware of a personal-data breach affecting your data, we will notify you without undue delay in accordance with applicable law.
12. Children's privacy
WCAGHub is designed for professional and organisational use. The Service is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact info@wcaghub.com and we will delete the data promptly.
For users located in the United States, the Service is not intended for, and does not knowingly collect personal information from, children under 13, consistent with COPPA (the Children's Online Privacy Protection Act).
13. Regional privacy notices
13.1 Australia (Privacy Act 1988, APPs)
WCAGHub is an Australian entity subject to the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles. See our Australia compliance brief. You may lodge a complaint with the Office of the Australian Information Commissioner (oaic.gov.au) if you consider your personal data has been mishandled.
13.2 European Economic Area & Switzerland (GDPR)
If you are in the EEA or Switzerland, you have the rights in section 9 above. You can complain to your local supervisory authority — a list is maintained at edpb.europa.eu. See our EU/EEA compliance brief.
13.3 United Kingdom (UK GDPR, Data Protection Act 2018)
Residents of England, Scotland, Wales and Northern Ireland can complain to the Information Commissioner's Office (ico.org.uk). See our UK compliance brief.
13.4 United States (CCPA / CPRA for California residents)
California residents have the right to know what personal information we collect, to request deletion, to correct inaccurate data, to opt out of the "sale" or "sharing" of personal information, and to limit the use of sensitive personal information. We do not sell or share personal information as defined under the CCPA/CPRA. We do not use personal information to build cross-context behavioural advertising profiles. See our US compliance brief.
13.5 Canada (PIPEDA)
Canadian residents can complain to the Office of the Privacy Commissioner (priv.gc.ca) if they believe we have mishandled their data. See our Canada compliance brief.
13.6 Brazil (LGPD)
Brazilian residents have rights broadly equivalent to GDPR under Lei Geral de Proteção de Dados (Law 13.709/2018). Use the privacy contact above to exercise them.
14. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we update the "Effective" date at the top of this page. If the changes are material — for example a new sub-processor, a new purpose of processing, a new legal basis or a change of data-retention period — we will also notify active account holders by email at least 14 days before the new version takes effect, giving you time to review the changes or close your account.
Prior versions of this policy are available on request from info@wcaghub.com.
15. Contact & complaints
Any question about this policy, the data we hold about you, or a right you want to exercise — write to us. We read every message.
info@wcaghub.com
Postal:
WCAGHub Pty Ltd [registered name — placeholder]
[street, suburb, state, postcode — placeholder], Australia
If you are unsatisfied with our response, you have the right to complain to your local data-protection authority (see section 13).