Privacy Policy
Last updated: 2026-05-08
1. Who we are
AccessProof is operated by Romain Lacube, registered as an individual entrepreneur (EI) in France.
- SIRET: 848 852 356 00031
- Address: 315 chemin de la Croix Verte, 13090 Aix-en-Provence, France
- Contact: [email protected]
We are the "data controller" under the EU General Data Protection Regulation (GDPR) for the data described below.
2. What data we collect
Account data
- Email address (required for sign-up and login)
- Hashed password (bcrypt, never stored in plain text)
- Account plan and subscription status
Site & scan data
- URLs of the websites you ask us to scan
- Accessibility audit results (axe-core output, WCAG score, issues list)
- Generated PDF reports
Technical data
- IP address (rate-limiting and abuse prevention, retained for at most 90 days)
- User-Agent and request metadata (security logs)
- Session cookies (httpOnly, SameSite=Lax)
Payment data
Card details are never stored on our servers. Payments are processed entirely by Stripe; we only receive a customer ID and subscription status.
3. Why we use your data (legal basis)
- Contract: running scans, delivering reports, billing.
- Legitimate interest: security logs, fraud prevention, product analytics.
- Consent: marketing emails (only if you opt in).
- Legal obligation: invoicing, accounting (10-year retention required by French law).
4. How long we keep it
- Account data: until you delete your account, then purged within 30 days.
- Scan results: as long as your account is active. Deleting an account cascades to the deletion of its scan results.
- Invoices: 10 years (French accounting law).
- Security logs (IP / UA): 90 days.
5. Who we share it with (sub-processors)
| Processor | Purpose | Region |
|---|---|---|
| Fly.io | App + database hosting | EU (Paris, CDG) |
| Cloudflare | DNS, CDN, DDoS protection | Global |
| Upstash | Redis (queue, rate limiting) | EU |
| Stripe | Payments | US/EU (Stripe France) |
| Resend | Transactional emails | US |
All sub-processors are bound by Data Processing Agreements (DPAs) and either host within the EU/EEA or rely on Standard Contractual Clauses for international transfers.
6. Your rights (GDPR)
You can at any time:
- Request a copy of your data (right of access)
- Correct inaccurate data (right of rectification)
- Delete your account and all associated data (right to erasure)
- Restrict or object to processing
- Receive your data in a machine-readable format (data portability)
- Lodge a complaint with the French data protection authority (CNIL)
Email [email protected] with your request. We respond within 30 days.
7. Cookies
See our Cookie Policy. We only use strictly necessary cookies by default; analytics cookies require your consent.
8. Security
- HTTPS (TLS 1.2+) on every endpoint
- Passwords hashed with bcrypt (12 rounds)
- Session tokens are httpOnly, SameSite=Lax, and expire after 7 days
- Database backups daily, retained 30 days
- Multi-tenant isolation enforced at the API layer
9. Changes to this policy
We'll update the "Last updated" date and notify you by email of material changes at least 14 days before they take effect.
10. Contact
Questions: [email protected].