Privacy Policy

Last Updated: March 28, 2026

Effective Date: March 28, 2026

1. Introduction and Scope

Brandon Armour, operating as LiquidA11y ("Company," "we," "us," or "our"), operates the LiquidA11y accessibility scanning and remediation platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your personal information when you:

  • Visit our websites at liquida11y.com and app.liquida11y.com
  • Use our accessibility scanning, Fix-Flow Studio, or Compliance Record services
  • Connect your Shopify store via our custom app integration
  • Contact us for support or other inquiries
Important: By using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use of the Service immediately.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Information: Email address, name, password (stored as a cryptographic hash using bcrypt with salt), company name (optional)
  • Billing Information: Payment card details, billing address. Note: All billing is handled through the Shopify Billing API. We do not process, store, or have access to payment card details.
  • Website URLs: URLs you submit for accessibility scanning, including any associated metadata
  • Shopify Store Data: When you connect your store, we access: store name, domain, theme information, product/collection/page URLs (for scanning purposes only). We do NOT access customer personal data, orders, or financial information.
  • Communications: Emails, chat messages, support tickets, feedback, and any other communications you send to us
  • AI Chat Interactions: Conversations with our AI support assistant, which are logged for quality improvement and abuse prevention

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, scan history, Fix-Flow applications, time spent on pages, click patterns
  • Device Information: Browser type and version, operating system, device type, screen resolution
  • Network Information: IP address (may be anonymized after 30 days), approximate geolocation (country/region level)
  • Referral Data: How you arrived at our site (referrer URL, UTM parameters)
  • Cookies and Similar Technologies: Session identifiers, preferences, analytics data (see Section 8)

2.3 Website Scan Data

When you scan a website, we temporarily access and analyze publicly accessible page content to identify accessibility issues. Specifically:

  • We render pages using headless browser technology (Chromium via Playwright)
  • We analyze DOM structure, CSS styles, ARIA attributes, and visual elements
  • We may capture screenshots for AI vision analysis to detect visual accessibility issues
  • Scanned page data is processed in memory and NOT permanently stored except for aggregate issue reports
  • We do NOT access password-protected pages, logged-in user sessions, customer databases, or private backend systems
Zero-Retention Policy: For Free Discovery Scans, page content data is deleted immediately after scan completion. For Accessibility Audit purchases, data is retained for 42 days (14-day premium trial + 28-day grace period, then permanently deleted unless you add Always Accessible). For Always Accessible subscribers, data is retained while your subscription is active.

3. How We Use Your Information

We use collected information for the following purposes:

  • Service Delivery: Perform accessibility scans, generate reports, provide Fix-Flow Studio functionality, maintain Compliance Record audit trails
  • Account Management: Create and manage your account, authenticate logins, process password resets
  • Billing: Process payments, issue invoices, handle subscription management, prevent fraud
  • Customer Support: Respond to inquiries, troubleshoot issues, provide technical assistance
  • Product Improvement: Analyze usage patterns (in aggregate), identify bugs, develop new features
  • Security: Detect and prevent fraud, abuse, and unauthorized access
  • Communications: Send transactional emails (scan results, account notifications), and with consent, marketing communications
  • Legal Compliance: Comply with applicable laws, respond to legal requests, enforce our Terms of Service

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

  • Contractual Necessity: Processing necessary to perform our contract with you (e.g., providing scanning services, generating reports you purchased)
  • Legitimate Interests: Processing for our legitimate business interests (e.g., product improvement, fraud prevention, security) where not overridden by your rights
  • Consent: Processing based on your explicit consent (e.g., marketing communications, optional analytics)
  • Legal Obligation: Processing necessary to comply with applicable law (e.g., tax records, responding to valid legal requests)

5. How We Share Your Information

We do NOT sell your personal information. We have never sold personal information and have no plans to do so.

We may share information with the following categories of recipients:

5.1 Service Providers

  • Stripe, Inc.: Payment processing (PCI DSS Level 1 certified)
  • Railway: Backend server hosting and infrastructure
  • Cloudflare: Frontend hosting (Cloudflare Pages), CDN, DDoS protection, DNS, security
  • Neon: PostgreSQL database hosting
  • Upstash: Redis caching
  • Resend: Transactional email delivery
  • AI Model Providers: AI analysis services including open-source models hosted via NVIDIA NIMs and other providers (scan data may be processed for accessibility analysis)
  • Sentry: Error monitoring (minimal, anonymized diagnostic data)

All service providers are contractually obligated to protect your data and use it only for specified purposes.

5.2 Legal Requirements

We may disclose information when required by law, court order, or government request, or when we believe disclosure is necessary to:

  • Comply with applicable law or legal process
  • Protect our rights, property, or safety
  • Prevent fraud or other illegal activity
  • Enforce our Terms of Service

5.3 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our website of any such change in ownership or control.

