Privacy Policy
Controller: The controller responsible for data processing on the websites accesstra.tech and app.accesstra.tech is Accesstra UG (limited liability), Hermann-Renner-Straße 34, 51645 Gummersbach. You can reach us via email at contact@accesstra.tech. We are delighted about your interest in our services; the protection of your privacy is very important to us. Below, we provide detailed information about how we handle your data. A data protection officer has not been appointed, as the legal requirements for such an appointment are not met (Art. 37 GDPR in conjunction with § 38 BDSG).
Hosting and Server Log Files
External Hosting: Our websites are operated by an external hosting provider. Personal data collected on our websites is processed on the host’s servers. This includes, among other things, access data that your browser automatically transmits to us or our hosting provider when you visit our websites. With each visit to the website, the servers automatically store a log (server log file) containing, for example, the name of the requested file, your IP address, date and time of the request, the amount of data transferred, and the requesting provider. This access data is technically necessary to deliver the website to you and to ensure the stability and security of our system. This log file data is not merged with other data sources.
API Usage: Our app at app.accesstra.tech communicates with our API at api.accesstra.tech to provide the platform’s functionalities (e.g., registration, audits, payment processing). This API is also operated on our hosting provider’s servers. In the context of API communication, access data (e.g., IP address, date, and time of the request) and other personal data (e.g., user or project data) necessary for providing the services may be processed. The processing is based on our legitimate interest (Art. 6(1)(f) GDPR) in the technical provision of our services.
Purpose and Legal Basis: The processing of the aforementioned access data is carried out for the purpose of providing the website without technical errors and for IT security (e.g., attack detection) based on our legitimate interest (Art. 6(1)(f) GDPR) in the secure and efficient operation of our online offering. We have concluded a data processing agreement with the hosting provider in accordance with Art. 28 GDPR, which ensures the protection of your data.
Storage Duration: Server log files are stored only for a limited period and are automatically deleted once the purpose is fulfilled. Log data stored for security purposes is retained for a maximum of 7 days in anonymized or deleted form, unless a security incident requires longer retention.
Registration and User Account
You can register on app.accesstra.tech to use our services. As part of the registration, we collect the personal data you provide. Mandatory fields include, in particular, name, email address, and a password of your choice (the password is stored encrypted/hashed). This data is necessary to set up a user account; without providing it, registration and use of our services are not possible. After entering your data, you will receive a confirmation email to verify your email address (double opt-in). The account is activated only after successful confirmation.
Purpose and Legal Basis: We process registration data to provide you with a password-protected user account and to enable access to the app (Art. 6(1)(b) GDPR, contract performance). The email confirmation serves to verify and secure your account; this is in our legitimate interest in preventing misuse (Art. 6(1)(f) GDPR). Note: We do not offer login via third-party providers (social login via GitHub, Google, etc.) – registration is only possible directly through our website.
Profile Data: In the user account, you may optionally provide additional information (e.g., profile name). These details are optional and, if provided, are processed based on your consent or for displaying your profile (Art. 6(1)(a) GDPR). You can modify or delete optional profile data at any time within your account.
Storage Duration and Account Deletion: The data in your user account is stored as long as the account exists. You can cancel/delete your user account at any time – either via the corresponding function in the app (if available) or by sending us a message. In this case, we will delete the personal data stored in your account unless legal retention obligations apply. Please note that, for example, transaction data from purchases (see payment processing) may need to be retained longer due to commercial and tax law requirements. Login request data and technical usage data (logs) may be retained for a short period after deletion for security reasons before being permanently removed.
Cookies and Similar Technologies
Our websites use cookies and similar storage technologies (e.g., local storage) to provide you with basic functionalities. Cookies are small text files stored by your browser on your device. We use exclusively technically necessary cookies, such as those needed to maintain your login session in the app and to store settings (e.g., language). These cookies are necessary to enable the function you explicitly requested (user login). No consent is required for such necessary cookies (§ 25(2)(2) TTDSG). We do not use cookies for advertising, tracking, or analytics purposes.
