WebAbility Privacy Policy

Effective Date: January 15, 2025

Welcome to WebAbility! This Privacy Policy outlines how we handle your personal information when you use our services, which include our standalone service accessible through our website, webability.io (collectively referred to as the "Service").

Information We Collect and Receive

We collect various types of information, including Personal Information, when a Customer or a Visitor (including anyone acting on their behalf) accesses or uses our Services as more fully set forth below.

a. Information You Provide

• Account Information: When you register or update an account, we collect full name, email address, and phone number. You may edit these at any time via your account or by emailing us at [email protected].
• Payment Details: To purchase a license, you may provide billing information (name, card number, expiration date, CVV, billing address) which is handled by our secure third-party payment processor.
• Device & Technical Information: We automatically collect your IP address, referring URL, device type and ID, operating system and version, browser type/version, and screen resolution.
• Support Information: When you use our chatbot or contact support, we collect any Personal Information you share (for example, your name, email, and message content) and may combine it with other data we hold.
• Marketing Communication: If you request a demo, a scan, or register for events, we collect your name, email, phone number, job title, and company details to fulfill your request and send follow-up materials.

b. Information Collected from Other Sources

• WebAbility Communication: Signing up for an WebAbility report requires your name and email, which we may also use for marketing follow-up.
• Usage Information: When our accessibility widget is installed, we receive image URLs, link URLs, HTML/CSS structure, clicks, interactions, and page views.
• Log Information: Server logs capture your IP address, approximate geolocation, referring page, browser type/settings, and cookie data.
• Cookies: We use cookies (excluding widget-only cookies) to operate the Service, measure ad performance, and analyze traffic (only on the landing page). See our Cookie Policy for details.

c. Information from Social Media

We collect publicly posted data (e.g., feedback, reviews, social handles) from our official social pages. If you'd like content removed, email [email protected].

d. Data Obtained through Analytics Tools

We use tools like Google Analytics to track site visits, page interactions, session frequency, non-precise geolocation, and referral sources.

e. Information We Collect from Third Parties

We may obtain data from referral partners, service providers (e.g., payment processors, social media), publicly available sources, and marketing providers. Combined with our data, this helps us improve and personalize the Service.

f. Information Collected in Accordance with Applicable Law

We also collect any data required to verify your identity or comply with legal obligations under applicable laws.

Communications

We may contact you via email, telephone, or other means about changes to the Service, updates to your account, billing issues, and important security or account-related notices ("Essential Communications"). You cannot opt out of these Essential Communications as they are necessary for contract performance.

Additionally, we may send newsletters, feature updates, event invitations, and other marketing or promotional emails based on your consent. You may withdraw consent and opt out of these easily by:

• Clicking the unsubscribe link included in any marketing email
• Emailing us at [email protected]
• Contacting our Data Protection Officer at [email protected]

How We Use Your Data

WebAbility uses the collected data for various purposes, including:

• Operating and maintaining our Service (Contract Performance)
• Notifying you about changes to our Service (Contract Performance/Legal Obligation)
• Allowing you to participate in interactive features when you choose (Contract Performance)
• Providing customer care and support (Contract Performance)
• Conducting analysis to improve the Service (Legitimate Interests)
• Monitoring usage of the Service (Legitimate Interests)
• Detecting, preventing, and addressing technical issues (Legitimate Interests)
• Sending marketing communications (Consent)

Data Transfer

Your information, including Personal Data, may be transferred to and maintained on servers located outside your state, province, country, or other governmental jurisdiction where data protection laws may differ from your own. If you are located outside Germany and choose to provide information to us, note that we transfer the data to Germany for processing. This transfer is necessary for the performance of our contract with you and to provide our services.

We take reasonable steps to ensure that your data is secure and treated in accordance with this Privacy Policy and applicable data protection laws. All data processing takes place within the European Economic Area (EEA), ensuring adequate protection under GDPR. No transfer of your Personal Data will occur to an organization or country unless adequate controls are in place.

Since we process data within Germany and the European Economic Area (utilizing secure German data center infrastructure), your personal data benefits from comprehensive protection under European data protection laws.

