Privacy Policy

Controller: The controller responsible for data processing on the websites accesstra.tech and app.accesstra.tech is Accesstra UG (haftungsbeschränkt), Hermann-Renner-Straße 34, 51645 Gummersbach, Germany. You can reach us via email at contact@accesstra.tech. We are pleased about your interest in our services; protecting your privacy is very important to us. Below, we provide detailed information about how we handle your data. A data protection officer has not been appointed, as the legal requirements for such an appointment are not met (Art. 37 GDPR in conjunction with § 38 BDSG).

Hosting and Server Log Files

External Hosting: Our websites are operated by an external hosting service provider. Personal data collected on our websites is processed on the host’s servers. This includes, among other things, access data that your browser automatically transmits to us or our hosting provider when you visit our websites. Each time the website is accessed, the servers automatically store a log (server log file) that includes, for example, the name of the accessed file, your IP address, the date and time of the access, the amount of data transferred, and the requesting provider. This access data is technically necessary to deliver the website to you and to ensure the stability and security of our system. This log file data is not merged with other data sources.

API Usage: Our app at app.accesstra.tech communicates with our API at api.accesstra.tech to provide the platform’s functionalities (e.g., registration, audits, payment processing). This API is also operated on the servers of our hosting provider. As part of the API communication, access data (e.g., IP address, date and time of the request) and other personal data (e.g., user or project data) necessary for the provision of the services may be processed. This processing is based on our legitimate interest (Art. 6(1)(f) GDPR) in the technical provision of our services.

Purpose and Legal Basis: The processing of the aforementioned access data is carried out for the purpose of providing the website in a technically error-free manner and for IT security (e.g., attack detection) based on our legitimate interest (Art. 6(1)(f) GDPR) in the secure and efficient operation of our online offering. We have entered into a data processing agreement with the hosting provider in accordance with Art. 28 GDPR to ensure the protection of your data.

Storage Duration: Server log files are stored only for a limited period and are automatically deleted once the purpose has been fulfilled. Log data stored for security purposes is retained for a maximum of 7 days and then anonymized or deleted, unless a security incident occurs that requires longer retention.

Registration and User Account

You can register on app.accesstra.tech to use our services. As part of the registration, we collect the personal data you provide. Mandatory fields include, in particular, your name, email address, and a self-chosen password (the password is stored encrypted/hashed). This data is necessary to create a user account; without providing it, registration and use of our services are not possible. After entering your data, you will receive a confirmation email to verify your email address (double opt-in). Your account will only be activated after successful confirmation.

Purpose and Legal Basis: We process registration data to provide you with a password-protected user account and to enable access to the app (Art. 6(1)(b) GDPR, contract fulfillment). The email confirmation serves to verify and secure your account, which is in our legitimate interest to prevent misuse (Art. 6(1)(f) GDPR). Note: We do not offer registration via third-party providers (social login via GitHub, Google, etc.) – registration is only possible directly through our website.

Profile Data: In your user account, you may optionally provide additional information (e.g., a profile name). These details are optional and, if provided, are processed based on your consent or to display your profile (Art. 6(1)(a) GDPR). You can modify or delete optional profile data at any time within your account.

Storage Duration and Account Deletion: The data in your user account will be stored as long as the account exists. You can terminate/delete your user account at any time – either via the corresponding function in the app (if available) or by sending us a message. In this case, we will delete the personal data stored in your account, provided there are no legal retention obligations. Please note that we may need to retain transaction data from purchases (see Payment Processing) for a longer period due to commercial and tax law requirements. Login request data and technical usage data (logs) may also be retained for a short period after deletion for security reasons before being permanently removed.

Cookies and Similar Technologies

Our websites use cookies and similar storage technologies (e.g., Local Storage) to provide you with basic functionalities. Cookies are small text files that your browser stores on your device. We use exclusively technically necessary cookies, for example, to maintain your login session in the app and to save settings (e.g., language preferences). These cookies are necessary to enable the functions you explicitly request (user login). For such necessary cookies, no consent is required (§ 25(2)(2) TTDSG). We do not use cookies for advertising, tracking, or analytics purposes.

