Privacy Policy

How we collect, use and protect your personal data in compliance with GDPR.

Last updated: February 17, 2026

Includdy SAS ("Includdy," "we," "us," "our," or "ours") is committed to protecting your privacy. This Privacy Policy explains how the Includdy platform and browser extension (collectively, "the Service") collect, use, and manage data.

1. Overview

Includdy is an accessibility testing and audit platform designed for web developers and accessibility specialists. The Service comprises:

  • The Includdy Platform ("the Platform") — a web application that allows you to manage projects, view accessibility reports, collaborate with team members, and receive AI-assisted code correction suggestions.
  • The Includdy Browser Extension ("the Extension") — a Chrome DevTools extension that analyzes web pages to verify their EAA, WCAG, and RGAA compliance by inspecting page structure, images, colors, headings, languages, interactive elements, accessible names, and element visibility.

2. Data Controller

The data controller is:

  • Legal Entity: Includdy SAS
  • Address: 1 avenue Général Weygand, 06000 Nice, France
  • Email: [email protected]

3. Data Collected

3.1 Extension — Page Content Analysis

When you actively launch an analysis, the Extension examines the DOM structure of the current web page, including:

  • HTML element structure (headings, lists, images, links, interactive elements)
  • CSS properties (colors, contrast ratios, visibility)
  • Image attributes (alt text, dimensions, ARIA labels)
  • Language attributes and text content
  • Calculation of accessible names for interactive elements, headings, images, and lists
  • Visibility analysis (visual visibility on screen and visibility for screen readers)

This data is processed locally in your browser by the Extension. Only analysis results (not raw page content) are transmitted to our servers when you choose to save a report.

3.2 Extension — Data Transmitted to Our Servers

The following data may be transmitted to Includdy servers when you save a report:

  • Analysis Results: EAA/WCAG/RGAA compliance findings (violations, passes, incomplete checks)
  • Page Metadata: URL and title of the analyzed page
  • Screenshots: cropped screenshots of elements for accessibility reports (obtained via the Chrome DevTools Protocol)
  • Manual Verification Results: user decisions during accessibility manual verification steps, with context of associated elements

3.3 Extension — Third-Party Services

The Extension does not transmit any data to third-party services. All analysis is performed locally in your browser, and data is sent only to Includdy's own servers.

3.4 Platform — Account Data

When you use the Includdy Platform, the following account data is processed:

  • Authentication: we use Kinde as the identity provider. Your email address, name, and profile photo are managed by Kinde. We store your email and a unique identifier in our database to link your account.
  • Team Membership: team name, your role (owner, administrator, member, observer), and invitation details.
  • API Access Key: a generated key stored in our database to authenticate requests from the Extension.

3.5 Platform — Project and Analysis Data

  • Project Information: website names, base URLs, and root domains you configure for auditing.
  • Analysis Results: accessibility test results including rule violations, HTML snippets, CSS selectors, and DOM structure fragments of analyzed sites.
  • Browser Environment: user agent string and window dimensions captured during analyses (for test reproducibility).
  • AI Interactions: when you use AI-assisted features, accessibility context (HTML snippets, rule descriptions) is processed by AI models to generate code correction suggestions. No personal data is included in these requests.
  • Chat Messages: questions you ask the AI assistant and responses, stored for session continuity.

3.6 Platform — Cookies

The Platform uses the following cookies:

  • Authentication Cookies (strictly necessary): managed by Kinde for session authentication.
  • Functional Cookies (first-party, 30 days): remember your analysis and page selection preferences by project.

No advertising, analytics, or tracking cookies are used.

3.7 Platform — Email Communications

When you invite team members to a project, the invitee's email address is transmitted to Resend (our email delivery provider) to send the invitation email. This email contains the inviter's name, project name, assigned role, and an invitation link with a 7-day expiration.

