Skip to main content

Privacy Policy

Effective date: June 1, 2026  ·  HCI Design Lab, LLC  ·  Las Vegas, Nevada

The whole policy in one paragraph: Your data is yours. We collect the minimum needed to run A11y Logger, your account details and the content you create, and we use it only to give you the service. We don’t sell it, share it, mine it for insights, or use it to train AI models. The open source version runs entirely on your own machine, so none of this applies to it. You can export or delete everything whenever you want. Questions go to hello@hcidesignlab.com.

What we collect

If you self-host the open source version, we collect nothing. Skip to the open source section below.

For the hosted cloud version, here is everything we store and why:

What you give us

  • Account details: your name, email, and password.
  • Profile: your role and organization, if you choose to add them.
  • Payment details: handled by Stripe. Your card number never touches our servers.
  • The content you create: findings, reports, VPATs, screenshots, recordings, and anything else you type into the tool.

What the service generates

  • Your projects, workspaces, and who is on your team.
  • Basic technical logs that keep the service running: IP address, browser type, the pages you visit in the app, and crash reports when something breaks.

That is the full list. There is no marketing tracker, no advertising pixel, and no analytics built on top of your content. We use a couple of essential cookies to keep you logged in. We don’t use advertising cookies, third-party tracking cookies, or Google Analytics.

What we never do with it

This is the part that matters most, so here it is plainly:

  • We don’t sell your data. Not to advertisers, not to data brokers, not to anyone.
  • We don’t share it with third parties for their own use.
  • We don’t mine it for product insights, industry trends, or benchmarks. Your findings are not our research material.
  • We don’t use it to train or fine-tune AI models. We’re not an AI company, and your audits aren’t training data.
  • We don’t read your content unless you ask us to, for support, or the law forces us to.

Your audit findings, VPATs, and reports are yours. We store them so the tool works. That is the only reason we have them.

Open source vs. cloud

A11y Logger comes in two forms, and the privacy story is different for each.

Open source, self-hosted

It runs entirely on your own machine or server. Nothing leaves it. There is no account, no telemetry, and nothing that phones home. We can’t see your data because we never receive it. This policy doesn’t really apply to you, because there is nothing for us to collect.

Cloud, hosted by us

We run the infrastructure, so the data described above lives on our servers and everything in this policy applies. If you want the convenience of the hosted version with assurances close to running it yourself, the rest of this page is for you.

Third-party services

Running the cloud version means a few outside services touch your data. We keep the list short and use vendors bound by data processing agreements. Here is all of them:

  • Vercel — hosts the application and stores your account and content.
  • Stripe — processes payments. Card data stays with Stripe.
  • AI providers (Anthropic, OpenAI) — only when you use an AI-assisted feature. The content for that one request, an issue description or a VPAT row, is sent over an encrypted connection to generate the result. Our agreements prohibit them from training on it, and they don’t keep it after the request finishes. If you never use an AI feature, none of your content goes to them. Enterprise customers can bring their own AI keys, in which case those requests go to your provider under your own terms, not ours.
  • Error monitoring service — catches crashes so we can fix them.

That is the entire list. We don’t add new processors quietly. If it changes, this page changes, and we’ll email you before any material change takes effect.

Keeping and deleting your data

We keep your data for as long as your account is active. Delete your account and we delete your content within 30 days. During the beta, email us and we’ll do it within 5 business days.

The only thing we hold onto longer is what the law requires us to, like billing records we keep for tax purposes.

You can export your data at any time in a standard, machine-readable format. It’s yours, so you should be able to take it with you. You don’t need to ask permission or explain why.

Your rights

Depending on where you live, laws like the GDPR in Europe, the CCPA in California, and Nevada’s privacy law give you formal rights over your data: to see it, correct it, export it, delete it, and object to how it’s used. We extend all of those rights to everyone, wherever you are, because it’s the right way to treat people.

To use any of them, email hello@hcidesignlab.com. We’ll respond within 30 days, usually much sooner, and we won’t charge you or make you justify the request.

If your organization needs a Data Processing Agreement before sharing client data through the platform, we have one. Email us with “DPA Request” in the subject line and we’ll send it over.

Security

We protect your data with encryption in transit and at rest, access controls, and regular reviews. No system is perfectly secure, and we won’t pretend otherwise. If a breach ever affects your data, we’ll tell you within 72 hours.

Found a vulnerability? Email hello@hcidesignlab.com before disclosing it publicly and we’ll respond within 48 hours.

Contact

A11y Logger is built by HCI Design Lab, LLC, a small team in Las Vegas, Nevada. A real person reads privacy email, often the same person who wrote the code.

We built A11y Logger because accessibility work deserves better tools. Your data was never the business model. We keep what we need to run the service, we guard it, and we hand it back the moment you ask. If anything here is unclear, or you want one of these commitments in writing for your organization, email us.