Fix47

Privacy Policy

Last updated: May 20, 2026

1. Information We Collect

URLs you scan: When you use our free scanner, we process the URL you submit to perform the accessibility audit. We do not store the content of the scanned pages.

Email address: If you choose to unlock your full risk report, we collect the email address you provide.

Usage data: We collect anonymized usage data (pages visited, scan completion rates) to improve our service. We do not use third-party tracking cookies.

Technical data: We automatically collect browser type and version, IP address (anonymized after 30 days), and device type to ensure service compatibility and security.

2. How We Use Your Information

  • To perform accessibility scans and generate reports
  • To send you your risk report via email (if requested)
  • To communicate about our remediation services (you can unsubscribe at any time)
  • To improve our scanning technology and service quality

3. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases:

  • Consent: For email communications and marketing. You can withdraw consent at any time by unsubscribing.
  • Legitimate interest: For service improvement, fraud prevention, and ensuring platform security.
  • Contract performance: For delivering scan reports and remediation services that you have requested or purchased.
  • Legal obligation: For retaining financial and transactional records as required by UK law (Companies Act 2006, HMRC requirements).

4. Data Sharing

We do not sell, rent, or trade your personal information to third parties. We may share data with service providers who assist in operating our platform (e.g., email delivery, hosting), subject to confidentiality obligations. See Section 9 for details of our sub-processors.

5. Cookies and Tracking

We use only essential cookies required for the basic functionality of our service (e.g., session management). We do not use third-party advertising trackers or marketing cookies.

Analytics are collected via anonymized server-side logs. No client-side analytics scripts from third parties are loaded on our pages.

5a. Cookies — Detailed Disclosure

We use a minimal set of cookies and similar technologies, all classified as “strictly necessary” under ePrivacy Directive Article 5(3). No tracking, marketing, or analytics cookies are set without explicit consent.

Cookies we use

Cookie | Purpose | Duration | Type
admin-token | Authentication for the Fix47 admin dashboard. Only set if you log in to /admin. Not set during normal site browsing. | Session | Strictly necessary
Vercel infrastructure | Hosting and deployment routing used by our infrastructure provider (Vercel). No personal tracking or profiling. | Session | Strictly necessary

Third-party services — Stripe

When you initiate a payment, you are redirected to Stripe's hosted Checkout page on the stripe.com domain. Fix47 does not load Stripe.js on its own pages. Any cookies set during the Stripe Checkout flow are set by Stripe on their own domain and are governed by Stripe's Privacy Policy: stripe.com/privacy.

What we do not use

  • No Google Analytics, Facebook Pixel, Hotjar, or any other behavioural tracking
  • No marketing cookies, retargeting, or third-party advertising
  • No cross-site tracking

Your rights

You can disable cookies in your browser settings. Disabling strictly necessary cookies will prevent the admin dashboard from functioning but will not affect general site browsing.

Updates to cookie usage

If we add analytics or marketing tools in the future that require non-essential cookies, we will deploy a consent banner with opt-in granular controls before activation, in compliance with UK PECR 2003, ePrivacy Directive 2002/58, and UK/EU GDPR Article 7(1).

5b. Site Access Credentials

When you become a remediation customer, we collect site access credentials (admin URLs, usernames, passwords) you provide via our secure form (fix47.com/credentials/…). These are encrypted at rest using AES-256-GCM, accessible only to authorised Fix47 personnel, used solely for delivering your remediation, and automatically deleted within 14 days of project completion. We never share them with third parties.

Legal basis: contract performance (UK GDPR Art. 6(1)(b)).

6. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy or as required by law. Specific retention periods are as follows:

  • Scan results: 30 days, then automatically deleted.
  • IP addresses: Anonymized after 30 days.
  • Lead and contact data (email, name): 36 months from the date of last meaningful interaction (e.g., scan, email open, support request). Deleted upon unsubscribe or deletion request if earlier.
  • Email communications: 24 months from the date of the communication.
  • Payment records and financial transactions: 7 years from the transaction date, as required by UK HMRC and the Companies Act 2006.
  • Client remediation engagement data (audit logs, scan data, remediation evidence, Audit Certificates): 7 years post-engagement, to support warranty claims, legal audit trails, and professional indemnity obligations.

7. Your Rights (GDPR)

Under GDPR and applicable data protection laws, you have the right to:

  • Access the personal data we hold about you
  • Request correction or deletion of your data
  • Restrict or object to the processing of your data
  • Data portability — receive your data in a structured, machine-readable format
  • Withdraw consent for email communications at any time
  • Lodge a complaint with a supervisory authority

8. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know: You may request details about the categories and specific pieces of personal information we have collected about you.
  • Right to delete: You may request the deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to opt-out: You may opt out of the sale of personal information. Note: we do not sell personal information.
  • Non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise these rights, contact us at hello@fix47.com.

8a. Children's Data

Fix47's services are intended for businesses and adult professionals. We do not knowingly collect personal data from individuals under 13 (USA, COPPA 16 CFR §312) or under 16 (EU/UK GDPR Art. 8). If we become aware that we have collected data from a child below these ages, we will delete it promptly. If you believe we may have inadvertently collected such data, please contact us at hello@fix47.com.

9. International Data Transfers and Sub-processors

Fix47 uses the following third-party sub-processors who may process personal data outside the UK or EU. Where data is transferred to the United States, we rely on the EU-US Data Privacy Framework (where the processor is certified) or Standard Contractual Clauses (SCCs) approved by the European Commission and UK ICO, as indicated below.

Sub-processor | Purpose | Location | Transfer mechanism
Stripe Inc. | Payment processing | USA | EU-US Data Privacy Framework + SCCs
Resend Inc. | Transactional email delivery | USA | Standard Contractual Clauses
Neon Inc. | Database hosting (PostgreSQL) | USA | Standard Contractual Clauses
Vercel Inc. | Website hosting and deployment | USA | Standard Contractual Clauses

This list reflects our current sub-processors. We will update this section if we add new sub-processors. Where sub-processors change, material updates will be communicated as described in Section 11.

10. Security

We implement industry-standard security measures including encryption in transit (TLS), secure hosting, and access controls. No method of transmission over the Internet is 100% secure, but we strive to protect your information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We distinguish between material and non-material changes:

  • Material changes (e.g., new data uses, new sub-processors, changes to your rights): we will provide at least 30 days' advance notice via email or in-product notice, and re-request consent where lawfully required.
  • Non-material changes (e.g., clarifications, typo corrections, formatting): continued use of our services after the update date constitutes acceptance.

12. Data Controller

Data Controller: Carlo Anselmi, trading as Fix47 (UK sole trader).
Address: 124 City Road, London EC1V 2NX, United Kingdom.
ICO Registration: ZC137959.
Legal / data subject requests: carlo@fix47.com
General enquiries: hello@fix47.com
Supervisory authority: UK Information Commissioner's Office (ico.org.uk).

13. Contact

For privacy-related inquiries, contact us at hello@fix47.com.