Privacy Policy
At a glance
We built Curbcut to be honest, and that includes how we handle your data. In short:
- What we collect: your account details (name and email, via Google sign-in), the website URLs you ask us to scan, the resulting reports, and standard technical data (like your IP address) needed to run and protect the service.
- Why: to provide the scan and monitoring service you asked for, to keep it secure and free of abuse, and to communicate with you.
- We don’t sell your data. We don’t run advertising, and we don’t share your data with advertisers.
- Who helps us run it: a small set of infrastructure providers (hosting, database, email, storage) — listed below.
- Your control: you can access, correct, export, or delete your data at any time — email hello@curbcut.app.
The full detail is below. This summary doesn’t replace it.
1. Who we are
This Privacy Policy explains how Curbcut (“we”, “us”, “our”), the operator of curbcut.app, collects and uses personal data. For the purposes of the UK GDPR and EU GDPR, we are the data controller of the personal data described in this policy.
Questions about this policy or how we handle your data: hello@curbcut.app. A human — the person who built this — reads that inbox.
2. Scope
This policy applies to personal data we process when you:
- visit curbcut.app;
- run a free accessibility scan;
- create an account and use the dashboard, monitoring, and reports;
- contact us (via the contact form or email).
It does not cover third-party websites we link to, or the practices of the websites you choose to scan (which have their own policies).
3. The personal data we collect
- Account data — your name, email address, and an authentication identifier. From you, via Google sign-in (scope:
email profile). - Scan request data — the website URL(s) you submit. The free scan is anonymous: it requires no account and no email address. If you choose “email me this report”, we use the address you enter to send that report.
- Reports and results — accessibility findings, scores, reports, and annotated screenshots generated for the pages you scan or monitor.
- Technical and security data — IP address, browser and device information, timestamps, and request logs, used for security, rate-limiting, and abuse prevention.
- Usage data — aggregate, privacy-friendly product analytics (page views, feature use). Our analytics are cookieless, do not track you across other websites, and deliberately exclude identifying details such as scan IDs.
- Communications — your name, email, company, company size, and message when you use the contact form; any support correspondence.
- Payment data — not currently collected. Billing is off during early access. If we introduce paid plans, payments will be handled by a payment processor (Stripe); we will not store full card numbers, and we will update this policy first.
We do not intentionally collect special-category (sensitive) personal data, and we ask you not to submit it to us.
4. Cookies
We keep cookies to a minimum: the only cookies we set are strictly necessary ones that sign you in and keep your session secure. They are required for the service to work and do not need consent. Our analytics are cookieless — which is why you don’t see a cookie banner here. If that ever changes, we will ask for consent before setting any non-essential cookie.
5. Why we use your data, and our legal bases
Under UK/EU GDPR we must have a lawful basis for each use:
- Providing the scan, dashboard, monitoring, and reports you request — performance of a contract (or steps prior to one).
- Transactional email (a report you asked for, monitoring alerts, service notices) — performance of a contract.
- Security, abuse prevention, and rate-limiting — legitimate interests (running a secure, sustainable service).
- Improving the product with aggregate, cookieless analytics — legitimate interests.
- Responding to enquiries and support — legitimate interests / contract.
- Optional product updates — consent, or where permitted soft opt-in, always with an easy unsubscribe.
- Legal obligations (accounting, lawful requests) — legal obligation.
Where we rely on legitimate interests, we have weighed your rights and freedoms; you can object at any time (see Your rights).
6. Who we share your data with
We don’t sell your personal data and we don’t share it with advertisers. We use a small set of service providers to run Curbcut, under contracts that require them to protect your data:
- Supabase — database and authentication.
- Vercel — website and application hosting, and cookieless analytics.
- Fly.io — runs the scanner (London, UK region).
- Cloudflare — storage for reports and screenshots (R2).
- Resend — sends transactional and notification email.
- ImprovMX — forwards email sent to our @curbcut.app addresses (including privacy enquiries) to our inbox.
- Google — “Sign in with Google” authentication.
- Stripe — payment processing, only if and when paid plans launch.
We may also disclose personal data if required by law, to enforce our terms, or in connection with a business transfer (such as a merger or acquisition) — in which case we’ll tell you.
7. International data transfers
Some of our providers process data outside the UK/EEA, including in the United States. Where personal data leaves the UK/EEA, we rely on safeguards recognised under UK/EU GDPR: adequacy decisions where they apply, and otherwise Standard Contractual Clauses (together with the UK Addendum / International Data Transfer Agreement). You can request more information about these safeguards at hello@curbcut.app.
8. How long we keep your data
- Raw scan data (JSON) and screenshots: up to about 90 days.
- Report PDFs: up to about 12 months.
- Account data: for as long as your account is active, then deleted or anonymised within a reasonable period after closure (subject to legal retention duties, such as accounting records).
- Security and rate-limiting logs: short-lived, kept only as long as needed for abuse prevention.
- Contact and support messages: as long as needed to handle your enquiry and a reasonable follow-up period.
You can ask us to delete your data sooner at any time: hello@curbcut.app.
9. How we protect your data
We use technical and organisational measures appropriate to the risk: encryption in transit, access controls and least-privilege access, private (signed, expiring) links for reports and screenshots, and hardening of the scanner against abuse. No system is perfectly secure, but we take protecting your data seriously and review our practices as the product grows.
10. Your rights
If you’re in the UK or EEA
You have the right to access your data, rectify inaccurate data, erase it, restrict or object to processing, data portability, and to withdraw consent at any time where we rely on it. You can also lodge a complaint with a supervisory authority — in the UK, the Information Commissioner’s Office (ico.org.uk); in the EU, your local data protection authority. We respond to rights requests within one month (extendable for complex requests, as the law allows).
If you’re a US resident
Depending on your state, you may have rights to know, access, correct, delete, and obtain a portable copy of your personal information, and to opt out of its “sale” or “sharing”. We do not sell or share personal information for cross-context behavioural advertising, and we do not use it for targeted advertising. We will not discriminate against you for exercising your rights, and we respond within 45 days (extendable as the law allows).
How to exercise your rights
Email hello@curbcut.app. We may need to verify your identity before acting on a request. Every non-essential email we send includes an unsubscribe.
11. Automated decision-making
Curbcut’s accessibility score is a heuristic prioritisation indicator produced by an automated engine to help you triage issues. It is not a solely-automated decision with legal or similarly significant effects about you, and it is not a certification of legal compliance. We do not carry out profiling that produces legal effects concerning you.
12. Websites you scan, screenshots, and business outreach
When you submit a URL, our scanner fetches and analyses publicly available pages of that website. Reports include screenshots of those public pages so you can see exactly where each issue is; a screenshot may incidentally capture personal data that the page itself displays. Screenshots are stored privately, shared only via expiring links in your report, and deleted with the scan data (see retention above). We do not set out to collect personal data from scanned pages, and we ask you only to scan sites you own or are authorised to test.
Where we proactively scan a business’s public website and contact that business about accessibility, we do so as business-to-business communication on the basis of legitimate interests, and every such message includes an easy way to opt out.
13. Children’s privacy
Curbcut is a business tool and is not directed to children. We don’t knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact us and we’ll delete it.
14. Changes to this policy
We may update this policy from time to time. We’ll change the “Last updated” date above and, for material changes, take reasonable steps to notify you — by email or a notice on the site.
15. Contact us
Questions, requests, or complaints: hello@curbcut.app. If you’re in the UK and unhappy with our response, you can contact the ICO (ico.org.uk); in the EEA, your local supervisory authority.