Privacy Policy
Last updated: 2 July 2026
1. Who is responsible for your data
The data controller is Nathan Collins, trading as AllyRadar. Contact for anything privacy-related: me@nathancollins.dev.
2. What we collect and why
Account data — your email address, used to sign you in (magic links), to send the service emails described below, and to associate your sites and scans with your account. Legal basis: performance of a contract.
Billing data — payment is handled by Stripe; we never see or store your card details. We store your plan and subscription status. Legal basis: performance of a contract and legal obligation (accounting records).
Scan data — the URLs you add, the pages scanned, and the results, which include fragments of HTML from the scanned pages where issues were found. If the pages you scan contain personal data, those fragments may include it — you are the controller for the content of the sites you choose to scan, and we process it only to show you your reports. Legal basis: performance of a contract.
Scan authentication secrets — if you configure headers or cookies for scanning pages behind a login, they are encrypted (AES-256-GCM) before storage, are never displayed back to anyone, and are decrypted only at scan time. Legal basis: performance of a contract.
We do not use advertising trackers or sell personal data. The only cookies we set are those strictly necessary for signing in.
3. Emails we send
We send sign-in magic links and, on paid plans, accessibility regression alerts for your own sites. We also send service and billing notices as needed. We do not send marketing email without separate consent.
4. Who processes data on our behalf
Supabase (database, authentication — hosted in the EU, Ireland), Stripe (payments), Resend (transactional email), and Fly.io (application hosting). Each processes data under its own data-processing agreement. Where data is transferred outside the UK/EEA, transfers rely on adequacy decisions or standard contractual clauses.
5. Retention
Account and scan data are kept while your account is active. If you delete your account, we delete your data within 30 days, except minimal billing records we must keep for tax purposes (6 years). You can delete individual sites at any time, which deletes their scans and any stored scan credentials.
6. Your rights
Under UK and EU data protection law you can ask for access to, correction of, deletion of, or a portable copy of your personal data, and you can object to or restrict certain processing. Email me@nathancollins.dev and we will respond within one month. You also have the right to complain to the ICO (ico.org.uk) or your local EU supervisory authority.
7. Changes
We will notify you by email of material changes to this policy before they take effect.