GDPR Compliance
AllAccessible is designed to support General Data Protection Regulation (GDPR) compliance. We collect only necessary data to provide our services and comply with legal requirements.
What Data We Collect & Why
Transparent data practices compliant with GDPR Article 13 & 14
Marketing Website (allaccessible.org)
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
Data Collected
- • Analytics data (Google Tag Manager, Google Analytics)
- • Conversion tracking (Google Ads, LinkedIn, Facebook)
- • Form submissions (name, email, company, message)
- • IP address (for fraud prevention)
- • Language preference
Purpose
- • Measure marketing campaign effectiveness
- • Improve website user experience
- • Process demo/contact requests
- • Provide customer support
- • Remember your language choice
Accessibility Widget (Client Websites)
Legal basis: Legitimate interest + User consent for preferences
✅ Anonymized Usage Metrics
- • Widget activations (no user identification)
- • Feature usage aggregated by website
- • No IP addresses, no cookies for tracking
- • Website-level statistics only
🔒 User Preference Storage (Cookies & LocalStorage)
- • <code>aacxValidated</code> - Short-lived validation cookie (~10 minutes)
- • <code>accessibilityWidgetHidden</code> - Remembers if you've hidden the widget (functional cookie, ~1 year)
- • Widget position - Remembers where the widget button sits on the page (functional cookie)
- • <code>overrideOptions</code> - Your accessibility settings (text size, contrast, etc.), stored in your browser's local storage
- • <strong>Your accessibility settings stay on your device and are not sent to our servers.</strong> Separately, the widget sends anonymous usage data (which tools were used and the page visited) to help improve the product - never your name, email, or activity across other sites
Application Users (app.allaccessible.org)
Legal basis: Contract performance (Art. 6(1)(b) GDPR)
Data Collected
- • Account information (email, name, company)
- • Website/domain configurations
- • Audit history and scan results
- • Usage metrics and analytics
- • Billing information (via Stripe)
Purpose
- • Provide accessibility services
- • Generate compliance reports
- • Process payments
- • Customer support
- • Service improvements
Accommodation Requests
Legal basis: Legal obligation + Explicit consent for health data
Basic Accommodation Requests
- • Employee name, request type, description
- • No medical/health information
- • Available to all customers
⚠️ Advanced Accommodation (Protected Health Information)
- • Medical documentation and health conditions
- • Disability details and treatment requirements
- • <strong>Requires signed HIPAA Business Associate Agreement</strong>
- • Only available with executed BAA
- • Encrypted storage, audit logs, access controls
<strong>Important:</strong> We do NOT process protected health information without a valid HIPAA BAA in place. Contact us to execute a BAA before using advanced accommodation features.
Your GDPR Rights
Under GDPR, you have comprehensive rights regarding your personal data
Right to Access
Request a copy of all personal data we hold about you
Right to Erasure
Request deletion of your personal data ("right to be forgotten")
Right to Rectification
Correct inaccurate or incomplete personal data
Right to Data Portability
Receive your data in a structured, machine-readable format
Privacy-First Widget Design
Widget usage is completely anonymized
Anonymous Widget Usage
Widget interactions are tracked at website level only, with no individual user tracking
Preferences Stay on the Device
A visitor's chosen accessibility settings are saved in their own browser and are not uploaded to our servers; only anonymous usage (which tools were used) is recorded separately
Minimal Cookie Footprint
The widget uses only strictly-necessary functional cookies and anonymous usage analytics — no personal, identifying, or cross-site tracking data. Site owners disclose AllAccessible's use within their own terms of service and accessibility statement.
What Data We Do NOT Collect
EU Representative & DPO
Professional EU representation and data protection services
Article 27 EU Representative
Prighter Group
Provided by iuro Rechtsanwälte GmbH t/a Prighter
EU Address
Schellinggasse 3, 1010 Vienna, Austria
Responsibilities
- Receive GDPR-related inquiries
- Coordinate with data protection authorities
- Handle data subject requests
- Provide information on data processing
Data Protection Officer (DPO)
Prighter provides professional Data Protection Officer services as required by GDPR Article 37-39.
