Legal · Last updated
Privacy Policy
Draft — pending legal review. This document is a starting template and will be replaced with a lawyer-reviewed version before general availability. If you have questions in the meantime, email privacy@mandatiq.com.
mandatiq (“mandatiq”, “we”, “us”) operates a self-serve web accessibility monitoring service for organisations subject to the European Accessibility Act (EAA). This Privacy Policy explains what personal data we collect, why we collect it, who we share it with, and the rights you have under the General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”) and the Portuguese Data Protection Act (Lei n.º 58/2019).
1. Who is the controller?
The data controller for personal data processed through mandatiq.com is mandatiq. You can reach us for any privacy-related matter at privacy@mandatiq.com.
mandatiq has not appointed a formal Data Protection Officer because our core processing does not meet the thresholds in GDPR Art. 37. The address above is monitored by the person responsible for privacy matters and is the correct channel for any rights request.
2. What personal data we collect
We collect the minimum personal data needed to provide the service. Specifically:
- Account data. Email address, organisation name, hashed authentication credentials, and timestamps — collected when you sign up or accept an invitation.
- Scan input. The URLs you submit for scanning and any parameters you configure (crawl depth, schedule).
- Scan output. Accessibility violations, HTML snippets of the failing elements, screenshots where applicable, and AI-generated fix suggestions.
- Lead data. If you submit the free anonymous scanner, we store the email you provide and the scan ID it is linked to, so we can email you the results.
- Billing metadata. Stripe customer and subscription identifiers, invoice numbers, subscription tier, and plan usage counters. We do not store payment card details — these are handled directly by Stripe under its own PCI-DSS programme.
- Technical data. IP address, user agent, request timestamps, and rate-limit counters. We use these for security, abuse prevention, and service reliability.
- Cookies. Strictly necessary session and CSRF cookies set by our auth provider (Supabase). Non-essential analytics or marketing cookies are only set with your prior consent — see the Cookies section below.
3. Why we process it (legal basis)
We process personal data on the following legal bases:
- Performance of a contract (GDPR Art. 6(1)(b)) — account creation, running the scans you request, delivering reports, and processing your subscription.
- Legitimate interest (GDPR Art. 6(1)(f)) — securing the service, detecting abuse, applying rate limits, aggregating anonymised usage statistics, and communicating with you about service changes. You can object to processing on this basis at any time (see “Your rights” below).
- Legal obligation (GDPR Art. 6(1)(c)) — retaining invoices and billing records to comply with Portuguese tax law and the EU VAT Directive.
- Consent (GDPR Art. 6(1)(a)) — any non-essential cookies or analytics, product-update newsletters, and other optional communications. You can withdraw consent at any time without affecting processing carried out before the withdrawal.
4. Who we share it with (processors)
mandatiq is a small team and relies on sub-processors for infrastructure and ancillary services. Each sub-processor is contractually bound by a Data Processing Agreement that meets the requirements of GDPR Art. 28.
- Supabase (Supabase Inc., USA; EU region) — managed Postgres database and authentication. Stores account data, scan inputs, and scan outputs. EU region selected for data residency.
- Vercel (Vercel Inc., USA) — hosts the mandatiq web application. Processes request metadata and serves static assets.
- Fly.io (Fly.io Services Inc., USA; Frankfurt region) — hosts the scanner worker that performs accessibility scans. Region pinned to fra for EU data residency.
- Stripe (Stripe Payments Europe Ltd, Ireland) — payment processing, subscription management, invoicing.
- Upstash (Upstash Inc., USA; EU region) — Redis store used for API rate limiting.
- Anthropic (Anthropic PBC, USA) — the Claude API, used to generate fix suggestions for accessibility violations. We send the violation rule ID, a short HTML snippet, and the WCAG criteria; we do not send personal data.
- Resend (Resend Inc., USA) — transactional email delivery (scan result emails, billing notifications).
- Cloudflare (Cloudflare Inc., USA) — DNS, CDN, and bot-protection services in front of the web app.
For sub-processors located outside the EU/EEA, we rely on the Standard Contractual Clauses (2021/914) and, where applicable, the EU–US Data Privacy Framework as the transfer mechanism under GDPR Chapter V. A current list of sub-processors and their transfer mechanisms is available on request at privacy@mandatiq.com.
5. How long we keep it (retention)
- Account data — kept for the lifetime of your account, then deleted within 30 days of account closure.
- Scan results (authenticated accounts) — kept while the site remains in your account. Deleting a site or scan removes the associated data, including violations and fix suggestions, within 30 days.
- Anonymous free scans — automatically deleted seven days after they complete. The email associated with a lead is retained separately (see below).
- Lead emails — kept until you unsubscribe or request deletion. Unsubscribe links are included in every marketing email.
- Invoices and billing records — retained for ten years to comply with Portuguese commercial and tax law, regardless of whether your account is still active.
- Security logs — retained for 90 days, then purged.
6. Your rights
Under the GDPR you have the right to:
- Access (Art. 15) — request a copy of the personal data we hold about you.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure (Art. 17, “right to be forgotten”) — request deletion of your data where one of the grounds in Art. 17(1) applies.
- Restriction (Art. 18) — ask us to stop processing while a dispute is resolved.
- Portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format.
- Objection (Art. 21) — object to processing based on legitimate interest, including direct marketing.
- Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
- Lodge a complaint with a supervisory authority. The competent authority for Portugal is the Comissão Nacional de Protecção de Dados (CNPD). You may also complain to the supervisory authority of your habitual residence.
To exercise any of these rights, email privacy@mandatiq.com. We will respond within one month as required by GDPR Art. 12(3).
7. Cookies
mandatiq uses cookies and similar technologies only where strictly necessary to operate the service, or with your prior consent.
- Strictly necessary — authentication and CSRF cookies set by our auth provider (cookie names begin with sb-). These are required to keep you signed in and to protect form submissions; they cannot be disabled through the cookie banner.
- Analytics — not currently used. If we introduce privacy-respecting analytics in the future, they will be opt-in.
- Marketing — not currently used and, if ever introduced, will be opt-in.
When a cookie banner is present, you can open it again at any time by clicking Cookie settings in the footer.
8. Security
We encrypt data in transit using TLS 1.2 or newer, and at rest using the storage-level encryption provided by our sub-processors. Access to production infrastructure is restricted to a small number of administrators and is protected by SSO and hardware security keys. API keys are stored hashed, and payment card data never touches our servers.
9. Children
mandatiq is a business-to-business product and is not directed at children under 16. We do not knowingly collect personal data from children; if you believe a child has provided us with personal data, email privacy@mandatiq.com and we will delete it.
10. Changes to this policy
We may update this Privacy Policy as the service evolves. If we make material changes, we will notify you by email and update the “Last updated” date at the top of this page. Continued use of the service after an update constitutes acceptance of the revised policy.
11. Contact
For any privacy question, request to exercise your rights, or report of a suspected data breach, email privacy@mandatiq.com.
See also our Terms of Service.