Privacy Policy

Effective date: 9 February 2026

1. Who we are

ToggleKit Ltd ("A11yFlow", "we", "us", "our") is a company registered in England and Wales. We are the data controller for the personal data processed through the A11yFlow API, dashboard, and documentation (together, the "Service").

For any questions about this policy or how we handle your data, you can reach us via our contact form.

2. What data we collect

Account information

When you create an account, we receive your email address and name from our authentication provider, Clerk. We store your user ID, email address, display name, and subscription tier in our database.

API usage data

We log metadata about each API request you make, including the endpoint called, HTTP method, response status code, response time in milliseconds, and a reference to the API key used. API keys are stored only as SHA-256 hashes. We do not log the contents of request or response bodies.

Scan data

When you submit a URL for scanning, we store the target URL, the scan configuration you specified, and the results produced by the scan (accessibility violations, scores, category breakdowns, and related metadata). Scan data is associated with the API key that initiated the request.

Billing data

All payment processing is handled by Paddle.com Market Limited ("Paddle"), who acts as our Merchant of Record. We store only your Paddle customer ID in our database. We do not receive, process, or store credit card numbers, bank account details, or other payment credentials. For information on how Paddle handles your payment data, please refer to Paddle's Privacy Policy.

Technical data

When you visit the dashboard, we may collect standard technical information such as your IP address, browser type, and device information through our hosting providers. This data is used for security purposes (such as rate limiting) and is not used for tracking or profiling.

3. Lawful basis for processing

Under the UK General Data Protection Regulation (UK GDPR), we rely on the following lawful bases:

  • Contract. Processing your account information, scan data, and billing data is necessary for the performance of our contract with you (i.e. providing the Service you have signed up for).
  • Legitimate interests. We process API usage logs and technical data for the purposes of maintaining the security and performance of the Service, preventing abuse, and improving our product. We have assessed that these interests do not override your rights and freedoms.
  • Legal obligation. We may process data where necessary to comply with a legal obligation, such as responding to a lawful request from a regulatory authority.

4. How we use your data

We use the data we collect to:

  • Provide, operate, and maintain the Service
  • Authenticate your identity and manage your account
  • Enforce rate limits and subscription quotas
  • Process subscriptions and billing through Paddle
  • Monitor the performance, security, and reliability of the Service
  • Detect and prevent fraud, abuse, and security incidents
  • Communicate with you about your account, service updates, or changes to our terms
  • Comply with legal obligations

We do not use your data for automated decision-making or profiling. We do not sell your personal data to third parties.

5. Who we share data with

We share personal data only with the third-party service providers necessary to operate the Service. We do not sell, rent, or trade your personal data.

Provider   | Purpose             | Data shared
Clerk      | Authentication      | Email, name
Paddle     | Payment processing  | Email, subscription details
Neon       | Database hosting    | All stored data (encrypted at rest and in transit)
Upstash    | Rate limiting       | API key identifiers, request counts
Cloudflare | API hosting and CDN | Request metadata (IP address, headers)
Vercel     | Dashboard hosting   | Request metadata (IP address, headers)
Sentry     | Error monitoring    | Anonymised error reports (no personal data)

6. International transfers

Some of our service providers are based outside the United Kingdom. Where personal data is transferred to a country that has not been deemed to provide an adequate level of data protection, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by the UK Information Commissioner's Office (ICO) or reliance on the provider's certification under an approved framework.

7. Data retention

  • Account data is retained for as long as your account remains active. If you close your account, we will delete your personal data within 30 days, except where we are required to retain it by law.
  • Scan results are retained for 90 days from the date of the scan, after which they are automatically deleted.
  • API usage logs are retained for 30 days.
  • Billing records may be retained for up to 7 years to comply with tax and accounting obligations.

8. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • API keys are stored as irreversible SHA-256 hashes. The raw key is displayed once at creation and cannot be retrieved.
  • All data in transit is encrypted using TLS.
  • Database connections are encrypted using SSL.
  • Access to production infrastructure is restricted and monitored.
  • Scan data is isolated per API key; users cannot access other users' results.

No method of transmission or storage is completely secure. While we strive to protect your data, we cannot guarantee absolute security.

9. Your rights

Under the UK GDPR, you have the following rights in relation to your personal data:

  • Right of access (Article 15) — You can request a copy of the personal data we hold about you.
  • Right to rectification (Article 16) — You can ask us to correct inaccurate or incomplete data.
  • Right to erasure (Article 17) — You can ask us to delete your personal data, subject to certain exceptions.
  • Right to restrict processing (Article 18) — You can ask us to limit how we use your data in certain circumstances.
  • Right to data portability (Article 20) — You can request a machine-readable copy of the data you provided to us.
  • Right to object (Article 21) — You can object to processing based on legitimate interests.

To exercise any of these rights, please use our contact form and select "Privacy or data request" as the subject. We will respond within one month, as required by law. There is no fee for making a request, although we may charge a reasonable fee for repetitive or manifestly unfounded requests.

If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
ico.org.uk/make-a-complaint

10. Cookies

We use strictly necessary cookies only. These are required for authentication and session management and cannot be disabled without breaking the Service. We do not use analytics cookies, advertising cookies, or any form of cross-site tracking.

11. Children

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. If we make material changes, we will notify you by email or through a notice on the dashboard at least 30 days before the changes take effect. The "Effective date" at the top of this page indicates when the policy was last revised.

13. Contact

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

ToggleKit Ltd
Contact form