Note on Third Parties: Some integrated third-party services may use their own cookies or similar technologies (see sections on Stripe, GitHub/GitLab, etc.). For example, the payment provider Stripe may set cookies for fraud detection during the payment process. Such cookies – if technically necessary to perform the respective third-party service – are also used without consent. They are marked as “essential” in our cookie banner settings, if a cookie banner is used on our pages.
Cookie Settings: You can delete or block cookies at any time via your browser settings. However, please note that disabling technically necessary cookies may cause some functions of our websites (particularly the login process on app.accesstra.tech) to no longer function properly.
Payment Processing (Stripe)
Description: If you use paid services on our platform (subscriptions or audit purchases), payment processing is handled by the external payment service provider Stripe. We have integrated Stripe into our app, enabling you to make payments, for example, via credit card. The provider is Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland (EU branch of Stripe, Inc., USA). Stripe processes your payment data to execute the transaction. This includes, in particular, information such as cardholder name, email address, customer number, order number, payment amount, and data dependent on the payment method (e.g., credit card number, expiration date, card verification number). Technical information such as your IP address and other data necessary for payment processing may also be transmitted to Stripe. We ourselves store certain data as part of payment processing: for example, the payment method you selected, the date and time of the transaction, the status (successful/failed), and, for subscription customers, information about the purchased package.
Purpose and Legal Basis: The integration of Stripe is carried out to fulfill the contract with you (Art. 6(1)(b) GDPR), as this payment method is necessary to process your order. Additionally, we have a legitimate interest in offering you an efficient and secure payment method (Art. 6(1)(f) GDPR). Stripe will also use the transmitted data to comply with legal obligations (e.g., under financial and anti-money laundering laws); in this context, Stripe acts as an independent controller with a legitimate interest in complying with regulatory requirements. To the extent that Stripe processes data solely for payment processing on our behalf (e.g., the technical execution of the transaction via credit card networks), we have concluded a contract with Stripe in accordance with Art. 28 GDPR. In this regard, Stripe acts as a processor following our instructions.
International Data Transfer: Stripe may transfer or process data in the USA (e.g., to Stripe, Inc.). According to their statements, Stripe has implemented compliance measures for international data transfers based on the EU Standard Contractual Clauses (SCCs). This ensures a level of data protection consistent with European standards. Additionally, Stripe is certified under the EU-US Data Privacy Framework (as of 2023) and guarantees compliance with data protection principles for transfers to the USA.
Further Information: For details on data processing by Stripe, please refer to Stripe’s Privacy Policy (available at https://stripe.com/de/privacy). There, you will also find information about your rights vis-à-vis Stripe. You can generally object to the processing of your data by Stripe; however, this is not possible for data necessary for payment processing if you wish to use our payment function. We may offer alternative payment methods (if available) if you do not wish to use Stripe.
Storage Duration: We store payment and transaction data as long as necessary for processing and subsequent administration (invoicing, customer service, potential refunds). After the transaction is completed, the data is initially retained for the duration of any chargeback periods. Additionally, certain payment information is subject to legal retention obligations – for example, we are required to retain invoices and accounting records for 10 years (§ 147 AO, § 257 HGB). During this time, the data is stored solely for archiving and audit purposes and is deleted thereafter.
Use and Validity of Audits
Description: When you purchase a subscription on our platform, you receive a certain number of audits depending on the chosen plan. These audits are valid for a limited period: one month for monthly subscriptions or one year for annual subscriptions, regardless of whether they are used. Unused audits expire at the end of the respective validity period and cannot be transferred to the next billing period.
Purpose and Legal Basis: The limitation of audit validity is part of the contractual agreement for the subscription service (Art. 6(1)(b) GDPR). We have a legitimate interest (Art. 6(1)(f) GDPR) in ensuring fair usage and resource distribution across our user base.
Storage and Deletion: Data related to your audit usage (e.g., the number of audits conducted) is stored for the duration of your subscription and deleted after the validity period expires or upon termination of your account, unless required for billing purposes or legal retention obligations.
Repository Integration (GitHub and GitLab)
Our platform optionally allows you to connect your code repositories from GitHub and/or GitLab to your Accesstra user account. This integration enables us to retrieve repository contents from your external Git accounts and push changes back to your repository (pull/push), for example, to perform accessibility checks and error analyses directly on your code.
