Privacy policy
Last updated: 2 July 2026
Who we are
AccessProof is an accessibility scanning and monitoring service operated by Benchfour, a sole proprietorship based in India (the "data controller" for the purposes of the GDPR). Contact for anything in this policy: [email protected].
What we collect
- Scan data:the website addresses you submit and the scan results we generate from each site's publicly available pages. We do not log into or access non-public areas of any site.
- Email addresses: when you request a report by email, join the early-access list, or create an account.
- Account data: your monitored sites, scan history, plan, and (for agencies) branding settings.
- Essential cookies:a single session cookie ("ap_session") that keeps you signed in. We use no tracking cookies.
- Aggregate analytics: we use Cloudflare Web Analytics, a privacy-first, cookieless service that gives us page-level statistics (views, referrers, load times) without identifying, fingerprinting, or tracking individual visitors.
- Server logs: IP addresses and requests, kept briefly for security and rate-limiting.
Payments are handled by Lemon Squeezy as merchant of record — they, not we, collect and process your payment details and billing address under their own privacy policy.
Why we process it (legal bases)
- To provide the service you asked for — scans, monitoring, reports, sign-in links (performance of a contract).
- To follow up when you request a report by email or join the early-access list (consent; unsubscribe any time).
- To keep the service secure and prevent abuse (legitimate interest).
We do not sell personal data, and we do not use it for advertising.
Where data lives and who touches it
Application data is stored on servers in the European Union. We use a small number of processors to run the service: our hosting provider (EU region), our transactional email provider (for sign-in links and report emails), and Lemon Squeezy (payments, as merchant of record).
The founder administers the service from India. Administrative access from outside the EU is limited to what is necessary to operate the service, protected by authentication, and covered by the safeguards of this policy.
Retention
- Account data: for as long as your account exists.
- Scan results: kept so you can track changes over time; deleted with your account.
- Early-access/report emails: until you unsubscribe or ask us to delete them.
- Server logs: short-lived, security only.
Your rights
Under the GDPR you can ask for access to, correction of, deletion of, or a portable copy of your personal data; you can object to or ask us to restrict processing; and you can withdraw consent at any time. Email [email protected] and we will respond within one month. You also have the right to complain to your national data protection authority.
Scanning other people's sites
Scans read publicly available pages only, the way any browser or search-engine crawler does. If your site was scanned by one of our users and you want the stored results removed, email [email protected].
Changes
We'll update this policy as the service evolves and change the date above. Material changes affecting account holders will be announced by email.