Fair Access Shield privacy policy ready.
Fair Access Shield
Privacy Policy
This draft describes how Fair Access Shield expects to collect, use, retain, and protect data when people create accounts, submit sites for accessibility scans, use Studio, export evidence, and manage billing.
Controller and contact
Fair Access Shield is the data controller for account, product, support, and scan data handled through this service unless a signed customer agreement says otherwise. Privacy requests go to privacy@fairaccessshield.com.
Data we collect
- Account data from Google OAuth, including name, email address, profile picture, and Google user ID.
- Billing identifiers and subscription state from Stripe. Stripe stores card numbers and payment method details; Fair Access Shield receives customer ids, subscription ids, invoice status, and plan status.
- Scan input, including URLs and domains submitted by a user.
- Scan output, including DOM snapshots, accessibility findings, screenshots of scanned pages, evidence exports, and Studio handoff metadata.
- Usage data such as page views, feature use, error logs, device/browser information, and security signals. Fair Access Shield does not currently use third-party advertising pixels.
Legal basis
Fair Access Shield expects to process data under consent, contract necessity, and legitimate interest. EEA users may have GDPR rights; California users may have CCPA/CPRA rights; users elsewhere may have rights under local privacy laws. This draft must be reconciled with the jurisdictions where the service is sold.
Retention
- Account records: account lifetime plus 90 days after deletion, unless a legal hold or billing dispute requires longer retention.
- Scan artifacts and evidence exports: 12 months unless the user deletes them earlier or a customer agreement sets a shorter period.
- Security and application logs: 30 days unless needed to investigate misuse, fraud, service abuse, or a support incident.
Processors
Fair Access Shield expects to use Google for authentication, Stripe for billing, a hosting provider for application infrastructure, and a transactional email sender for account and operational notices. A current DPA list may be requested at privacy@fairaccessshield.com.
Privacy rights
Depending on location, users may request access, deletion, correction, portability, objection to processing, or withdrawal of consent. Fair Access Shield expects to respond within 30 days unless a shorter legal deadline applies.
Cookies
The service expects to use session and CSRF cookies needed for login, account security, and service operation. It does not currently use advertising cookies. If analytics beyond necessary service telemetry are added, this policy and any consent flow must be updated before launch in jurisdictions that require consent.
Children
Fair Access Shield is not intended for anyone under 16 and does not knowingly collect data from children under 16. The matching minimum-age requirement belongs in the Terms of Service.
International transfers
Data is expected to be stored in the United States. For EEA-resident users, Standard Contractual Clauses or another approved transfer mechanism should be available on request once counsel approves the final policy.
Updates
Material changes should receive 30 days of notice by email and in-product notice. Non-material corrections may be posted by updating this page. A review is triggered by new processors, new analytics, new retention periods, new jurisdictions, or a material product change.