Privacy Policy
Last updated: 18 May 2026
This Privacy Policy describes how VP Consulting (“A11yRisk”, “we”, “us”, “our”) processes personal data when you visit our website, create an account, or use our automated accessibility scanning services. It is issued pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR).
1. Identity and Contact Details of the Controller
Controller:
VP Consulting
Keurenplein 41, Box C3577, 1069CD Amsterdam, The Netherlands
E-mail: [email protected]
If you have any questions about how we handle your personal data, please contact us at the email address above.
Data Protection Officer: We are not currently required to appoint a DPO. Should this change, contact details will be published here.
2. Categories of Personal Data We Process
We process the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Identity & contact data | Name, email address | Provided by you at registration (via Clerk) |
| Authentication data | Session tokens, OAuth tokens | Generated by Clerk on your behalf |
| Billing data | Credit balance, Stripe transaction reference IDs | Stripe processes payment; we store only confirmation references and credit balance |
| Submitted URLs | Website addresses you submit for scanning | Provided by you |
| Scan content | Webpage content retrieved during a scan (may include publicly visible personal data on the scanned site) | Fetched automatically from URLs you submit |
| Scan results & reports | Accessibility violations, page metadata, PDF and JSON reports | Generated by our scanning engine |
| Usage data | Features accessed, scan history, timestamps | Generated automatically |
| Technical data | IP address, browser type, device type | Generated by your connection to our servers |
| Support communications | Messages you send to our support team | Provided by you |
3. Legal Bases for Processing
We rely on the following legal bases under Article 6 GDPR:
- Performance of a contract (Art. 6(1)(b)): creating your account, delivering scan results, generating reports, managing your credits, and processing payments.
- Legitimate interests (Art. 6(1)(f)): security monitoring, fraud and abuse detection, service reliability, and statistical improvement of our scanning algorithms. We have assessed that our interests do not override your fundamental rights and freedoms.
- Legal obligation (Art. 6(1)(c)): retaining financial records as required by applicable accounting and tax law.
- Consent (Art. 6(1)(a)): where indicated at the point of collection (for example, optional marketing communications, if offered). You may withdraw consent at any time without affecting prior processing.
4. Purposes of Processing
| Purpose | Legal basis |
|---|---|
| Account registration and management | Contract |
| Running accessibility scans you request | Contract |
| Generating, storing, and delivering PDF/JSON reports | Contract |
| Processing credit purchases through Stripe | Contract |
| Detecting and preventing fraud and abuse | Legitimate interests |
| Monitoring platform availability and performance | Legitimate interests |
| Improving scan accuracy and rule coverage | Legitimate interests |
| Responding to support requests | Contract / Legitimate interests |
| Complying with legal obligations (e.g. accounting records) | Legal obligation |
5. Third-Party Service Providers (Processors)
We engage the following third-party processors who act on our instructions and are bound by data processing agreements:
| Processor | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Clerk, Inc. | Authentication and user management | United States | Standard Contractual Clauses (Commission Decision 2021/914) |
| Stripe, Inc. | Payment processing and fraud prevention | United States | Standard Contractual Clauses (Commission Decision 2021/914) |
| Cloudflare, Inc. (R2) | Secure object storage for PDF/JSON reports | United States / EEA edge nodes | Standard Contractual Clauses (Commission Decision 2021/914) |
| Supabase, Inc. | Hosted PostgreSQL database | EU Central (Frankfurt, eu-central-1) | EEA — no transfer |
| Railway (Redis service) | Task queue and in-memory caching | EU West (Amsterdam) | EEA — no transfer |
We do not sell your personal data to any third party. We do not use your data for advertising or profiling for third-party purposes.
An up-to-date sub-processor list is available on request at [email protected]. We will notify you of material sub-processor changes with reasonable advance notice.
6. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA). Where we transfer personal data to third countries not covered by an adequacy decision of the European Commission, we rely on Standard Contractual Clauses (SCCs) adopted pursuant to Commission Implementing Decision (EU) 2021/914 as the appropriate transfer mechanism. Copies of applicable SCCs are available on request.
7. Retention
| Data type | Retention period |
|---|---|
| Account data (name, email) | For the duration of your account, plus 30 days after deletion to allow recovery |
| Scan results and reports | While your account is active; you may delete individual scans at any time from your dashboard |
| Payment transaction references | 7 years (EU accounting law requirement) |
| Server and access logs | 30 days |
| Support communications | 2 years from last contact |
8. Your Rights Under the GDPR
As a data subject under the GDPR, you have the following rights. To exercise any of them, contact us at [email protected]. We will respond within one month (extendable by two further months for complex requests). We may request proof of identity before processing your request.
- Right of access (Art. 15): Obtain confirmation of whether we process your data and receive a copy.
- Right to rectification (Art. 16): Have inaccurate data corrected.
- Right to erasure (Art. 17): Request deletion of your data where no overriding legal basis applies.
- Right to restriction (Art. 18): Restrict processing in defined circumstances (e.g. while accuracy is contested).
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
- Right to withdraw consent: Where processing is based on consent, withdraw at any time without affecting the lawfulness of prior processing.
You also have the right to lodge a complaint with your national supervisory authority. The supervisory authority for our place of establishment is Autoriteit Persoonsgegevens (AP) (autoriteitpersoonsgegevens.nl).
9. Automated Decision-Making and Profiling
We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing (Article 22 GDPR). The scan results we generate are purely informational and do not automatically affect your account status or any other decision about you.
10. Cookies and Tracking Technologies
We use only essential cookies required for authentication, secure session management, and fraud prevention. We do not use advertising, analytics, or behavioural tracking cookies. A cookie notice is displayed on your first visit explaining this. No consent is required for essential cookies under Article 5(3) of Directive 2002/58/EC (ePrivacy Directive).
11. Children
The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this policy to reflect changes in our practices or applicable law. For material changes, we will notify registered users by email at least 30 days before the updated policy takes effect. The current version is always available at this URL, dated at the top.
13. Contact
VP Consulting
Keurenplein 41, Box C3577, 1069CD Amsterdam, The Netherlands
E-mail: [email protected]