3.8 Data NOT Collected

The Service does not collect:

  • Personal browsing history
  • Cookies or tracking identifiers for advertising purposes
  • Data from pages you do not actively analyze
  • Form field values or user inputs from analyzed pages
  • Passwords or authentication credentials from analyzed pages
  • IP addresses or fingerprints for profiling purposes

4. Data Use

All collected data is used exclusively for:

  • Accessibility Analysis: generation of EAA/WCAG/RGAA compliance reports for pages you test
  • Report Generation: creation and storage of accessibility audit results on the Platform
  • AI-Assisted Corrections: provision of automated code correction suggestions for accessibility violations
  • Collaboration: management of team projects and sharing of audit results
  • Service Improvement: analysis of aggregated and anonymized usage trends to improve the Service

We do not:

  • Sell your data to third parties
  • Use your data for advertising purposes
  • Track your browsing activity
  • Create user profiles for marketing purposes

5. Subprocessors

The following third-party services process data on our behalf:

Service Purpose Data Processed Server Location
Vercel Hosting and deployment HTTP requests, server logs Paris, France (cdg1)
Supabase PostgreSQL database All application data (encrypted at rest) Frankfurt, Germany (eu-central-1)
Kinde Authentication and identity Email, name, profile photo Dublin, Ireland (eu-west-1)
Nebius AI processing (code corrections) HTML snippets, accessibility context (no personal data) Amsterdam, Netherlands
Groq AI processing (code corrections) HTML snippets, accessibility context (no personal data) United States
Resend Transactional email Recipient email, invitation details Frankfurt, Germany (eu-central-1)
Cloudflare CDN, DDoS protection, and Turnstile (anti-spam) No user data European network (EU points of presence)
Google Tag Manager Audience measurement (subject to consent) Anonymized analytics data Proprietary server (sgtm.includdy.com)
Hotjar Behavioral analytics — heatmaps and session recordings (subject to consent) Anonymized interactions (clicks, scrolls, mouse movements) Dublin, Ireland (eu-west-1)

Although some of these service providers are US-based companies, the servers used by Includdy are, unless otherwise stated, exclusively located in the European Union.

6. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your data on the basis of:

  • Contract Performance (Article 6(1)(b)): provision of the Service to which you have registered, transmission of analysis results, management of your account.
  • Legitimate Interest (Article 6(1)(f)): local processing of page content for accessibility analysis, improvement of the Service.
  • Consent (Article 6(1)(a)): you initiate each analysis explicitly; no background data collection is performed.

7. Data Storage and Retention

  • Local Storage (Extension): access keys and preferences are stored in your Chrome extension's local storage on your device.
  • Server-Side: analysis results, project data, and account data are stored on PostgreSQL servers hosted by Supabase within the European Union.
  • Temporary Data: page analysis data in the Extension is processed in memory and deleted after analysis completes.
  • Screenshots: stored on Includdy's CDN (hosted in the European Union) as part of accessibility reports for as long as the report exists.
  • Account Deletion: when you delete your account, all associated data (projects, analyses, team memberships) is deleted.

8. International Data Transfers

Data is processed and stored within the European Union (Supabase's EU region). Authentication data is processed by Kinde in accordance with their data processing agreement. We ensure appropriate safeguards for any international data transfers in compliance with the GDPR.

9. Your Rights

Under GDPR (EU/EEA Residents)

  • Right of Access: request a copy of your data
  • Right to Rectification: request correction of inaccurate data
  • Right to Erasure: request deletion of your data ("right to be forgotten")
  • Right to Data Portability: receive your data in a machine-readable format
  • Right to Object: object to processing based on legitimate interest
  • Right to Restriction: request limitation of processing

Under CCPA (California Residents)

  • Right to Know: know what personal information is collected and how it is used
  • Right to Delete: request deletion of personal information
  • Right to Opt-Out: refuse the sale of personal information (we do not sell your data)
  • Right to Non-Discrimination: equal service regardless of exercising your privacy rights

To exercise these rights, contact us at [email protected].

10. Changes to This Policy

We may update this Privacy Policy periodically. Changes will be communicated via Extension release notes, the Platform interface, and our website. The "Last updated" date at the top of this document indicates the most recent revision.

11. Contact

For any privacy-related questions or to exercise your rights:


This translation is provided for convenience only. In case of any discrepancy, the French version prevails.