Privacy Policy
Last updated: July 5, 2026
This policy explains what data SiteAttest collects, why we collect it, who we share it with, and the choices you have. The short version: we collect what we need to scan the sites you submit and run your account, we never sell your data, payments are handled by Stripe, and you can ask us to delete your data at any time.
1. Who we are and what this covers
SiteAttest is operated by Masas Technologies, LLC ("we", "us"), the data controller for the personal data described here. SiteAttest provides automated website accessibility scanning and monitoring. This policy explains what personal data we collect when you use our website and Service, how we use it, who we share it with, and the rights you have. It applies to visitors who run free scans, subscribers, and recipients of our reports and emails.
2. Data we collect
- Account data: email address, name (optional), and a hashed password. We never store passwords in plain text.
- Billing data: handled by Stripe, our payment processor. We store your Stripe customer and subscription identifiers and your plan status. We do not receive or store your full card number.
- Lead data: if you unlock a free scan report, we store the email address you provide together with the scanned URL and score.
- Scan data: the URLs you submit, the publicly accessible content of those pages as loaded during the scan, and the resulting findings, scores, screenshots, and reports.
- Agency branding: brand names and logo URLs you configure for white-label reports.
- Usage and log data: IP address, browser type, pages visited, and timestamps, used for security, rate limiting, and improving the Service.
- Cookies: a session cookie to keep you signed in. We do not use third-party advertising cookies.
3. How we use your data
- to provide the Service: run scans, generate reports, send regression alerts, and maintain your compliance evidence log
- to process payments and manage subscriptions through Stripe
- to send transactional email such as scan reports and alerts through our email provider
- to respond to support requests
- to secure the Service, prevent abuse, and enforce our terms, including verifying that scans target permitted, publicly reachable websites
- to send occasional product updates to leads and customers, which you can opt out of at any time
Where the GDPR applies, we rely on performance of a contract (providing the Service), legitimate interests (security, product improvement, business communications), and consent where required (marketing emails).
4. AI processing of scanned content
Parts of a scan use large language models to review page content, for example judging whether image alt text describes the image and drafting suggested fixes. To do this, excerpts of the scanned page (HTML snippets and images) are sent to our AI provider, Anthropic, for processing. This content comes from the websites you submit for scanning, not from your account data. AI outputs are cached so identical content is not repeatedly processed.
5. Who we share data with
We do not sell personal data. We share data only with service providers that help us run SiteAttest, under agreements limiting their use of it:
- Stripe, for payment processing
- our email delivery provider, for reports and alerts
- Anthropic, for AI analysis of scanned page content
- our hosting and infrastructure providers, which store our databases and run our scanners
We may also disclose data if required by law, to protect our rights or users, or as part of a merger or acquisition, in which case this policy continues to apply to previously collected data.
6. Shared report links
Free scan reports live at unlisted URLs. Anyone who has the link can view the report, so treat report links as you would the report itself. Reports are excluded from search engine indexing.
7. Retention
Account and subscription data is kept while your account is active and deleted or anonymized within a reasonable period after account deletion, except where we must retain records for tax, accounting, or legal purposes. Free scan reports and lead records may be deleted after a period of inactivity. Scan history for subscribers is retained as part of your compliance evidence log while your subscription is active; deleting a monitored site deletes its scan history.
8. Security
We use industry-standard measures to protect data: encrypted connections (HTTPS), hashed passwords, scoped API credentials, and isolation of the scanning infrastructure. Scans refuse to target private or internal network addresses. No system is perfectly secure, so we cannot guarantee absolute security; if a breach affects your personal data we will notify you as required by law.
9. Your rights
Depending on where you live (for example under the GDPR, UK GDPR, or CCPA), you may have the right to access, correct, delete, or export your personal data, to object to or restrict certain processing, to withdraw consent, and to complain to a supervisory authority. To exercise any of these rights, email us at the address below. We will respond within the time required by applicable law and may need to verify your identity first.
You can unsubscribe from non-essential emails using the link in any such email. Transactional emails, such as scan alerts for sites you actively monitor, are part of the Service.
10. International transfers
Our service providers may process data in countries other than yours, including the United States and the European Union. Where required, transfers are protected by appropriate safeguards such as standard contractual clauses implemented by our providers.
11. Children
The Service is intended for business use and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.
12. Changes to this policy
We may update this policy from time to time. For material changes we will give notice by email or in the Service before the changes take effect. The date at the top shows when this policy was last revised.
13. Contact
Masas Technologies, LLC. Privacy questions and rights requests: [email protected].