Privacy Policy
Effective May 2, 2026 · UAIU Holdings Corp d/b/a ADAWCAG.org
1. Who we are
ADAWCAG.org is operated by UAIU Holdings Corp, a U.S. corporation (CAGE 1AUK4, UEI WNZJXHNPC2K3). For privacy questions, contact contact@adawcag.org or call 530-808-5208. Our founder is Justin Zaragoza.
2. What we collect
We collect only what we need to deliver accessibility scans, audits, and reports.
- Account information. Email, name, password hash, organization name, and (optionally) phone, when you sign up or request a free pass.
- Site & scan data. URLs you submit for scanning, the resulting HTML snapshots, accessibility findings, screenshots, and PDF reports we generate for you. We do not proxy or store visitor data from your scanned site beyond what is needed to render the report.
- Payment information. Card numbers and bank details are collected and stored by Stripe (our payment processor). We only retain the last four digits, billing email, and Stripe's opaque customer/session identifiers.
- Page-view analytics. When you browse the public site, we record the path you visited, your locale, and a one-way HMAC-SHA256 hash of your IP address (salted with a server secret). The raw IP is never written to disk. This is used solely to count distinct anonymous visitors.
- Quiz funnel data. If you take the “Find your fit” quiz, we record the answers you give, your device type and browser (parsed from the User-Agent), UTM parameters from the inbound URL, and your approximate city/region (looked up from your IP via IPinfo). If you submit the report-by-email form, booking form, or grant form, your email and name are linked to the quiz session.
- Cookies. Two strictly-necessary cookies only — see our Cookie Policy for details. We do not use Google Analytics, Facebook Pixel, Hotjar, or any third-party advertising or session-replay tracker.
3. How we use it
- To run the accessibility scans and audits you request.
- To send the operational and transactional emails you opt into (scan results, billing receipts, dispute alerts, audit deliverables).
- To detect abuse, rate-limit our APIs, and prevent fraud.
- To improve the product through aggregate, de-identified usage trends.
- To comply with our legal, tax, and accounting obligations.
We do not sell your personal information, and we do not share it for cross-context behavioural advertising. We do not use your data to train third-party AI models. (Anthropic and OpenAI are used to generate report summaries and remediation suggestions — those vendors are contractually prohibited from training on customer inputs under their enterprise terms.)
4. Lawful bases for processing (GDPR Article 6)
For visitors in the EU/UK, we rely on the following lawful bases:
| Processing activity | Lawful basis (Art. 6) | Notes |
|---|---|---|
| Account creation, authentication, dashboard access | Art. 6(1)(b) — performance of contract | Required to deliver the SaaS you signed up for. |
| Running scans you submit; generating reports | Art. 6(1)(b) — performance of contract | The core service. |
| Billing, invoicing, payment processing via Stripe | Art. 6(1)(b) + 6(1)(c) — contract & legal obligation | Tax and accounting law also requires retention. |
| Transactional email (receipts, scan-complete alerts) | Art. 6(1)(b) — performance of contract | Cannot be opted out without losing service. |
| Page-view analytics (HMAC-hashed IP) | Art. 6(1)(a) — consent | Off until you opt in via the cookie modal. |
| Calendly booking widget (third-party script) | Art. 6(1)(a) — consent | Script does not load until you opt in. |
| Quiz funnel telemetry | Art. 6(1)(a) — consent (analytics) + 6(1)(f) for the lead-capture step you submit | You actively submit name + email to receive a deliverable. |
| Abuse / fraud prevention, rate-limiting, audit logs | Art. 6(1)(f) — legitimate interest | Balanced against your interests; you may object. |
| Compliance with court orders, subpoenas, tax authorities | Art. 6(1)(c) — legal obligation | Limited to what the law requires. |
5. Sub-processors we share with
The following service providers process limited categories of personal data on our behalf under written data-processing agreements (DPAs). Each is bound by confidentiality, security, and purpose-limitation obligations consistent with GDPR Art. 28 and the EU Standard Contractual Clauses (SCCs) where applicable.
