Privacy Policy
Effective date: April 7, 2026 · A product by Penguin Alley
1. Introduction
Penguin Alley (“we,” “us,” or “our”) operates FixMyAccess, a website accessibility scanning tool. This Privacy Policy explains how we collect, use, store, and protect your information when you use the Service. By using FixMyAccess, you agree to the collection and use of information in accordance with this Policy. Contact us at hello@penguinalley.com with any questions.
2. Information We Collect
Account Data
- Email address (required — used for authentication via magic link)
- Display name (optional — for account personalization)
- Account creation timestamp and subscription tier
Scan Data
- URLs you submit for accessibility scanning
- Scan results, identified WCAG violations, and severity classifications
- AI-generated remediation suggestions (cached per-issue to reduce processing)
- Scan timestamps and scan history
Payment Information (via Stripe)
Payment processing is handled entirely by Stripe, Inc. We do not store credit card numbers, bank account details, or full payment information. We receive and store only a Stripe customer ID and subscription status to manage your plan. Stripe's Privacy Policy applies to payment data: stripe.com/privacy.
Technical Data
- Browser type and version (for compatibility)
- Error logs and stack traces for debugging (via Sentry)
- Feature usage patterns within the Service (aggregated)
Cookies
We use minimal cookies — authentication session cookies only (set by Supabase Auth). We do not use advertising, tracking, or analytics cookies. You may disable cookies in your browser, but this will prevent you from logging into your account.
3. How We Use Your Information
- To provide, operate, and maintain the accessibility scanning Service
- To generate AI-powered remediation suggestions (scan data sent to Anthropic Claude Haiku per-request — see Section 5)
- To process payments and manage your subscription via Stripe
- To send transactional emails (scan results, account updates, billing) via Resend
- To detect, prevent, and address abuse, fraud, or security threats
- To improve the Service using aggregated, anonymized usage data
- To respond to your support requests and legal obligations
We do not sell your personal data. We do not use your data for advertising or share it with data brokers.
4. AI Processing Disclosure
EU AI Act Article 50 — AI Transparency
When you request remediation suggestions, relevant scan data (issue type, element HTML, WCAG criterion) is sent to Anthropic's Claude Haiku model for processing. This data is not used to train Anthropic's models — it is processed per-request and not retained by Anthropic beyond the API response. All AI-generated suggestions are labeled as AI-generated within the product interface, as required by EU AI Act Article 50.
Remediation suggestions are cached in our database to avoid redundant AI calls for identical issues. Cached suggestions include the same AI-generated label. Anthropic's usage policies apply to this processing: anthropic.com/legal/privacy.
5. Data Retention
- Account data is retained while your account is active
- Scan results and issue reports are retained for the duration of your subscription
- Upon account deletion, all personal data is deleted within 30 days, except where retention is required by applicable law
- Error logs (Sentry) are retained for 30 days then automatically purged
- Anonymized, aggregated data (e.g., most common WCAG violations across all scans) may be retained indefinitely for product improvement
6. Third-Party Services
We share data with the following processors only to the extent necessary to provide the Service:
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Database & authentication | Account data, scan data |
| Stripe | Payment processing | Email, billing details |
| Vercel | Application hosting | Request logs (transient) |
| Anthropic | AI remediation suggestions | Issue HTML snippets (per-request) |
| Resend | Transactional email | Email address, message content |
| Sentry | Error monitoring | Error logs, stack traces |
7. Security Measures
We implement industry-standard security measures to protect your data:
- All data encrypted in transit via TLS 1.2+
- Data at rest encrypted in Supabase (AES-256)
- Row-Level Security (RLS) enforced at the database layer
- Authentication via magic link (no stored passwords)
- API endpoints protected with authentication and rate limiting
- Cloudflare Turnstile for bot protection on public-facing forms
No method of transmission over the internet is 100% secure. We cannot guarantee absolute security of your data. Please notify us at hello@penguinalley.com if you discover a security vulnerability.
8. California Privacy Rights (CCPA / CalOPPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request disclosure of personal information we have collected, used, disclosed, or sold in the past 12 months
- Right to Delete: Request deletion of your personal information, subject to certain exceptions
- Right to Opt-Out: We do not sell personal information, so no opt-out is necessary
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
To exercise your rights, contact us at hello@penguinalley.com with “California Privacy Request” in the subject line. We will respond within 45 days as required by law.
9. Children's Privacy
FixMyAccess is not directed to children under 13 years of age, and we do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13 without parental consent, we will delete that information promptly. If you believe we may have collected information from a child under 13, please contact us at hello@penguinalley.com.
10. International Transfers
Our Service is hosted primarily in the United States (us-east-1 region via Supabase and Vercel). If you are accessing the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We rely on our data processor agreements to ensure adequate protection for international data transfers in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) where applicable.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a prominent notice in the Service at least 14 days before the changes take effect. We will update the effective date at the top of this page with each revision. We encourage you to review this Policy periodically.
12. Contact
For privacy-related inquiries, to exercise your data rights, or to report a security concern, contact us:
Penguin Alley
Email: hello@penguinalley.com
Website: penguinalley.com