6. Data Retention

We retain your information for as long as necessary to:

  • Provide the Service (while your account is active)
  • Comply with legal obligations (e.g., tax records: 7 years)
  • Resolve disputes and enforce agreements

Specific Retention Periods:

  • Free Discovery Scan Data: Deleted immediately after scan completion (zero retention)
  • Accessibility Audit Data: Retained for 42 days from purchase (14-day trial + 28-day grace), then permanently deleted unless upgraded to Always Accessible
  • Always Accessible Data: Retained for duration of subscription + 42 days after cancellation
  • Account Data: Retained while account is active; deleted 42 days after account deletion request or app uninstall
  • Billing Records: Retained for 7 years for tax/legal compliance
  • AI Chat Logs: Retained for 90 days, then anonymized or deleted
  • Audit Logs (Compliance Record): Retained for 1 year or as specified by your plan

7. Data Security

We implement industry-standard technical and organizational security measures including:

  • Encryption in Transit: TLS 1.3 encryption for all data transmitted between you and our servers
  • Encryption at Rest: AES-256 encryption for stored data
  • Password Security: Passwords hashed using bcrypt with unique salts (never stored in plaintext)
  • Access Controls: Role-based access control, principle of least privilege
  • Infrastructure Security: Firewalls, intrusion detection, DDoS protection
  • Audit Logging: Comprehensive logging of system access and administrative actions
  • Vendor Security: Payment security managed by Shopify Billing API
  • Regular Assessments: Periodic security reviews and vulnerability assessments

While we strive to protect your information, no method of transmission or storage is 100% secure. You are responsible for maintaining the security of your account credentials.

8. Cookies and Tracking Technologies

We use cookies and similar technologies. For detailed information, please see our Cookie Policy.

In summary:

  • Essential Cookies: Required for site functionality (authentication, security). Cannot be disabled.
  • Preference Cookies: Remember your settings and preferences.
  • Analytics Cookies: Help us understand usage patterns (can be declined).

You can control cookies through your browser settings or our cookie consent banner.

9. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights:

9.1 All Users

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your data (subject to legal retention requirements)
  • Opt-Out: Unsubscribe from marketing communications at any time

9.2 GDPR Rights (EEA, UK, Switzerland)

  • Portability: Receive your data in a structured, machine-readable format
  • Restriction: Request restriction of processing in certain circumstances
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw previously given consent at any time
  • Automated Decision-Making: Not be subject to solely automated decisions with legal effects
  • Lodge Complaint: File a complaint with your local data protection authority

9.3 CCPA/CPRA Rights (California Residents)

  • Right to Know: Know what personal information is collected, used, shared, or sold
  • Right to Delete: Request deletion of personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out of Sale/Sharing: We do NOT sell or share personal information for cross-context behavioral advertising
  • Right to Limit Use of Sensitive Information: Limit how sensitive personal information is used
  • Non-Discrimination: Not receive discriminatory treatment for exercising your rights

California residents may designate an authorized agent to make requests on their behalf. Verification may be required.

How to Exercise Your Rights

To exercise any of these rights, contact us at: privacy@liquida11y.com

We will respond to verifiable requests within 30 days (GDPR) or 45 days (CCPA/CPRA), with possible extensions where permitted by law.

10. International Data Transfers

LiquidA11y is based in the United States. If you access our Service from outside the United States, your information will be transferred to, stored, and processed in the United States.

For transfers from the EEA, UK, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Supplementary measures where required by Schrems II decision
  • Adequacy decisions where applicable

11. European Accessibility Act (EAA) Compliance

The European Accessibility Act (Directive (EU) 2019/882), enforceable from June 28, 2025, requires e-commerce services to meet accessibility standards harmonized with EN 301 549 (which references WCAG 2.2 Level AA). LiquidA11y helps merchants meet these requirements by scanning against WCAG 2.2 AA criteria (ISO/IEC 40500:2025) and generating code-level fixes.

Important: Automated scanning identifies approximately 30–40% of accessibility barriers. LiquidA11y reports are informational tools to assist your compliance efforts—they do not constitute legal certification of EAA, ADA, or any other regulatory compliance. We recommend combining automated scanning with expert manual review for comprehensive accessibility coverage.

12. Children's Privacy

LiquidA11y is not intended for individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected such data, we will delete it promptly. If you believe a child has provided us with personal information, contact us immediately.

13. Do Not Track Signals

Our Service currently does not respond to "Do Not Track" browser signals. However, you can control tracking through our cookie consent mechanism and browser settings.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy with a new "Last Updated" date
  • Sending email notification for significant changes (if you have an account)
  • Displaying a prominent notice on our website

Your continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.

15. Contact Us

For privacy-related questions, concerns, or to exercise your rights:

  • Email: privacy@liquida11y.com
  • Operator: Brandon Armour, operating as LiquidA11y
  • Location: San Luis Obispo County, California, United States

For EU/UK residents, if you have concerns about our data processing that we cannot resolve, you have the right to lodge a complaint with your local supervisory authority.