• GDPR Protection: Full compliance with the General Data Protection Regulation
• Adequate Security Measures: Technical and organizational measures to protect your data including encryption, access controls, and secure development practices
• Data Subject Rights: Full exercise of your rights under European data protection law
• Supervisory Authority Oversight: Regulation by German and EU data protection authorities

Data Protection Officer

You can contact our Data Protection Officer at:
Email: [email protected]
For general privacy inquiries: [email protected]

Disclosure of Data

WebAbility may disclose your Personal Data in good faith if necessary to:

• Comply with legal obligations (Legal Obligation)
• Protect and defend the rights or property of WebAbility (Legitimate Interests)
• Prevent or investigate possible wrongdoing in connection with the Service (Legitimate Interests)
• Protect the personal safety of users or the public (Vital Interests)
• Protect against legal liability (Legitimate Interests)

Security of Data

The security of your data is important to us. We implement appropriate technical and organizational measures to protect your Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit and at rest
• Access controls and authentication systems
• Regular security assessments and updates
• Staff training on data protection
• Incident response procedures

However, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

Data Protection Safeguards

Since we process data within Germany and the European Economic Area, your personal data benefits from comprehensive protection under European data protection laws.

• GDPR Protection: Full compliance with the General Data Protection Regulation
• Adequate Security Measures: Technical and organizational measures to protect your data including encryption, access controls, and secure development practices
• Data Subject Rights: Full exercise of your rights under European data protection law
• Supervisory Authority Oversight: Regulation by German and EU data protection authorities

Data Protection Officer

You can contact our Data Protection Officer at:
Email: [email protected]
For general privacy inquiries: [email protected]

How Long We Retain Personal Information

We retain Personal Information for specific periods based on the purpose:

• Account Data: For the duration of your account plus 30 days after closure
• Support Communications: 3 years from last contact
• Marketing Data: Until consent is withdrawn plus 30 days
• Legal/Compliance Data: As required by applicable law (typically 6-10 years)
• Analytics Data: 26 months, then permanently deleted or rendered truly anonymous (irreversibly de-identified)

After the retention period ends, we take the following actions with your personal data:

• Deletion: Complete removal of your personal data from our systems so that it cannot be recovered or reconstructed
• Anonymization: Processing data to permanently remove all identifying elements, making it impossible to link the data back to you personally. This anonymized data may be used for statistical analysis and service improvement

You can request earlier deletion of your personal data by contacting us at [email protected]. Note that anonymized data cannot be deleted as it no longer identifies you personally.

Aggregated, anonymized data used for business insights is retained indefinitely, as it cannot identify you and provides valuable insights for service improvement.

How We Protect Your Information

The security of your Personal Information is important to us. We implement physical, technical, and organizational safeguards—such as encryption, access controls, and secure development practices—to protect your data from misuse, damage, and unauthorized access.

However, no system is entirely foolproof. While we strive to use industry-standard measures, we cannot guarantee absolute security for information transmitted over the Internet or stored on our servers or those of our third parties.

Your Rights as a Visitor from the EEA, UK or Switzerland

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, the GDPR, UK GDPR, and Swiss FADP apply. In addition to the rights in this policy, you have the additional rights listed below.

We process your Personal Information on these lawful grounds:

• Consent: Where required, based on your consent.
• Contractual necessity: To perform our agreement with you.
• Legal obligation: To comply with laws and protect vital interests.
• Legitimate interests:
  • Communications & direct marketing
  • Cybersecurity & fraud prevention
  • Support, customer relations, and service operations
  • Enhancements & improvements to the Service
  • Analytics & feature optimization

You have the right to:

• Access the Personal Information we hold about you and learn how it's processed.
• Rectify inaccurate or incomplete Personal Information.
• Erase your Personal Information ("right to be forgotten"). Note: this applies to personal data only, not anonymized data that can no longer identify you.
• Restrict or object to processing of your Personal Information.
• Port your data to another service provider.
• Withdraw consent at any time (without affecting prior processing). You can easily withdraw consent by:
  • Clicking the unsubscribe link in any marketing email
  • Emailing us at [email protected]
  • Contacting our Data Protection Officer at [email protected]
• Not be subject to decisions based solely on automated processing.
• File a complaint with your local Data Protection Authority.

For a full summary of your EU data protection rights, visit ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens_en.

To exercise these rights, contact us at [email protected]. We may request information to verify your identity and will respond within 30 days.

When we act as an independent data controller, you may contact us directly. If we process data on behalf of another controller, please contact that controller to exercise your rights.

If you're unsatisfied with our response, you may lodge a complaint with your local Data Protection Authority. Find contacts at ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.

