Privacy Policy

Interpretation

The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

Definitions

For the purposes of this Privacy Policy:

• You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
• Company refers to AllAccessible, 1950 Butler Pike #244, Conshohocken, PA 19428.
• Application means the software program provided by the Company, named AllAccessible, including web dashboard, widget, and mobile applications.
• Service refers to the AllAccessible accessibility platform, including the Application, Website, Widget, API, and all related services.
• Widget refers to the JavaScript accessibility widget deployed on third-party websites.
• Personal Data is any information that relates to an identified or identifiable individual, including Protected Health Information (PHI) when applicable.
• Device means any device that can access the Service such as a computer, a cellphone, or a digital tablet.
• Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself.
• PHI (Protected Health Information) means individually identifiable health information as defined by HIPAA.

Personal Data

While using Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. This includes:

• Email address
• First name and last name
• Phone number
• Company name and business information
• Website URLs and domain information
• Billing address and payment information
• User preferences and accessibility settings

Accessibility Data

To provide accessibility services, We collect:

• Website content and structure for accessibility analysis
• Accessibility issues and compliance violations
• User interactions with accessibility features
• Screen reader and assistive technology preferences
• Color contrast and visual accessibility settings
• Audio descriptions and alternative text data

Usage Data

Usage Data is collected automatically and may include:

• Your Device's Internet Protocol address (IP address)
• Browser type, version, and operating system
• Pages visited, time spent, and navigation patterns
• Widget usage statistics and performance metrics
• API calls and response times
• Error logs and diagnostic information

Healthcare and Disability Data

When providing accessibility services to healthcare organizations or processing disability-related information, We may handle Protected Health Information (PHI) in compliance with HIPAA regulations. This data is subject to additional security measures and is processed only as necessary to provide accessibility services.

Infrastructure Services

Our Service is hosted on enterprise-grade cloud infrastructure that meets enterprise security, HIPAA-eligible, and PCI DSS compliance standards through our hosting environment:

• Authentication Services: Secure user identity management and access control
• File Storage: Encrypted storage systems with redundancy and backup
• Database Hosting: Encrypted database services with automated backups
• Content Delivery: Global content delivery network with TLS encryption
• Application Hosting: Scalable container-based application infrastructure
• Load Balancing: Secure traffic distribution and failover systems
• Cache Management: Encrypted session and performance cache systems
• Serverless Computing: Event-driven processing for data operations

Security and Monitoring

Our infrastructure includes comprehensive security and monitoring services:

• Encryption Key Management: Hardware security modules for encryption keys
• Audit Logging: Comprehensive activity and access logging
• Configuration Monitoring: Automated compliance and configuration checks
• Threat Detection: AI-powered security monitoring and threat analysis
• Web Application Firewall: Advanced protection against web-based attacks
• Secure Credential Storage: Encrypted storage for API keys and secrets
• Performance Monitoring: Real-time application and infrastructure monitoring

Data Location and Processing

Your data is primarily processed in secure data centers within the United States that maintain enterprise security standardss. We maintain Business Associate Agreements (BAAs) with our cloud infrastructure providers for HIPAA-eligible services to ensure healthcare data protection. Our hosting environment benefits from infrastructure providers that maintain compliance with industry standards including ISO 27001, SOC 1/2/3, and FedRAMP authorizations.

Payment Processing

• Stripe: Payment processing and subscription management. Stripe maintains PCI DSS Level 1 compliance and SOC certifications, ensuring payment data is processed securely according to industry standards.

Customer Relationship Management

• HubSpot: Customer relationship management, lead tracking, and communication. Data is shared to improve customer support and marketing efforts.

Email Services

• Amazon SES (Simple Email Service): Transactional email delivery for account notifications, password resets, and service communications.

AI and Machine Learning

• Computer Vision Services: Automated image analysis for generating alternative text descriptions.
• Text-to-Speech Services: Audio generation for accessibility features.
• AI Content Generation: Machine learning-powered accessibility content generation and analysis.

Analytics and Marketing Services

• Google Tag Manager (GTM-T3FHWN4): Tag and tracking code management for analytics and marketing pixels.
• Google Analytics (G-JNPSNTYYWN): Website traffic analysis, user behavior insights, conversion tracking.
• Google Ads: Conversion tracking and advertising campaign performance measurement.
• LinkedIn Insight Tag: B2B campaign tracking and professional audience insights.
• Facebook Pixel: Social media advertising performance and audience targeting (Meta platforms).
• Sentry: Error tracking, application performance monitoring, and diagnostic information.

These services may set cookies like: _ga, _gid, _fbp, li_fat_id, __hstc, __hssc. You can opt out through our cookie consent banner.

Security Services

• reCAPTCHA: Google reCAPTCHA v3 for bot protection and spam prevention on forms.
• Amazon CloudFront: Content delivery network (CDN) with integrated DDoS protection and web application firewall.