Note on Third Parties: Some integrated third-party services may use their own cookies or similar technologies (see the sections on Stripe, GitHub/GitLab, etc.). For example, the payment provider Stripe may set cookies for fraud detection during the payment process. Such cookies – if they are technically necessary to provide the respective third-party service – are also used without consent. They will be marked as “essential” in our cookie banner settings if a cookie banner is used on our pages.

Cookie Settings: You can delete or block cookies at any time through your browser settings. However, please note that disabling technically necessary cookies may cause some features of our websites (particularly the login process on app.accesstra.tech) to no longer function properly.

Payment Processing (Stripe)

Description: If you use paid services (subscriptions or token purchases) on our platform, payment processing is handled by the external payment provider Stripe. We have integrated Stripe into our app, allowing you to make payments, for example, via credit card. The provider is Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland (EU branch of Stripe, Inc., USA). Stripe processes your payment data to execute the transaction. This includes, in particular, information such as the cardholder’s name, email address, customer number, order number, payment amount, and data specific to the payment method (e.g., credit card number, expiration date, card verification number). Technical information such as your IP address and any additional data required for payment processing may also be transmitted to Stripe. We also store certain data as part of payment processing: for example, the payment method you selected, the date and time of the transaction, the status (successful/failed), and, for subscription customers, information about the purchased package.

Purpose and Legal Basis: The integration of Stripe is carried out to fulfill the contract with you (Art. 6(1)(b) GDPR), as this payment method is necessary to process your order. Additionally, we have a legitimate interest in offering you an efficient and secure payment method (Art. 6(1)(f) GDPR). Stripe will also use the transmitted data to comply with legal obligations (e.g., under financial and anti-money laundering laws); in this context, Stripe acts as an independent controller with a legitimate interest in meeting regulatory requirements. To the extent that Stripe processes data solely on our behalf for payment processing (e.g., the technical execution of the transaction via credit card networks), we have entered into a contract with Stripe pursuant to Art. 28 GDPR. In this regard, Stripe acts as a data processor following our instructions.

International Data Transfer: Stripe may transfer or process data in the USA (e.g., to Stripe, Inc.). According to its own statements, Stripe has implemented compliance measures for international data transfers based on EU Standard Contractual Clauses (SCCs). This ensures a level of data protection equivalent to European standards. Additionally, Stripe is certified under the EU-US Data Privacy Framework (as of 2023) and thereby guarantees compliance with data protection principles for transfers to the USA.

Additional Information: For details on data processing by Stripe, please refer to Stripe’s Privacy Policy (available at https://stripe.com/en/privacy). There, you will also find information about your rights vis-à-vis Stripe. You can generally object to the processing of your data by Stripe; however, this is not possible for data necessary for payment processing if you wish to use our payment function. We may offer alternative payment methods (if available) if you do not wish to use Stripe.

Storage Duration: We store payment and transaction data for as long as necessary for processing and subsequent management (invoicing, customer service, potential refunds). After the transaction is completed, the data is initially retained for the duration of any chargeback periods. Furthermore, certain payment information is subject to legal retention obligations – for example, we are required to retain invoices and accounting records for 10 years (§ 147 AO, § 257 HGB). During this time, the data is stored solely for archiving and auditing purposes and is deleted thereafter.

Usage and Validity of Audits

Description: When you purchase a subscription on our platform, you receive a specific number of audits depending on the selected plan. These audits are valid for a limited period: one month for monthly subscriptions or one year for annual subscriptions, regardless of whether they have been used. Unused audits will expire at the end of the respective validity period and cannot be carried over to the next billing cycle.

Purpose and Legal Basis: The limitation of audit validity is part of the contractual agreement for the subscription service (Art. 6(1)(b) GDPR). We have a legitimate interest (Art. 6(1)(f) GDPR) in ensuring fair usage and resource allocation across our user base.

Storage and Deletion: Data related to your audit usage (e.g., number of audits performed) is stored for the duration of your subscription and deleted after the validity period or upon termination of your account, unless required for billing or legal retention purposes.

Repository Integration (GitHub and GitLab)

Our platform optionally allows you to connect your code repositories from GitHub and/or GitLab to your Accesstra user account. This integration enables us to retrieve repository content from your external Git accounts and push changes back to your repository (pull/push), for example, to perform accessibility checks and error analysis directly on your code.

