Privacy Policy
Last updated: 19 May 2026
AllyUp is built on trust. This policy explains what personal data we collect, why we collect it, and how you can control it, in plain language.
Who we are
AllyUp is a service operated by Allxs B.V., a private limited company registered in the Netherlands (KVK: 92771467).
For GDPR purposes, Allxs B.V. is the data controller.
Contact: privacy@allyup.ai
What data we collect
Account data
Email address and hashed password, stored in Supabase (EU region).
Configuration data
Your AI provider choice, API key (stored encrypted), system prompt, and knowledge base content.
Scan reports
URLs you scan and the resulting accessibility report data (violations, scores).
Usage logs
Structured logs of scan events and errors for operational purposes, stored in Better Stack (EU region).
Error data
Unhandled exceptions and stack traces, sent to Sentry (EU region). No passwords or API keys included.
Legal basis for processing
GDPR requires us to have a lawful basis for each type of processing. The table below sets out our basis.
| Data type | Legal basis | Detail |
|---|---|---|
| Account & configuration data | Contract performance | Necessary to create your account and deliver the Service (GDPR Art. 6(1)(b)). |
| Scan reports | Contract performance | Necessary to deliver and display your accessibility scan results (GDPR Art. 6(1)(b)). |
| Usage logs | Legitimate interests | Ensuring operational reliability and diagnosing performance issues (GDPR Art. 6(1)(f)). |
| Error data | Legitimate interests | Identifying and fixing software defects to maintain service quality (GDPR Art. 6(1)(f)). |
How we use your data
- To provide and improve the AllyUp service.
- To send you accessibility scan results and reports.
- To diagnose and fix errors in the application.
- To monitor uptime and service availability.
Third-party processors
| Processor | Purpose | Region |
|---|---|---|
| Supabase | Database & authentication | EU |
| Vercel | Hosting & edge functions | EU (primary) / Global CDN |
| Sentry | Error tracking | EU |
| Better Stack | Logs & uptime monitoring | EU |
| OpenAI / Anthropic / Google | AI inference (when you use those providers) | US |
International transfers:Where processors are located outside the EU/EEA (in particular US-based AI providers), personal data is transferred on the basis of Standard Contractual Clauses (SCCs) adopted by the European Commission, or where applicable the EU–US Data Privacy Framework. Vercel's global CDN may process edge requests outside the EU; Vercel provides SCCs for such transfers.
Data retention
| Data type | Retention period |
|---|---|
| Account & configuration data | Duration of account + 30 days after account deletion |
| Scan reports | 24 months from creation, or until you delete them |
| Usage logs | 90 days |
| Error data (Sentry) | 30 days |
You may request deletion of your account and all associated data at any time (see section 7).
Your rights (GDPR)
Access
Request a copy of all data we hold about you.
Rectification
Correct inaccurate data.
Erasure
Request deletion of your account and all associated data.
Portability
Export your data in a machine-readable format.
Restriction
Request that we pause processing of your data while a dispute is resolved.
Objection
Object to processing where we rely on legitimate interests.
Complaint
Lodge a complaint with the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl), the Dutch supervisory authority.
To exercise these rights, use the Account section in the app settings, or email privacy@allyup.ai. We will respond within 30 days.
Cookies & analytics
Strictly necessary
A single session cookie is set by Supabase when you log in. It is required for the app to function and cannot be disabled. No advertising cookies are used.
Analytics (only with your consent)
With your permission we load the following analytics tools to understand how visitors use AllyUp and improve the product:
- Google Analytics 4 — sets cookies (
_ga,_ga_*) and sends anonymised usage data to Google Ireland Ltd. Data is retained for 14 months. You can opt out at any time via Google's opt-out tool. - Plausible Analytics — cookieless, does not track individuals across sites, and does not share data with third parties.
We implement Google Consent Mode v2: analytics storage is denied by default and only activated after you accept. You can withdraw or change your consent at any time using the Cookie settings link in the footer.
Other tools loaded regardless of consent: PostHog (product analytics, memory-only, no cookies, EU data residency) and Sentry (error monitoring, cookies stripped from all reports). Neither sets cookies nor shares data with third parties.
Minimum age
AllyUp is intended for users aged 16 and over. By using the Service, you confirm that you meet this requirement. If you become aware that a minor under 16 has provided us with personal data, please contact us so we can delete it.
Security
We protect your data using industry-standard measures: encryption in transit (TLS) and at rest, strict access controls, and encrypted storage of API keys. In the event of a personal data breach we will notify affected users and the Autoriteit Persoonsgegevens as required by law.
Changes to this policy
We will notify you of material changes by email at least 14 daysbefore they take effect. Non-material changes (corrections, clarifications) are reflected in the “Last updated” date above. If you do not accept a material change, you may delete your account before the effective date.
We're here to help
Reach out and we'll respond within 30 days.