Data and Process: If you choose to link a repository service, we will redirect you to GitHub or GitLab, where you can log in and grant our application the necessary access rights (OAuth authentication). The respective provider then provides us with an access token to access your selected repositories. Additionally, during the linking process, personal data from your Git account may be transmitted to us – such as your GitHub/GitLab username, repository names, metadata (e.g., descriptions, branch names, commit history), and the contents of repository files (code). We securely store the OAuth token and necessary identification data on our servers to maintain the integration. Naturally, we use this data exclusively for the repository integration you requested and not for other purposes.
Purpose and Legal Basis: Linking a repository is done on a voluntary basis and only upon your explicit request. The associated data processing (retrieval of code from your GitHub/GitLab account) serves the performance of the contract for the service you wish to use (analysis of your code for accessibility, error correction, etc.) and is based on Art. 6(1)(b) GDPR. Alternatively, it can be considered covered by your consent (Art. 6(1)(a) GDPR), which you provide by activating the integration. In both cases, we use the data only to the extent necessary to provide the function, and you can revoke the connection at any time (see below).
Data Sharing and Recipients: Through repository integration, our application exchanges data with the servers of GitHub, Inc. (GitHub) or GitLab, Inc. (GitLab). This means that during a repository sync, personal data (particularly the contents of your code, which may contain references to individuals, and technical usage data) may be transmitted to these third-party providers. Both providers are headquartered in the USA. GitHub is certified under the EU-US Data Privacy Framework (DPF) and is committed to complying with data protection principles for EU data. GitLab ensures data protection for EU citizens, according to their statements, through the use of Standard Contractual Clauses and additional security measures for data transfers. We have concluded appropriate contracts/data processing agreements with both providers as necessary.
Please note that the use of Git integration is optional. If you do not activate it, no data will be transmitted to GitHub or GitLab. If you have activated the integration, you can deactivate it at any time in your account settings. In this case, we delete the stored access permissions/tokens from our system, and no further data exchange with the repositories takes place. Data already synchronized from the repositories (e.g., analyzed code fragments or test results) will be deleted from our system unless required for other functions.
Further information on data protection at Git services can be found in the providers’ privacy policies: GitHub (https://docs.github.com/de/site-policy/privacy-policies/github-privacy-statement) and GitLab (https://about.gitlab.com/privacy). These include details on the purpose and scope of data processing and your rights in this regard.
Automated Error Correction (OpenAI API)
A special feature of our service is AI-supported error correction: When you click, for example, on “Fix Error” within an accessibility test in the app, the relevant code snippet (particularly the code line with the error message or necessary context) is sent to an artificial intelligence API from OpenAI. OpenAI (provider of the AI models GPT-3.5/4) analyzes this snippet and provides us with a suggested fix for the error, which we display directly in the app. This allows us to offer intelligent assistance for code optimization without you having to leave the system.
Scope of Transmitted Data: We ensure that only the minimum necessary data is sent to OpenAI. Typically, this involves isolated code fragments or error message texts, not complete files or extensive personal information. Nevertheless, please avoid intentionally entering personal data at this point (e.g., real names, email addresses, etc., in code comments) to ensure data protection. The content sent to OpenAI may theoretically contain personal data (e.g., if your code includes such data), which is why we treat this transmission as personal data processing.
OpenAI as Processor: When using the OpenAI API in our product, we are the data protection controller, and OpenAI acts on our behalf as a service provider (processor under Art. 28 GDPR). We have concluded a Data Processing Addendum (DPA) with OpenAI (or rather its European branch, OpenAI Ireland Ltd.), which ensures that OpenAI processes the transmitted data only in accordance with our instructions and maintains appropriate safeguards. In particular, the API agreement we use stipulates that OpenAI does not use the data we send for its own purposes – especially not for training its AI models. OpenAI uses the data exclusively for analysis and response to our request.
Third-Country Transfer: OpenAI may perform the analysis on servers in the USA. To ensure an adequate level of data protection, we have agreed with OpenAI on the Standard Contractual Clauses approved by the EU Commission. Additionally, services for EU customers are provided via OpenAI Ireland Ltd. (which is contractually subject to EU law). OpenAI has announced its compliance with the requirements of the EU-US Data Privacy Framework and provides comprehensive technical and organizational security measures to protect the processed data.
