Skip to main content
EU Compliance

GDPR Compliance

AllAccessible is designed to support General Data Protection Regulation (GDPR) compliance. We collect only necessary data to provide our services and comply with legal requirements.

What Data We Collect & Why

Transparent data practices compliant with GDPR Article 13 & 14

Marketing Website (allaccessible.org)

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)

Data Collected

  • Analytics data (Google Tag Manager, Google Analytics)
  • Conversion tracking (Google Ads, LinkedIn, Facebook)
  • Form submissions (name, email, company, message)
  • IP address (for fraud prevention)
  • Language preference

Purpose

  • Measure marketing campaign effectiveness
  • Improve website user experience
  • Process demo/contact requests
  • Provide customer support
  • Remember your language choice

Accessibility Widget (Client Websites)

Legal basis: Legitimate interest + User consent for preferences

✅ Anonymized Usage Metrics

  • Widget activations (no user identification)
  • Feature usage aggregated by website
  • No IP addresses, no cookies for tracking
  • Website-level statistics only

🔒 User Preference Storage (Cookies & LocalStorage)

  • <code>aacxValidated</code> - Short-lived validation cookie (~10 minutes)
  • <code>accessibilityWidgetHidden</code> - Remembers if you've hidden the widget (functional cookie, ~1 year)
  • Widget position - Remembers where the widget button sits on the page (functional cookie)
  • <code>overrideOptions</code> - Your accessibility settings (text size, contrast, etc.), stored in your browser's local storage
  • <strong>Your accessibility settings stay on your device and are not sent to our servers.</strong> Separately, the widget sends anonymous usage data (which tools were used and the page visited) to help improve the product - never your name, email, or activity across other sites

Application Users (app.allaccessible.org)

Legal basis: Contract performance (Art. 6(1)(b) GDPR)

Data Collected

  • Account information (email, name, company)
  • Website/domain configurations
  • Audit history and scan results
  • Usage metrics and analytics
  • Billing information (via Stripe)

Purpose

  • Provide accessibility services
  • Generate compliance reports
  • Process payments
  • Customer support
  • Service improvements

Accommodation Requests

Legal basis: Legal obligation + Explicit consent for health data

Basic Accommodation Requests

  • Employee name, request type, description
  • No medical/health information
  • Available to all customers

⚠️ Advanced Accommodation (Protected Health Information)

  • Medical documentation and health conditions
  • Disability details and treatment requirements
  • <strong>Requires signed HIPAA Business Associate Agreement</strong>
  • Only available with executed BAA
  • Encrypted storage, audit logs, access controls

<strong>Important:</strong> We do NOT process protected health information without a valid HIPAA BAA in place. Contact us to execute a BAA before using advanced accommodation features.

Your GDPR Rights

Under GDPR, you have comprehensive rights regarding your personal data

Right to Access

Request a copy of all personal data we hold about you

Right to Erasure

Request deletion of your personal data ("right to be forgotten")

Right to Rectification

Correct inaccurate or incomplete personal data

Right to Data Portability

Receive your data in a structured, machine-readable format

Privacy-First Widget Design

Widget usage is completely anonymized

Anonymous Widget Usage

Widget interactions are tracked at website level only, with no individual user tracking

Preferences Stay on the Device

A visitor's chosen accessibility settings are saved in their own browser and are not uploaded to our servers; only anonymous usage (which tools were used) is recorded separately

Minimal Cookie Footprint

The widget uses only strictly-necessary functional cookies and anonymous usage analytics — no personal, identifying, or cross-site tracking data. Site owners disclose AllAccessible's use within their own terms of service and accessibility statement.

What Data We Do NOT Collect

No IP addresses
No user identifiers or IDs
No cookies for tracking
No session tracking
No accessibility preferences
No health-related data
No personal device information
No marketing or analytics data

EU Representative & DPO

Professional EU representation and data protection services

Article 27 EU Representative

Prighter Group

Provided by iuro Rechtsanwälte GmbH t/a Prighter

EU Address

Schellinggasse 3, 1010 Vienna, Austria

Responsibilities

  • Receive GDPR-related inquiries
  • Coordinate with data protection authorities
  • Handle data subject requests
  • Provide information on data processing

Data Protection Officer (DPO)

Prighter provides professional Data Protection Officer services as required by GDPR Article 37-39.