EU GDPR Representation
Learn more about Prighter's EU and UK GDPR representation servicesUK GDPR Representation
Learn more about Prighter's EU and UK GDPR representation servicesLegal Bases for Data Processing
GDPR Article 6 compliance explained
Article 6 GDPR Legal Bases
Website Usage Analytics
- • <strong>Legal Basis:</strong> Legitimate Interest (Art. 6(1)(f))
- • We process analytics to improve our services
- • Balanced against your rights and freedoms
- • You can opt-out via cookie preferences
Data NOT Processed
- • No special category data (Art. 9 GDPR)
- • No criminal conviction data (Art. 10 GDPR)
- • Health data only with explicit consent + HIPAA BAA
- • No automated decision-making (Art. 22 GDPR)
Detailed GDPR Rights
How to exercise your data protection rights
Right to Information
Receive clear information about how we process your data (Articles 13 & 14)
Right of Access
Obtain confirmation and access to your personal data (Article 15)
Right to Rectification
Correct inaccurate or incomplete data (Article 16)
Right to Erasure
Request deletion ("right to be forgotten") under specific conditions (Article 17)
Right to Restrict Processing
Limit processing in certain circumstances (Article 18)
Right to Data Portability
Receive your data in machine-readable format (Article 20)
Right to Object
Object to processing based on legitimate interests or direct marketing (Article 21)
Right to Withdraw Consent
Withdraw consent at any time where processing is based on consent (Article 7)
How to Exercise Your Rights
Contact us at <strong>[email protected]</strong> or use our Trust Center. We will respond within 30 days as required by GDPR.
You have the right to lodge a complaint with your local data protection authority.
Data Security & Protection
Technical and organizational measures to protect your data
Data Security
- <strong>Encryption:</strong> All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- <strong>Access Controls:</strong> Role-based access, multi-factor authentication required
- <strong>Monitoring:</strong> 24/7 security monitoring and intrusion detection
- <strong>Audits:</strong> Regular security audits and penetration testing
- <strong>Backup:</strong> Automated backups with encryption and geo-redundancy
Data Retention
- <strong>Marketing Data:</strong> 2 years from last interaction
- <strong>Account Data:</strong> Duration of service + 6 months
- <strong>Billing Data:</strong> 7 years (legal requirement)
- <strong>Support Tickets:</strong> 3 years after resolution
- <strong>Audit Logs:</strong> 1 year for security purposes
Third-Party Processors
- <strong>Stripe:</strong> Payment processing (PCI-DSS compliant)
- <strong>Amazon Web Services (AWS):</strong> Infrastructure hosting, storage, and compute (ISO 27001, SOC 2)
- <strong>Google Cloud:</strong> AI-powered image description and content processing (ISO 27001, SOC 2)
- <strong>HubSpot:</strong> CRM and marketing automation
- <strong>Intercom:</strong> Customer support platform
- <strong>Dictionary lookups:</strong> When a visitor uses the widget's dictionary tool, the searched word is sent directly from their browser to third-party dictionary services (Merriam-Webster, Wikipedia) to return a definition
International Data Transfers
- Data stored in US-based data centers
- Third-party processors use Standard Contractual Clauses (SCCs)
- Additional safeguards for US transfers post-Schrems II
- Data Processing Agreements (DPAs) with all processors
Contact & Data Protection
Questions about GDPR compliance or data protection?
Data Controller
AllAccessible, LLC
515 Congress Ave, Suite 1750, Austin, TX 78701, USA
EU Representative
Prighter Group (iuro Rechtsanwälte GmbH)
Schellinggasse 3, 1010 Vienna, Austria
Trust Center
Visit our Trust Center for comprehensive privacy and security information:
Visit Trust Center →Ready to Get Started?
Experience privacy-first accessibility solutions that respect your data