Privacy PolicyPrivacy Policy
AllyUp is built on trust. This policy explains what personal data we collect, why we collect it, and how you can control it, in plain language.
Who we are
AllyUp is a service operated by Allxs B.V., a private limited company registered in the Netherlands (KVK: NL866167110B01).
For GDPR purposes, Allxs B.V. is the data controller.
Contact: privacy@allyup.ai
What data we collect
Account data
Email address and hashed password, stored in Supabase (EU region).
Configuration data
Your AI provider choice, API key (stored encrypted), AI Organisation Profile, and knowledge base content.
Scan reports
URLs you scan and the resulting accessibility report data (violations, scores).
Scanned PDFs (optional)
PDFs you upload for accessibility scanning. Off by default. Stored in private Supabase Storage (EU region) only when you turn on “Save PDFs for re-scan and download” in Scanner Configuration. Only you can read them. Deleted automatically when you delete the corresponding report.
Usage logs
Structured logs of scan events and errors for operational purposes, stored in Better Stack (EU region).
Error data
Unhandled exceptions and stack traces, sent to Sentry (EU region). No passwords or API keys included.
Legal basis for processing
GDPR requires us to have a lawful basis for each type of processing. The table below sets out our basis.
| Data type | Legal basis | Detail |
|---|---|---|
| Account & configuration data | Contract performance | Necessary to create your account and deliver the Service (GDPR Art. 6(1)(b)). |
| Scan reports | Contract performance | Necessary to deliver and display your accessibility scan results (GDPR Art. 6(1)(b)). |
| Usage logs | Legitimate interests | Ensuring operational reliability and diagnosing performance issues (GDPR Art. 6(1)(f)). |
| Error data | Legitimate interests | Identifying and fixing software defects to maintain service quality (GDPR Art. 6(1)(f)). |
How we use your data
- To provide and improve the AllyUp service.
- To send you accessibility scan results and reports.
- To diagnose and fix errors in the application.
- To monitor uptime and service availability.
Third-party processors
| Processor | Purpose | Region |
|---|---|---|
| Supabase | Database & authentication | EU |
| Vercel | Hosting & edge functions | EU (primary) / Global CDN |
| Sentry | Error tracking | EU |
| Better Stack | Logs & uptime monitoring | EU |
| OpenAI / Anthropic / Google | AI inference (when you use those providers) | US |
International transfers: Where processors are located outside the EU/EEA (in particular US-based AI providers), personal data is transferred on the basis of Standard Contractual Clauses (SCCs) adopted by the European Commission, or where applicable the EU–US Data Privacy Framework. Vercel’s global CDN may process edge requests outside the EU; Vercel provides SCCs for such transfers.
Data retention
| Data type | Retention period |
|---|---|
| Account & configuration data | Duration of account + 30 days after account deletion |
| Scan reports | 24 months from creation, or until you delete them |
| Scanned PDFs (optional) | Linked to the corresponding scan report. Deleted when the report is deleted, otherwise the same 24-month retention as the report. |
| Usage logs | 90 days |
| Error data (Sentry) | 30 days |
You may request deletion of your account and all associated data at any time (see section 7).
Your rights (GDPR)
Access
Request a copy of all data we hold about you.
Rectification
Correct inaccurate data.
Erasure
Request deletion of your account and all associated data.
Portability
Export your data in a machine-readable format.
Restriction
Request that we pause processing of your data while a dispute is resolved.
Objection
Object to processing where we rely on legitimate interests.
Complaint
Lodge a complaint with the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl), the Dutch supervisory authority.
To exercise these rights, use the Account section in the app settings, or email privacy@allyup.ai. We will respond within 30 days.
Minimum age
AllyUp is intended for users aged 16 and over. By using the Service, you confirm that you meet this requirement. If you become aware that a minor under 16 has provided us with personal data, please contact us so we can delete it.
Security
We protect your data using industry-standard measures: encryption in transit (TLS) and at rest, strict access controls, and encrypted storage of API keys. In the event of a personal data breach we will notify affected users and the Autoriteit Persoonsgegevens as required by law.
Changes to this policy
We will notify you of material changes by email at least 14 days before they take effect. Non-material changes (corrections, clarifications) are reflected in the “Last updated” date above. If you do not accept a material change, you may delete your account before the effective date.
Questions about this policy?
Email privacy@allyup.ai and we will respond within 30 days.