Data and Process: If you choose to link a repository service, we will redirect you to GitHub or GitLab, where you can log in and grant our application the necessary access rights (OAuth authentication). In this process, we receive a token or authorization from the respective provider to access your selected repositories. Additionally, personal data from your Git account may be transmitted to us as part of the integration – such as your GitHub/GitLab username, repository names, metadata (e.g., descriptions, branch names, commit history), and the content of repository files (code). We securely store the OAuth token and necessary identification data on our servers to maintain the integration. Naturally, we use this data exclusively for the repository integration you requested and not for any other purposes.

Purpose and Legal Basis: Linking a repository is voluntary and takes place only upon your explicit request. The associated data processing (retrieval of code from your GitHub/GitLab account) serves the fulfillment of the contract for the service you wish to use (analysis of your code for accessibility, error correction, etc.) and is based on Art. 6(1)(b) GDPR. Alternatively, it can be considered covered by your consent (Art. 6(1)(a) GDPR), which you provide by activating the integration. In both cases, we use the data only to the extent necessary to provide the function, and you can revoke the connection at any time (see below).

Data Sharing and Recipients: Through the repository integration, our application exchanges data with the servers of GitHub, Inc. (GitHub) or GitLab, Inc. (GitLab). This means that during a repository sync, personal data (in particular, the content of your code, which may contain references to individuals, as well as technical usage data) is transferred to these third-party providers. Both providers are headquartered in the USA. GitHub is certified under the EU-US Data Privacy Framework (DPF) and has committed to complying with data protection principles for EU data. GitLab ensures data protection for EU citizens, according to its own statements, through the use of Standard Contractual Clauses and additional security measures for data transfers. We have entered into appropriate contracts/data processing agreements with both providers as necessary.

Please note that the use of Git integration is optional. If you do not activate it, no data will be transferred to GitHub or GitLab. If you have activated the integration, you can deactivate it at any time in your account settings. In this case, we will delete the stored access permissions/tokens from our system, and no further data exchange with the repositories will take place. Data already synchronized from the repositories (e.g., analyzed code snippets or test results) will be deleted from our system unless it is still required for other functions.

For more information on data protection at the Git services, please refer to the providers’ privacy policies: GitHub (https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement) and GitLab (https://about.gitlab.com/privacy). These include details on the purpose and scope of their respective data processing and your rights with them.

Automated Error Correction (OpenAI API)

A special feature of our service is AI-supported error correction: When you click on “Fix Error” within the app, for example, during an accessibility test, the relevant code snippet (in particular, the code line with the error message or necessary context) is sent to an artificial intelligence API from OpenAI. OpenAI (the provider of the AI models GPT-3.5/4) analyzes this snippet and provides us with a suggestion for correction of the error, which we display directly in the app. This allows us to offer intelligent assistance for code optimization without you having to leave the system.

Scope of Transmitted Data: We take care to send only the minimum necessary data to OpenAI. Typically, this involves isolated code snippets or error message texts, not entire files or extensive personal information. However, please avoid intentionally entering personal data at this point (e.g., real names, email addresses, etc., in code comments) to ensure data protection. The content sent to OpenAI may theoretically contain personal references (e.g., if your code includes such data), which is why we treat this transmission as personal data processing.

OpenAI as a Data Processor: When using the OpenAI API in our product, we are the data protection controller, and OpenAI acts on our behalf as a service provider (so-called data processor under Art. 28 GDPR). We have entered into a Data Processing Addendum (DPA) with OpenAI (or its European branch, OpenAI Ireland Ltd.), which ensures that OpenAI processes the transmitted data only according to our instructions and implements appropriate safeguards. In particular, the API agreement we use stipulates that OpenAI will not use the data sent by us for its own purposes – especially not for training its AI models. OpenAI uses the data exclusively for the analysis and response to our request.

Third-Country Transfer: OpenAI may perform the analysis on servers in the USA. To ensure an adequate level of data protection, we have agreed with OpenAI on the Standard Contractual Clauses approved by the EU Commission. Additionally, services for EU customers are provided through OpenAI Ireland Ltd. (which is contractually subject to EU law). OpenAI has announced its commitment to comply with the requirements of the EU-US Data Privacy Framework and offers comprehensive technical and organizational security measures to protect the processed data.

