Privacy Policy

Effective date:

Pricesenz LLC ("Company", "we", "our", or "us") operates Compass (https://compass.pricesenz.com), an ADA and WCAG accessibility compliance evaluation platform (the "Service"). This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and what rights you have with respect to your information.

By accessing or using the Service you agree to the collection and use of information as described in this policy. If you do not agree, please discontinue use of the Service.

1. Who We Are

Pricesenz LLC is a technology company incorporated in the State of Texas. We build and operate Compass, a compliance-as-a-service platform designed to help public sector organizations — including Texas municipalities, school districts, and government agencies — evaluate and remediate web accessibility barriers in accordance with the Americans with Disabilities Act (ADA), Section 508 of the Rehabilitation Act, and WCAG 2.1/2.2 AA standards.

For the purposes of applicable data protection law, Pricesenz LLC acts as the data controller for personal information submitted directly to us (account registration, contact forms, billing). We act as a data processor on behalf of our organizational customers ("Clients") for information that Clients submit to us when using the Service.

2. Information We Collect

2.1 Information You Provide to Us

  • Account registration: name, work email address, organization name, job title, and password (stored as a bcrypt hash).
  • QuickScan submissions: the URL you submit for scanning and the email address you provide to receive the report. No account is required.
  • Evaluation requests: organization name, contact name, email address, website URL, and any notes you include in the request form.
  • Billing information: payment details processed by Stripe, Inc. We do not store raw card numbers; Stripe provides us only a tokenized payment method ID and last-four digits.
  • Communications: email messages you send us, support requests, and survey responses.

2.2 Information We Collect Automatically

  • Log data: IP address, browser type and version, operating system, referring URL, pages visited, timestamps, and error logs.
  • Usage data: features used, scan frequency, dashboard interactions, and report downloads. Collected via server-side logging and Google Analytics 4.
  • Cookies and similar technologies: session cookies (required for authentication), preference cookies, and analytics cookies. See Section 9 for details.
  • Device identifiers: anonymized browser fingerprint data used solely for security and abuse prevention.

2.3 Scan Data

When the Service scans a URL submitted by you or a Client, it fetches and processes the publicly accessible HTML, CSS, JavaScript, and media of the target webpage using automated browser tooling. This data is used solely to produce accessibility reports. We do not use scan results for any purpose other than delivering the Service to the submitting party.

2.4 AI Processing

Scan findings are processed by large language models (currently Anthropic Claude) to generate plain-English fix guidance and severity classifications. We transmit only structured finding data (WCAG criterion, element selector, page URL) to the AI provider — no personal data of end users is included in AI prompts unless explicitly present in the scanned page's accessibility tree.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service: running accessibility scans, generating reports, delivering results by email, and managing your account.
  • Communication: sending scan result emails, account notifications, security alerts, and responding to support requests.
  • Billing and payments: processing subscription payments and issuing invoices via Stripe.
  • Service improvement: analyzing usage patterns to improve scan accuracy, UI, and feature prioritization.
  • Security and fraud prevention: detecting and preventing unauthorized access, abuse, or fraudulent scan submissions.
  • Legal compliance: meeting obligations under applicable law, responding to lawful requests from public authorities, and enforcing our Terms of Service.
  • Marketing (with consent): sending product updates or newsletters only if you have opted in. You may unsubscribe at any time via the link in any marketing email.

We do not sell your personal information, rent it to third parties, or use it to serve targeted advertising on third-party platforms.

5. Sharing and Disclosure

We share information only as described below:

  • Service providers: trusted sub-processors who help operate the Service, including:
    • Amazon Web Services (S3 object storage, SES transactional email)
    • Stripe, Inc. (payment processing)
    • Anthropic, PBC (AI inference for finding triage)
    • Google LLC (Google Analytics 4, Google OAuth sign-in)
    • Upstash / Redis Labs (job queue)
    Each sub-processor is bound by contractual data protection obligations.
  • Organizational administrators: if you use the Service through an employer or government entity account, that organization's designated administrators can access reports and account information associated with their account.
  • Law enforcement and legal process: we may disclose information if required by a court order, subpoena, or other lawful governmental request, or to protect our legal rights, safety, or the safety of others.
  • Business transfers: if we merge with or are acquired by another entity, your information may be transferred as part of that transaction. We will provide notice before any such transfer and before your information becomes subject to a materially different privacy policy.
  • With your consent: in any other circumstance where you have given explicit consent.

6. Data Retention

We retain personal information for as long as necessary to provide the Service and comply with legal obligations:

  • Account data: retained for the duration of your account and for 90 days after account deletion, then permanently deleted.
  • Scan and report data: retained for the duration of your subscription. After account termination, reports are accessible for 30 days and then deleted from our primary systems. Backup copies are purged within 90 days.
  • QuickScan submissions: email addresses are retained for 12 months from submission to allow result delivery and follow-up, then deleted.
  • Billing records: retained for 7 years to comply with tax and accounting obligations.
  • Log data: retained for 90 days for security purposes.

7. Security

We implement industry-standard technical and organizational measures to protect your information, including:

  • Encryption of data in transit using TLS 1.2 or higher.
  • Encryption of sensitive data at rest in Amazon S3 using AES-256.
  • Hashed passwords (bcrypt, cost factor ≥ 12); we never store plaintext passwords.
  • Access controls and role-based permissions within the platform.
  • Regular security reviews and dependency audits.

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security. In the event of a data breach that affects your personal information, we will notify you as required by applicable law.

8. Your Rights

Depending on your location and applicable law, you may have the following rights:

  • Access: request a copy of the personal information we hold about you.
  • Correction: request correction of inaccurate or incomplete information.
  • Deletion: request deletion of your personal information, subject to our legal retention obligations.
  • Portability: request your data in a structured, machine-readable format.
  • Objection / restriction: object to or request restriction of certain processing activities.
  • Withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Opt out of marketing: unsubscribe from marketing emails via the link in any such email or by contacting us.

To exercise any of these rights, contact us at privacy@pricesenz.com. We will respond within 30 days. We may need to verify your identity before fulfilling a request.

9. Cookies and Tracking Technologies

We use cookies and similar technologies to operate the Service:

Category | Purpose | Required
Strictly necessary | Session management, CSRF protection, authentication state (NextAuth.js session cookie) | Yes
Analytics | Aggregate usage analytics via Google Analytics 4 (anonymized IP) | No
Preferences | UI preferences such as theme and table column settings | No

You may disable non-essential cookies in your browser settings. Disabling strictly necessary cookies will prevent you from logging in to the Service.

10. Children's Privacy

The Service is intended for use by organizations and professionals aged 18 or older. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information promptly. If you believe we may have inadvertently collected such information, contact us at privacy@pricesenz.com.

12. Texas Privacy Law

The Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, grants Texas residents additional rights, including the right to access, correct, delete, and obtain a portable copy of personal data, and to opt out of the processing of personal data for targeted advertising or the sale of personal data. As noted in Section 3, we do not sell personal data or use it for targeted advertising. To exercise TDPSA rights, contact us at privacy@pricesenz.com. We will respond within 45 days, with a possible 45-day extension where reasonably necessary.

If we deny a rights request, you may appeal by sending an email to privacy@pricesenz.com with the subject line "Privacy Rights Appeal." We will respond to appeals within 60 days.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will post the updated policy at https://compass.pricesenz.com/legal/privacy and update the effective date at the top of this page. If you have an account with us, we will additionally notify you by email. Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Pricesenz LLC

Attn: Privacy Officer

Texas, United States

Email: privacy@pricesenz.com