Legal Basis: The processing of code data by OpenAI is carried out to fulfill the service you requested (automated error correction as part of our contractual offering), so Art. 6(1)(b) GDPR serves as the legal basis. Alternatively, we rely on our legitimate interest (Art. 6(1)(f) GDPR) in providing an innovative and efficient debugging tool for our users. We consider this interest justified, as the AI function provides significant added value for you as a user and is voluntarily initiated by you. Your interests and rights are safeguarded, as only minimal code information and no extensive personal content is transmitted.
Storage Duration: The code fragments sent to OpenAI are not permanently stored by us but are only temporarily processed to display the AI result. According to OpenAI’s own statements, the data is currently retained for a maximum of 30 days (e.g., for misuse detection purposes) and then deleted. No longer-term use or sharing of the content by OpenAI takes place under our agreement.
Automated Alt-Text Generation (Azure Vision AI/OCR)
Automated Image Analysis with Azure AI Vision
Description: When using the “Automated Audit” function within Accesstra, all images on a webpage – including existing or missing alternative texts (alt texts) – are automatically analyzed. For this purpose, the image data is processed via the Microsoft Azure Computer Vision API (including OCR and visual content analysis).
The underlying artificial intelligence identifies visual content such as objects, text components, colors, and scene contexts and generates – based on this analysis – suggestions for accessible, context-related alt texts.
This automated image processing ensures that all images are systematically checked for accessibility during the audit. Existing alt texts are evaluated and, if necessary, supplemented or replaced by AI-supported alternatives.
Note: The image data is transmitted to the Azure service solely for temporary analysis and is subject to Microsoft’s security and data protection standards. Upon request, this data can be processed anonymously or automatically discarded after analysis.
Which Data is Processed?
Only the images contained in the source code of the audited webpage are processed – i.e., all graphics embedded via <img> tags, regardless of whether they already have an alt attribute. No manual selection is required.
No additional personal data or metadata is transmitted to Azure. The transfer is limited to the image content necessary for analysis by the Microsoft Azure Computer Vision API.
How Your Data is Processed: Microsoft acts as a processor for us (under a data processing agreement). The images are encrypted and transmitted to Microsoft Azure servers (EU or USA) and processed solely to generate an alt text suggestion. After the analysis is complete, the images are not permanently stored by either us or Microsoft. Further information can be found in Microsoft’s Privacy Statement (https://privacy.microsoft.com/de-de/privacystatement).
Legal Basis: The processing of images via Azure Vision AI is carried out based on your explicit request and is necessary to fulfill the service you requested (Art. 6(1)(b) GDPR).
Contact Form and Communication
If you contact us (e.g., via the contact form on accesstra.tech or by email), we process the data you provide to handle your inquiry. In the case of the contact form, we typically collect your name, your email address, and your message; additional information may be provided voluntarily. Mandatory fields are marked as such in the form – without this information, we cannot process your inquiry. The contact form is processed via the NoteForms service, which feeds your entered form data directly into our internal Notion database.
NoteForms/Notion: NoteForms is a form service integrated with Notion (an online workspace platform). When you submit the contact form, your data is transmitted to Notion Labs, Inc. and stored in a database managed by us. Notion Labs, Inc. (548 Market St #74567, San Francisco, CA 94104, USA) is the provider of the Notion service. We have contractually engaged Notion as our processor and agreed to the new EU Standard Contractual Clauses to ensure the protection of your data. Notion Labs, Inc. is also certified under the EU-US Data Privacy Framework, ensuring an adequate level of data protection under Art. 45 GDPR. The transfer of your contact data to the USA is thus legally secured. Notion does not use your data for its own purposes but stores it solely on our behalf. Your message is not shared with third parties.
Purpose and Legal Basis: The processing of your contact data is exclusively for the purpose of responding to your inquiry and communicating with you. The legal basis for this is our legitimate interest in appropriately responding to inquiries (Art. 6(1)(f) GDPR). If your inquiry aims at concluding a contract or you are already a customer, we alternatively rely on Art. 6(1)(b) GDPR (contract-related communication). Your data is used only in this context; it is not used for purposes such as advertising without your explicit consent.