Legal Basis: The processing of code data by OpenAI is carried out to fulfill the service you requested (automated error correction as part of our contractual offering), making Art. 6(1)(b) GDPR the legal basis. Alternatively, we rely on our legitimate interest (Art. 6(1)(f) GDPR) in providing an innovative and efficient debugging tool for our users. We consider this interest justified, as the AI function provides significant added value for you as a user, and you activate it voluntarily. Your interests and rights remain protected, as only minimal code information and no extensive personal content is transmitted.

Storage Duration: The code snippets sent to OpenAI are not permanently stored by us but are only temporarily processed to display the AI result. According to OpenAI’s own statements, the data is currently retained for a maximum of 30 days (e.g., for abuse detection purposes) and then deleted. No longer-term use or sharing of the content by OpenAI takes place under our agreement.

Automated Image Analysis with Azure AI Vision

Description: When using the “Automated Audit” feature within Accesstra, all images on a website – including existing or missing alternative texts (alt-texts) – are automatically analyzed. For this purpose, the image data is processed via the Microsoft Azure Computer Vision API (including OCR and visual content analysis).

The underlying artificial intelligence recognizes visual content such as objects, text elements, colors, and scene contexts and generates – based on this analysis – suggestions for accessible, context-relevant alt-texts.

This automated image processing ensures that, as part of the audit, all images are systematically checked for accessibility. Existing alt-texts are evaluated and, if necessary, supplemented or replaced with AI-supported alternatives.

Note: The image data is transmitted exclusively for temporary analysis to the Azure service and is subject to Microsoft’s security and data protection standards. Upon request, this data can be processed anonymously or automatically discarded after analysis.

What Data Is Processed?

Only the images contained in the source code of the audited website are processed – i.e., all graphics embedded via <img> tags, regardless of whether they are already provided with an alt attribute or not. No manual selection is required.

No additional personal data or metadata is transmitted to Azure. The transmission is limited to the image content required for analysis by the Microsoft Azure Computer Vision API.

How Your Data Is Processed: Microsoft acts as a data processor on our behalf (under a data processing agreement). The images are encrypted and transmitted to Microsoft Azure servers (EU or USA) and processed solely to create an alt-text suggestion. After the analysis is complete, the images are not permanently stored by either us or Microsoft. For more information, please refer to the Microsoft Privacy Statement (https://privacy.microsoft.com/en-us/privacystatement).

Legal Basis: The processing of images via Azure AI Vision is carried out at your explicit request and is necessary to fulfill the service you requested (Art. 6(1)(b) GDPR).

Contact Form and Communication

If you contact us (e.g., via the contact form on accesstra.tech or by email), we process the data you provide to handle your request. In the case of the contact form, we typically collect your name, email address, and your message; additional information may be provided voluntarily. Mandatory fields are marked as such in the form – without this information, we cannot process your request. The contact form is processed via the service NoteForms, which feeds your submitted form data directly into our internal Notion database.

NoteForms/Notion: NoteForms is a form service integrated with Notion (an online workspace platform). When you submit the contact form, your information is transmitted to Notion Labs, Inc. and stored in a database managed by us. Notion Labs, Inc. (548 Market St #74567, San Francisco, CA 94104, USA) is the provider of the Notion service. We have contractually engaged Notion as our data processor and have agreed on the new EU Standard Contractual Clauses to ensure the protection of your data. Notion Labs, Inc. is also certified under the EU-US Data Privacy Framework, which guarantees an adequate level of data protection under Art. 45 GDPR. The transfer of your contact data to the USA is thus legally safeguarded. Notion does not use your data for its own purposes but stores it solely on our behalf. Your message is not shared with third parties.

Purpose and Legal Basis: The processing of your contact data is exclusively for the purpose of responding to your inquiry and communicating with you. The legal basis for this is our legitimate interest in appropriately responding to inquiries (Art. 6(1)(f) GDPR). If your inquiry aims at concluding a contract or if you are already a customer, we alternatively base the processing on Art. 6(1)(b) GDPR (contract-related communication). Your data will only be used in this context; use for purposes such as advertising will not occur without your explicit consent.

