Skip to main content
Sturdly

Privacy Policy

Last updated: May 19, 2026

1. Information We Collect

We collect information necessary to provide the Sturdly Service. This includes:

  • Account information. Name, email address, and password (stored as a bcrypt hash) when you register for an account.
  • Website URLs. The URLs you submit for scanning or add to your monitoring dashboard.
  • Scan results. HTML snippets, DOM selectors, page screenshots, and structured accessibility findings produced by our scanner when it visits your pages. This data belongs to your account and is subject to the retention schedule below.
  • Usage data. Page views, feature interactions, API call counts, and scan credit consumption, collected to enforce plan limits and improve the Service.
  • Payment information. Credit card details are collected and processed directly by Stripe. We never store full card numbers or CVV codes on our systems. We retain only the last four digits and card type returned by Stripe for display purposes.
  • IP addresses. Stored as a one-way hash (SHA-256, salted) for rate limiting on free scan endpoints only. Raw IP addresses are not persisted.
  • Demand letter documents. If you use the demand letter response kit feature, documents you upload are stored encrypted at rest and deleted automatically after 90 days. They are not used for any purpose other than generating your response kit.

2. How We Use Your Information

  • To provide, operate, and improve the Service, including running scans, generating reports, and delivering AI fix suggestions.
  • To send transactional notifications: scan completion alerts, regression alerts from Autopilot monitoring, billing receipts, and plan expiration notices.
  • To enforce plan limits and prevent abuse of free scan endpoints and the API.
  • To improve the accuracy of our scanning rules and AI models by analyzing aggregate patterns in anonymized scan findings. We do not use individual customer content to train models without explicit consent.
  • To respond to your support requests.
  • To comply with applicable law, respond to legal process, and protect the rights and safety of our users and the public.

We do not sell your personal data. We do not use your data to serve third-party advertising.

3. Data Retention

  • Paid-plan scan results: Retained for 12 months from the date of the scan, then automatically purged.
  • Free scan results: Retained for 7 days, then automatically purged.
  • Demand letter documents: Retained for 90 days from upload, then automatically and permanently deleted.
  • Account data: Retained until you submit a deletion request or until 30 days after account termination, whichever comes first.
  • Billing records: Retained for 7 years as required by applicable tax and financial regulations, notwithstanding any deletion request.

4. Third-Party Services

We share data with the following service providers only to the extent necessary to deliver the Service:

  • Stripe — Payment processing. Your payment card data goes directly to Stripe and is governed by Stripe's Privacy Policy.
  • Anthropic Claude — AI fix suggestion generation. When you request AI explanations, HTML snippets and accessibility rule context from your scan results may be sent to Anthropic's API. Anthropic does not use API inputs to train models by default; see Anthropic's Privacy Policy.
  • Resend — Transactional email delivery. Your email address is shared with Resend to send you scan notifications and billing receipts.
  • Neon / PostgreSQL — Primary database, hosted in the United States. All account, scan, and organization data lives here.
  • Inngest — Background job orchestration for scan queuing, report generation, and notifications.
  • Vercel — Web application hosting and scan execution. Our Playwright-based scanner runs in Vercel's serverless compute; scanned URLs and the resulting HTML content are processed there.

Each provider operates under its own privacy policy and data processing agreements. We do not authorize any provider to use your data for their own purposes beyond what is necessary to perform services on our behalf.

5. Data Security

We implement industry-standard safeguards to protect your data:

  • All data is encrypted in transit using TLS 1.2 or higher.
  • Data is encrypted at rest in our database and storage systems.
  • Demand letter documents are encrypted with per-record keys.
  • Access to production systems is restricted to authorized personnel and protected by multi-factor authentication.
  • We do not sell, rent, or trade your personal data to any third party.

No security system is impenetrable. In the event of a data breach affecting your personal information, we will notify you as required by applicable law.

6. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

  • Access and portability. You may export your scan results and account data at any time from the dashboard settings page.
  • Correction. You may update your account information in your profile settings.
  • Deletion. You may request deletion of your account and all associated personal data by emailing support@sturdly.com. We will process deletion requests within 30 days, subject to retention obligations required by law (e.g., billing records).
  • Opt-out of marketing. Transactional emails (scan alerts, billing notices) cannot be disabled while your account is active. Marketing emails include an unsubscribe link.
  • CCPA rights (California residents). You have the right to know what personal data we collect, to request deletion, and to opt out of sale (we do not sell data). Contact us to exercise these rights.
  • GDPR rights (EEA/UK residents). You have the right to access, rectify, erase, restrict processing of, and port your data, as well as the right to object to processing. Contact us to exercise these rights.

7. Cookies

We use a minimal set of cookies:

  • Session cookies. Set by NextAuth for authentication purposes. These are essential and cannot be disabled without losing access to your account.
  • No third-party tracking cookies. We do not use Google Analytics, Facebook Pixel, or other third-party tracking scripts.
  • Server-side analytics. Usage metrics are collected server-side without setting tracking cookies in your browser.

8. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 14 days before the changes take effect. The updated policy will be posted at this URL with a revised "Last updated" date. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

9. Contact

Questions about this Privacy Policy or requests to exercise your rights? Contact us at support@sturdly.com.