HIPAA Compliance Framework

For healthcare customers, AllAccessible operates under a comprehensive HIPAA compliance framework supported by our enterprise security compliant hosting environment:

• Business Associate Agreements (BAAs): Executed with all healthcare customers and HIPAA-eligible service providers
• Administrative Safeguards: Access controls, workforce training, and security incident procedures that meet SOC 2 standards
• Physical Safeguards: Leveraging enterprise-grade security data center security and physical access controls through our hosting providers
• Technical Safeguards: Enterprise-grade encryption, access logging, audit controls, and transmission security
• Compliance Framework: HIPAA compliance supported by our infrastructure providers' certifications and regular assessments

Protected Health Information (PHI)

When processing PHI, we implement additional security measures:

• End-to-end encryption for all PHI in transit and at rest
• Role-based access controls with multi-factor authentication
• Comprehensive audit logging and monitoring
• Regular security assessments and vulnerability testing
• Secure data disposal procedures for PHI retention

We use your Personal Data for the following purposes:

• Service Provision: To provide and maintain our accessibility services, including widget functionality and compliance monitoring
• Account Management: To manage your registration and provide access to Service features
• Performance Monitoring: To monitor Service usage, performance, and accessibility compliance
• Communication: To contact you regarding updates, security alerts, and service-related communications
• Support: To provide customer support and respond to your requests
• Legal Compliance: To comply with legal obligations and regulatory requirements
• Security: To protect against fraud, security threats, and unauthorized access
• Improvement: To analyze usage patterns and improve our Service offerings

Data Sharing

We may share your information in the following situations:

• Service Providers: With third-party vendors who assist in providing our Service (under appropriate agreements)
• Business Transfers: In connection with mergers, acquisitions, or business transfers
• Legal Requirements: When required by law, regulation, or legal process
• Security: To protect rights, property, or safety of AllAccessible, users, or the public
• Consent: With your explicit consent for specific purposes

Technical Safeguards

• Encryption: AES-256 encryption for data at rest and TLS 1.2+ for data in transit
• Access Controls: Role-based access with multi-factor authentication
• Network Security: VPC isolation, security groups, and network access controls
• Application Security: Web Application Firewall (WAF) and DDoS protection
• Monitoring: 24/7 security monitoring and threat detection through SOC-compliant hosting environment
• Backup Security: Encrypted backups with secure retention policies
• Compliance Standards: Infrastructure that meets enterprise security, ISO 27001, and HIPAA-eligible standards

Organizational Safeguards

• Regular security training and awareness programs for all personnel
• Background checks and security clearances for employees with data access
• Incident response procedures and breach notification protocols that meet enterprise security standards
• Regular security assessments, penetration testing, and vulnerability management
• Data minimization and privacy-by-design principles following industry best practices
• Adherence to GDPR, CCPA, HIPAA, and other regulatory requirements where applicable

We retain your Personal Data only as long as necessary for the purposes outlined in this Privacy Policy:

• Account Data: Retained while your account is active and for 7 years after account closure for legal compliance
• Usage Data: Retained for 25 months for analytics and service improvement
• Audit Logs: Retained for 7 years for security and compliance purposes
• PHI Data: Retained according to HIPAA requirements and customer agreements
• Marketing Data: Retained until you opt-out or for 3 years from last interaction
• Backup Data: Maintained in encrypted archives according to our backup retention policy

If you are located in the European Economic Area (EEA), you have the following rights:

• Right to Access: Request access to your Personal Data and receive a copy
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure: Request deletion of your Personal Data (right to be forgotten)
• Right to Restrict Processing: Request limitation of processing under certain circumstances
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests or direct marketing
• Right to Withdraw Consent: Withdraw consent where processing is based on consent

Legal Basis for Processing

We process Personal Data under the following legal bases:

• Consent: For marketing communications and certain data processing activities
• Contract Performance: To provide our Service and fulfill our obligations
• Legal Obligations: To comply with applicable laws and regulations
• Legitimate Interests: For security, fraud prevention, and service improvement

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request information about the categories and specific pieces of Personal Data we collect
• Right to Access: Request access to your Personal Data
• Right to Delete: Request deletion of your Personal Data
• Right to Opt-Out: Opt-out of the sale of Personal Data (Note: We do not sell Personal Data)
• Right to Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights

Do Not Sell My Personal Information

We do not sell, rent, or trade your Personal Data to third parties for monetary or other valuable consideration. We may share data with service providers for business purposes as outlined in this policy.

Our Service is not directed to children under 13 years of age. We do not knowingly collect Personal Data from children under 13. If you become aware that a child has provided us with Personal Data, please contact us immediately. If we discover that we have collected Personal Data from a child under 13 without verification of parental consent, we will take steps to remove that information from our servers.

For users between 13 and 18 years old, we may limit certain functionality and require parental consent for some processing activities as required by applicable law.

Your Personal Data may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards for international transfers:

• Adequacy Decisions: Transfers to countries with adequate data protection levels
• Standard Contractual Clauses: EU-approved Standard Contractual Clauses for international transfers
• Cloud Provider Agreements: Ensuring appropriate safeguards for cloud processing
• Encryption: All international transfers are encrypted in transit and at rest