Privacy Policy
Last updated: May 2, 2026
1. Who we are
GovAccess ("GovAccess," "we," "us") provides an automated accessibility audit platform for state and local government websites at https://govaccess.us. For privacy questions, contact us at hello@govaccess.us.
2. Information we collect
Account information
- Email address (required for login)
- Password (stored as a salted hash by our authentication provider)
- Optional profile fields: full name, organization name, organization type (municipality, county, etc.), and population size — these are used to display the appropriate ADA Title II deadline and segment usage analytics.
Scan inputs
- Website URLs you submit for scanning (free scans and full scans).
Scan output
- A list of pages discovered, accessibility violations found (rule id, severity, WCAG criteria mapping), and short HTML snippets of the offending elements.
- Aggregate statistics (compliance score, counts by severity).
- PDF compliance reports generated from the above data.
Billing information
- Payment is processed by Stripe. We never see or store credit card numbers; Stripe returns only a customer identifier and subscription status to us.
Technical information
- IP address (for rate limiting on the free scan endpoint).
- Standard server logs (timestamp, request path, response code).
- Aggregate, anonymous page-view analytics (Vercel Analytics) with no cookies or cross-site tracking.
3. How we use your information
- Operate the scanning service: queue scans, run them on our infrastructure, return results to your dashboard.
- Communicate with you about your account, billing, and material changes to the service.
- Enforce plan limits (number of sites, scans per month, page count per scan).
- Detect and prevent abuse (spam signups, scan-quota fraud, attempts to scan internal or private hosts).
- Improve the product: investigate failed scans, broaden our fix-suggestion library, refine the compliance scoring model. Aggregate, de-identified data may be used in product statistics.
We do not sell your information, share it with advertisers, or use it to train machine learning models for third parties.
4. Sub-processors we share data with
GovAccess relies on the following third-party services. Each receives only the data needed to perform its function.
- Supabase — authentication, primary database, file storage for PDF reports. (US-East region.)
- Vercel — frontend hosting and edge function execution.
- Railway — worker process that runs scans and generates reports.
- Upstash — Redis queue used to schedule scans.
- Stripe — payment processing and subscription billing. Cardholder data is sent directly to Stripe and never passes through GovAccess servers.
- Resend — transactional email delivery (when enabled).
5. How we protect your data
- All traffic between you and our services uses TLS.
- Database access is restricted by row-level security: users can only read and write their own rows.
- PDF reports in storage are served via short-lived signed URLs — they are not publicly accessible by default.
- Production secrets are rotated on an as-needed basis and stored in encrypted environment variables.
- We block scan requests that target internal IP ranges (RFC1918, link-local, loopback) so the service cannot be used to probe networks it should not access.
6. Data retention
- Account data and scan results: retained for the duration of your subscription plus 90 days, after which they may be permanently deleted.
- Server logs and aggregated analytics: retained for up to 12 months.
- Stripe billing records: retained as required by accounting and tax regulations.
7. Your rights
You may at any time:
- Access your data — your dashboard shows your profile, sites, scans, issues, and reports.
- Export your data — contact us at hello@govaccess.us and we will return your account data in JSON within 14 business days.
- Correct your profile information from the Settings page.
- Delete your account and all associated data from the Settings page or by emailing hello@govaccess.us. Deletion is permanent and irreversible — backups are purged within 30 days.
- Opt out of any non-essential communications by replying to any email we send.
Residents of California may also exercise the rights granted by the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect and the right not to be discriminated against for exercising any privacy right. Residents of jurisdictions with comparable laws (CPRA, VCDPA, CTDPA, CPA, UCPA, etc.) may exercise the equivalent rights using the contact email above.
8. Children
GovAccess is intended for government employees and contractors. We do not knowingly collect data from anyone under 16. If you believe we have done so, contact us and we will delete the data promptly.
9. International transfers
GovAccess infrastructure is hosted in the United States. By using the service from outside the US, you consent to the transfer of your data to the US for processing.
10. Changes to this policy
We will update the "Last updated" date at the top of this page when we change this policy. Material changes will be announced by email to active subscribers at least 14 days before they take effect.
11. Contact
Privacy questions, data requests, and complaints: hello@govaccess.us.