Storage Duration: We store the data collected during communication as long as necessary to process your inquiry. Once your inquiry is fully resolved, your data is deleted unless legal retention obligations apply. Business correspondence (e.g., emails leading to a contract) may need to be retained for up to 6 years (§ 257 HGB). Simple inquiries without further context are typically deleted after a few weeks, at the latest after 12 months.
Your Rights as a Data Subject
As a data subject affected by data processing, you have the following rights under the GDPR:
- Right to Access (Art. 15 GDPR): You have the right to request confirmation from us as to whether we process your personal data. If so, you can request access to this data and further information (processing purposes, data categories, recipients, storage duration, etc.).
- Right to Rectification (Art. 16 GDPR): You have the right to request the immediate correction of inaccurate or completion of incomplete personal data concerning you.
- Right to Erasure (Art. 17 GDPR): You can request that we delete your personal data if the legal conditions are met. This applies, in particular, if the data is no longer needed for the purposes for which it was collected, you withdraw your consent and there is no other legal basis, or you object to the data processing and there are no overriding legitimate grounds for processing.
- Right to Restriction of Processing (Art. 18 GDPR): Under certain circumstances, you can request the restriction of processing your data (e.g., if you dispute the accuracy of the data, for the duration of the verification).
- Right to Data Portability (Art. 20 GDPR): You have the right to receive the personal data concerning you that you provided to us in a commonly used, structured, and machine-readable format. You can also request that we transfer this data to another controller, where technically feasible.
- Right to Object (Art. 21 GDPR): 1) If we process your data based on legitimate interests, you have the right to object to this processing at any time for reasons arising from your particular situation. We will no longer process the data unless we can demonstrate compelling legitimate grounds that outweigh your interests. 2) If we process your personal data for direct marketing purposes (which we would indicate separately in each case), you have the right to object at any time to processing for such marketing; in case of your objection, we will no longer use your data for direct marketing. 3) You can also revoke any consent given for data processing at any time with effect for the future; this does not affect the lawfulness of processing prior to revocation.
- Automated Decision-Making in Individual Cases (Art. 22 GDPR): You have the right not to be subject to a decision based solely on automated processing – including profiling – that produces legal effects concerning you or significantly affects you. We do not make fully automated decisions of this kind about you.
- Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR): If you believe that the processing of your personal data violates the GDPR, you can – without prejudice to other legal remedies – lodge a complaint with a data protection supervisory authority at any time. The competent authority for us is, in particular, the State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW), Kavalleriestraße 2–4, 40213 Düsseldorf, Tel.: +49 211 38424 0, Email: poststelle@ldi.nrw.de. However, you can also lodge your complaint with any other supervisory authority, particularly in the Member State of your residence or workplace.
Exercising Your Rights: To exercise your rights, you can contact us informally at any time, e.g., via email at contact@accesstra.tech. Please specify which right you wish to exercise and provide – if necessary – additional information so we can assign your request. We will review your request promptly and implement it in accordance with legal requirements. You will receive a response from us within one month of receiving your request at the latest (Art. 12(3) GDPR).
Additional Information
Necessity of Data Provision: Providing your personal data is voluntary except for purely informational website use. However, using certain functions of our services is not possible without providing specific data. For example, for registration, you must provide your name, email address, and password – without this information, we cannot create a user account for you. Similarly, we require your payment data for an order, without which a contract cannot be concluded. In such cases, providing the data is contractually required. In other cases (e.g., contact inquiries), you are free to decide which information to share with us. If we designate mandatory fields, it is because the respective information is strictly necessary to process your inquiry or requested service.
Security: We implement technical and organizational security measures to protect your personal data from accidental or intentional manipulation, loss, destruction, or access by unauthorized persons. Our security measures comply with the state of the art and are continuously updated to match the risk level.
Changes to this Privacy Policy: We reserve the right to update this Privacy Policy as needed to adapt it to changed legal frameworks or new features of our service. The current version can always be found here. If the changes are significant or require your cooperation (e.g., consent), we will inform you about the changes.
Status: May 27, 2025 – This Privacy Policy takes into account the applicable requirements of the GDPR (including the current legal status of 2025) and national laws.