Legal Bases for Data Processing

GDPR Article 6 compliance explained

Article 6 GDPR Legal Bases

Website Usage Analytics

  • <strong>Legal Basis:</strong> Legitimate Interest (Art. 6(1)(f))
  • We process analytics to improve our services
  • Balanced against your rights and freedoms
  • You can opt-out via cookie preferences

Data NOT Processed

  • No special category data (Art. 9 GDPR)
  • No criminal conviction data (Art. 10 GDPR)
  • Health data only with explicit consent + HIPAA BAA
  • No automated decision-making (Art. 22 GDPR)

Detailed GDPR Rights

How to exercise your data protection rights

Right to Information

Receive clear information about how we process your data (Articles 13 & 14)

Right of Access

Obtain confirmation and access to your personal data (Article 15)

Right to Rectification

Correct inaccurate or incomplete data (Article 16)

Right to Erasure

Request deletion ("right to be forgotten") under specific conditions (Article 17)

Right to Restrict Processing

Limit processing in certain circumstances (Article 18)

Right to Data Portability

Receive your data in machine-readable format (Article 20)

Right to Object

Object to processing based on legitimate interests or direct marketing (Article 21)

Right to Withdraw Consent

Withdraw consent at any time where processing is based on consent (Article 7)

How to Exercise Your Rights

Contact us at <strong>[email protected]</strong> or use our Trust Center. We will respond within 30 days as required by GDPR.

You have the right to lodge a complaint with your local data protection authority.

Data Security & Protection

Technical and organizational measures to protect your data

Data Security

  • <strong>Encryption:</strong> All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • <strong>Access Controls:</strong> Role-based access, multi-factor authentication required
  • <strong>Monitoring:</strong> 24/7 security monitoring and intrusion detection
  • <strong>Audits:</strong> Regular security audits and penetration testing
  • <strong>Backup:</strong> Automated backups with encryption and geo-redundancy

Data Retention

  • <strong>Marketing Data:</strong> 2 years from last interaction
  • <strong>Account Data:</strong> Duration of service + 6 months
  • <strong>Billing Data:</strong> 7 years (legal requirement)
  • <strong>Support Tickets:</strong> 3 years after resolution
  • <strong>Audit Logs:</strong> 1 year for security purposes

Third-Party Processors

  • <strong>Stripe:</strong> Payment processing (PCI-DSS compliant)
  • <strong>Amazon Web Services (AWS):</strong> Infrastructure hosting, storage, and compute (ISO 27001, SOC 2)
  • <strong>Google Cloud:</strong> AI-powered image description and content processing (ISO 27001, SOC 2)
  • <strong>HubSpot:</strong> CRM and marketing automation
  • <strong>Intercom:</strong> Customer support platform
  • <strong>Dictionary lookups:</strong> When a visitor uses the widget's dictionary tool, the searched word is sent directly from their browser to third-party dictionary services (Merriam-Webster, Wikipedia) to return a definition

International Data Transfers

  • Data stored in US-based data centers
  • Third-party processors use Standard Contractual Clauses (SCCs)
  • Additional safeguards for US transfers post-Schrems II
  • Data Processing Agreements (DPAs) with all processors

Contact & Data Protection

Questions about GDPR compliance or data protection?

Data Controller

AllAccessible, LLC

515 Congress Ave, Suite 1750, Austin, TX 78701, USA

EU Representative

Prighter Group (iuro Rechtsanwälte GmbH)

Schellinggasse 3, 1010 Vienna, Austria

[email protected]

Privacy Inquiries

[email protected]

For data subject requests, privacy questions, or GDPR concerns

Trust Center

Visit our Trust Center for comprehensive privacy and security information:

Visit Trust Center →

Ready to Get Started?

Experience privacy-first accessibility solutions that respect your data