Privacy Policy
Version 1.0 | Effective: April 18, 2026
1. Introduction and Data Controller
Akaya Ltd (trading as Scanlix), a company registered in England and Wales (Company No. 16713855), with registered address at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, is the data controller for personal data collected through this service (referred to as "we", "us", or "Scanlix").
Akaya Ltd is registered with the UK Information Commissioner's Office (ICO). ICO Registration No.: TODO_ICO_NUMBER.
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website and services at scanlix.app.
Contact: privacy@scanlix.app
2. Data We Collect
We collect the following categories of data:
- Email address and name (account registration)
- Website URLs scanned
- Scan results and accessibility reports
- Payment information (processed by Stripe; we do not store card details)
- Cookies and similar technologies (see our Cookie Policy)
2A. Lawful Basis for Processing
We process your personal data on the following lawful bases under UK GDPR Article 6:
| Data Category | Purpose | Lawful Basis |
|---|---|---|
| Name and email address | Account creation and login | Contract performance |
| Website URLs scanned | Providing the scanning service | Contract performance |
| Scan results and reports | Delivering accessibility data | Contract performance |
| Payment data | Processing billing | Contract performance, legal obligation |
| Analytics (PostHog) | Improving our product | Legitimate interests |
| Cookies (non-essential) | Analytics tracking | Consent |
3. Data Storage & Security
Your data is stored in EU data centres (Hetzner, Nuremberg). All data is encrypted at rest and in transit. We implement industry-standard security measures to protect your information.
4. Third-Party Processors
We use the following third-party processors:
- Stripe — Payment processing
- Resend — Transactional email delivery. Resend operates infrastructure based in the United States (via Amazon Web Services). Personal data (name and email address) is transferred to the US under Standard Contractual Clauses approved by the UK ICO (UK IDTA).
- Cloudflare — CDN and DNS
- Groq / Google Gemini / OpenAI — AI processing for fix generation. Only HTML snippets are sent to AI providers. These providers may retain data for up to 30 days for abuse monitoring purposes unless a zero-data-retention agreement is in place. We take steps to strip personal data from HTML before processing, but HTML from scanned pages may incidentally contain personal information (e.g. author names, email addresses in page content).
5. Your Rights (GDPR)
If you are in the European Economic Area or United Kingdom, you have the following rights under the UK GDPR and EU General Data Protection Regulation:
- Access — Request a copy of your personal data
- Rectification — Correct inaccurate data
- Erasure — Request deletion of your data
- Portability — Receive your data in a machine-readable format
- Restrict processing — Limit how we use your data
- Object — Object to processing based on legitimate interests
To exercise any of these rights, contact us at privacy@scanlix.app. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at any time: ico.org.uk | 0303 123 1113. If you are in the EEA, you may also lodge a complaint with your local EU data protection authority.
5A. US Privacy Rights
If you are a resident of California or another US state with applicable privacy legislation, you may have the following rights:
- Right to know what personal data we collect and how it is used
- Right to request deletion of your personal data
- Right to correct inaccurate personal data
- Right to opt out of the sale or sharing of your personal data
We do not sell or share your personal data with third parties for their own marketing purposes.
To exercise your rights, contact us at privacy@scanlix.app. We will respond within 45 days as required by applicable law.
6. Cookie Categories
- Essential — Required for session, authentication, and CSRF protection
- Analytics — PostHog (anonymised product analytics)
- Marketing — None currently used
7. Data Retention
- Account data (name, email): retained for the duration of your account, and deleted within 30 days of account closure
- Scan results and reports: deleted after 90 days of account inactivity, or within 30 days of account deletion request
- Payment records: retained for 7 years in accordance with UK financial record-keeping obligations
- Analytics data: retained for a maximum of 24 months
We do not retain personal data for longer than is necessary for the purposes for which it was collected.
8. Children
Scanlix is not intended for users under 16 years of age. We do not knowingly collect personal data from children.
9. Contact
For privacy-related enquiries: privacy@scanlix.app
Website: scanlix.app