| Vendor | Purpose | Data shared | Processing location |
|---|---|---|---|
| Stripe, Inc. | Payments & subscription billing | Name, email, billing address, card data | United States (EU SCCs in place) |
| Zoho Corporation (Zeptomail) | Transactional email delivery | Email address, message body | United States / India (EU SCCs in place) |
| Calendly LLC | Meeting scheduling (loaded only after Functional consent) | Name, email, selected time, time zone | United States (EU SCCs in place) |
| IPinfo.io (Tahoe Compute LLC) | Approx. geolocation & org enrichment | IP address (one-time lookup, cached by ASN) | United States |
| Anthropic, PBC | AI summaries on accessibility findings | Scan-result snippets only; no PII | United States (zero data-retention API tier; no training) |
| OpenAI, L.L.C. | AI lead triage & copy generation | Lead form text only; no payment data | United States (enterprise terms; no training) |
| Google LLC (Places API) | Address autocomplete on contact forms | Address fragment you type | United States / EU edge (EU SCCs in place) |
| Replit, Inc. | Hosting, database, and object storage | All operational data | United States |
We will notify active customers by email at least 14 days before adding or replacing a sub-processor that handles personal data.
6. Global Privacy Control & opt-out signals
We honor the Global Privacy Control browser signal. When your browser sends GPC (via the JavaScript flag navigator.globalPrivacyControl), we treat your visit as a deny-all opt-out: no analytics fire, the Calendly script is not loaded, and the cookie banner does not appear. The preferences modal still opens from the footer link, but non-essential toggles are locked off and a notice explains why. California (CCPA/CPRA), Colorado (CPA), and Connecticut (CTDPA) all legally require us to honor this signal as a valid opt-out.
We do not engage in “automated decision-making, including profiling” that produces legal or similarly significant effects on you under GDPR Art. 22. Our AI features generate human-reviewable summaries; they do not deny service, set pricing, or make eligibility decisions automatically.
7. How long we keep it
- Account & tenant records: for as long as your account is active, plus 7 years for tax records.
- Scan results & reports: retained while your subscription is active; deleted within 30 days of account closure on request.
- Page-view rows: 24 months, then aggregated.
- Quiz sessions: 24 months, then deleted.
- Audit logs: 7 years (compliance requirement for procurement-grade work).
- Stripe payment records: retained by Stripe per their policy; we keep only metadata.
8. Your rights
Depending on where you live, you may have the right to access, correct, delete, port, or restrict the processing of your personal information, and to object to or opt out of certain uses.
- California (CCPA / CPRA): right to know, delete, correct, and to limit the use of sensitive personal information. We do not sell or share personal information for cross-context behavioural advertising — see our Do Not Sell or Share My Personal Information page.
- EU / UK (GDPR): rights of access, rectification, erasure, restriction, portability, and objection.
- Other U.S. states (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Florida, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Rhode Island): comparable rights.
To exercise any right, email contact@adawcag.org or use the form on our Do Not Sell or Share page. We respond within 45 days (CCPA) or one month (GDPR), and we will not retaliate against you for exercising any privacy right.
9. Security
We hash passwords with bcrypt, encrypt sensitive customer fields with AES-256-GCM envelope encryption (master key in a dedicated secret store), enforce per-tenant isolation in PostgreSQL, sign all webhooks, and rotate session tokens. The full technical posture is published at /security.
10. Children
ADAWCAG.org is a B2B accessibility-compliance product. It is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact contact@adawcag.org and we will delete it.
11. International transfers
Our infrastructure is hosted in the United States. If you access the service from outside the U.S., your information will be transferred to and processed in the U.S. We rely on the EU Standard Contractual Clauses where applicable.
12. Changes to this policy
We may update this policy as the product evolves. The “Effective” date at the top reflects the most recent revision. Material changes will be announced by email to active customers at least 14 days in advance.
13. Contact
UAIU Holdings Corp
Attn: Privacy
contact@adawcag.org
530-808-5208