Storage Duration: We store the data collected during communication for as long as necessary to process your request. Once your matter is fully resolved, your data will be deleted unless there is a legal retention obligation. Business correspondence (e.g., emails related to a contract) may need to be retained for up to 6 years (§ 257 HGB). Pure inquiries without further relevance are typically deleted after a few weeks, at the latest after 12 months.

Your Rights as a Data Subject

As a data subject affected by data processing, you have the following rights under the GDPR:

  • Right to Information (Art. 15 GDPR): You have the right to obtain confirmation from us as to whether we are processing personal data concerning you. If so, you can request information about this data and additional details (processing purposes, data categories, recipients, storage duration, etc.).
  • Right to Rectification (Art. 16 GDPR): You have the right to request the immediate correction of inaccurate or incomplete personal data concerning you.
  • Right to Erasure (Art. 17 GDPR): You can request that we delete your personal data if the legal requirements are met. This applies, in particular, if the data is no longer necessary for the purposes for which it was collected, if you withdraw your consent and there is no other legal basis, or if you object to the processing and there are no overriding legitimate grounds for the processing.
  • Right to Restriction of Processing (Art. 18 GDPR): Under certain circumstances, you can request the restriction of the processing of your data (e.g., if you dispute the accuracy of the data, for the duration of the verification).
  • Right to Data Portability (Art. 20 GDPR): You have the right to receive the personal data concerning you, which you provided to us, in a commonly used, structured, and machine-readable format. You can also request that we transfer this data to another controller, where technically feasible.
  • Right to Object (Art. 21 GDPR): 1) If we process your data based on legitimate interests, you have the right to object to this processing at any time for reasons arising from your particular situation. We will then cease processing the data unless we can demonstrate compelling legitimate grounds that override your interests. 2) If we process your personal data for direct marketing purposes (which we would inform you about separately in each case), you have the right to object at any time to the processing for such marketing purposes; if you object, we will no longer use your data for direct marketing. 3) You can also withdraw any previously given consent to data processing at any time with effect for the future; the lawfulness of the processing prior to the withdrawal remains unaffected.
  • Automated Decisions in Individual Cases (Art. 22 GDPR): You have the right not to be subject to a decision based solely on automated processing – including profiling – that produces legal effects concerning you or significantly affects you. We do not make fully automated decisions of this kind about you.
  • Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR): If you believe that the processing of your personal data violates the GDPR, you can – without prejudice to any other legal remedies – lodge a complaint with a data protection supervisory authority at any time. The authority responsible for us is, in particular, the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW), Kavalleriestraße 2–4, 40213 Düsseldorf, Germany, Tel.: +49 211 38424 0, Email: poststelle@ldi.nrw.de. However, you may also lodge your complaint with any other supervisory authority, particularly in the Member State of your residence or workplace.

Exercising Your Rights: To exercise your rights, you can contact us informally at any time, e.g., via email at contact@accesstra.tech. Please indicate which right you wish to exercise and provide additional information if necessary so that we can process your request. We will review your request promptly and implement it in accordance with legal requirements. You will receive a response from us within one month of receiving your request at the latest (Art. 12(3) GDPR).

Additional Information

Necessity of Data Provision: The provision of your personal data is, except for purely informational website use, voluntary. However, the use of certain features of our services is not possible without providing certain data. For example, for registration, you must provide your name, email address, and password – without this information, we cannot create a user account for you. Similarly, we require your payment data for an order, without which a contract cannot be concluded. In such cases, providing the data is contractually required. In other cases (e.g., contact inquiries), you are free to decide which information to share with us. If we mark fields as mandatory, it is because the information is absolutely necessary to process your request or the requested service.

Security: We implement technical and organizational security measures to protect your personal data from accidental or intentional manipulation, loss, destruction, or access by unauthorized persons. Our security measures comply with the state of the art and are continuously updated in line with the risk.

Changes to This Privacy Policy: We reserve the right to update this privacy policy as needed to adapt it to changed legal frameworks or new features of our service. The current version will always be available at this location. If the changes are significant or require your involvement (e.g., consent), we will inform you about the changes.

Last updated: May 29, 2025, 06:02 PM CEST – This privacy policy takes into account the applicable requirements of the GDPR (including the current legal status as of 2025) and national laws.