Specific Provisions for California Residents

a. Categories of Personal Information Collected

In the past 12 months, we have collected:

• Identifiers (e.g., name, email address, IP address)
• Commercial information (e.g., payment details)
• Internet or network activity (e.g., site and mobile usage, session info, search history)
• Inferences drawn from other personal information

b. Business Purposes for Collection

We collect this information to provide, maintain, and improve the Service, as described in Section 4.

c. Sources of Information

We obtain Personal Information directly from you, from your use of the Service, and from third-party providers.

d. Sharing of Personal Information

We share your data with service providers and affiliates (see Section 5). We do not "sell" your data under CCPA, but we do share it with certain ad tech partners. To opt out of such sharing, click here.

e. Categories of Disclosed Information

In the past 12 months, we have disclosed for business purposes:

• Identifiers (name, email, IP)
• Commercial information (payment details)
• Internet or network activity
• Inferences drawn from Personal Information

We have not sold Personal Information in the past 12 months.

f. Your Rights as a California Resident

You may:

• Request the categories and specific pieces of Personal Information we collected in the past 12 months.
• Request the sources and business purposes for that collection.
• Request categories of third parties with whom data was shared.
• Receive your data by mail or electronically, and request its transfer to another entity.
• Correct or update incorrect Personal Information.
• Request deletion of your Personal Information, subject to legal exceptions.
• Not be discriminated against for exercising these rights.

g. How to Exercise Your Rights

To submit a request, email us at [email protected]. Only you or an authorized agent may make a request. You may make two requests per 12 months. We will verify your identity and respond within 45 days (possible extension of 45 more days with notice). We do not charge a fee unless the request is excessive or unfounded.

Service Providers

We may employ third-party companies and individuals to facilitate our Service ("Service Providers"), provide the Service on our behalf, perform Service-related services, or assist us in analyzing how our Service is used.

These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

GDPR Compliance: All service providers are contractually bound to:

• Process data only on our instructions
• Implement appropriate security measures
• Assist with data subject rights requests
• Notify us of any data breaches
• Delete or return data upon termination

Analytics

We may use third-party Service Providers to monitor and analyze the use of our Service.

International Data Transfers

Since we process data within Germany and the EEA, international data transfers are minimized. Where transfers outside the EEA occur (e.g., to cloud service providers), we ensure adequate protection through:

• Adequacy Decisions: Transfers to countries with adequate protection as determined by the European Commission
• Standard Contractual Clauses: EU-approved contractual terms ensuring adequate protection
• Certification Schemes: Transfers under approved certification schemes

Links to Other Sites

Our Service may contain links to other sites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

GDPR Compliance

If you are located in the European Economic Area (EEA), the following additional provisions apply:

Data Controller

WebAbility is the data controller responsible for your personal data under the GDPR.
Contact:
WebAbility
Email: [email protected]
DPO Email: [email protected]

Lawful Basis for Processing

We process your personal data only where we have a lawful basis to do so, such as:

• Consent: you have given us (e.g., marketing communications)
• Contractual necessity: to deliver the Service you request
• Legal obligation: compliance with applicable laws
• Legitimate interests: to improve our Service, prevent fraud

Your GDPR Rights

Under the GDPR, you have the right to:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Ask us to correct any inaccurate or incomplete data.
• Erasure ("Right to be Forgotten"): Request deletion where no lawful basis exists. This applies to personal data only, not anonymized data that can no longer identify you.
• Restriction of Processing: Request that we restrict how we use your data.
• Data Portability: Obtain and reuse your personal data across different services.
• Object: Object to processing based on legitimate interests or direct marketing.
• Withdraw Consent: You may withdraw consent at any time.

To exercise any of these rights, please contact us at [email protected]. We will respond within one month, or sooner if required by law.

Supervisory Authority

If you are located in the European Economic Area and believe that our processing of your personal information violates data protection laws, you have the right to lodge a complaint with a supervisory authority responsible for data protection. You can find contact details for supervisory authorities at: edpb.europa.eu/about-edpb/about-edpb/members_en

Changes to This Privacy Policy

Recent Updates (January 15, 2025)

Key changes in this version include:

• Updated data location from United States to Germany for full GDPR compliance
• Enhanced legal basis clarification for data processing activities
• Improved consent withdrawal mechanisms with multiple contact options
• Added clear distinction between data deletion and anonymization
• Enhanced data subject rights information and contact details
• Added Data Protection Officer contact information

Future Changes

We may update our Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page.

For material changes that affect your rights or significantly change how we process your data, we will provide at least 30 days' notice via email and/or a prominent notice on our Service, and update the "Effective Date" at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

Data Controller:
WebAbility
Email: [email protected]

Data Protection Officer:
Email: [email protected]

For GDPR-related inquiries:
Email: [email protected]