Privacy Policy
Last updated: 9 April 2026
This policy explains how Keogh Ltd, trading as AccessibilityRef ("we", "us", "our"), collects, uses, and protects personal data in accordance with the EU General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679.
This policy applies to the AccessibilityRef website (accessibilityref.eu).
1. Data Controller
Legal entity: Keogh Ltd
Trading as: AccessibilityRef
Website: accessibilityref.eu
For data protection enquiries, contact us via the contact page.
2. Data We Collect
Account data: Email address and password (hashed) when you register. Stored securely via Firebase Authentication (Google LLC).
Payment data: When purchasing Pro tools, payment is processed by Stripe Inc. We receive only a transaction confirmation and your email. We do not store card details.
Usage data: Page views and tool interactions via Google Analytics 4. This data is anonymised and aggregated, and only collected with your consent.
AI tool input data: When using AI-powered tools (ARIA Assistant, Alt Text Prompter), the content you submit is sent to Anthropic's Claude API for processing. We do not store this input data after the response is returned.
3. Legal Basis for Processing
Contract (Art. 6(1)(b)): Processing your account and payment data to provide the service you purchased.
Legitimate interests (Art. 6(1)(f)): Security, fraud prevention, crash reporting, and improving the platform and app.
Consent (Art. 6(1)(a)): Advertising and analytics cookies — only after you click "Accept All" in the cookie banner.
4. Third-Party Processors
| Processor | Purpose | Location |
|---|---|---|
| Firebase (Google LLC) | Authentication and database | USA (SCCs) |
| Google Analytics 4 | Usage analytics (consent required) | USA (SCCs) |
| Stripe Inc. | Payment processing | USA (SCCs) |
| Resend Inc. | Transactional email (account and payment notifications) | USA (SCCs) |
| Anthropic PBC | AI processing for ARIA Assistant and Alt Text Prompter tools | USA (SCCs) |
| Vercel Inc. | Website hosting | USA/EU (SCCs) |
SCCs = Standard Contractual Clauses, ensuring GDPR-compliant international transfers.
5. Cookies & Analytics
We use Google Analytics 4 to understand how the site is used. Analytics cookies are only set after you click "Accept All" in the cookie banner. We implement Google Consent Mode v2, which signals your consent choice to Google. We do not display advertisements. See our Cookie Policy for full details.
6. Your Rights Under GDPR
Right of Access
Request a copy of your personal data.
Right to Rectification
Correct inaccurate data we hold.
Right to Erasure
Request deletion of your account and data.
Right to Restriction
Limit how we process your data.
Right to Portability
Receive your data in a machine-readable format.
Right to Object
Object to processing based on legitimate interests.
Right to Withdraw Consent
Withdraw advertising consent at any time via the cookie banner.
Right to Lodge a Complaint
Contact your national data protection authority.
To exercise any right, use our contact form. We will respond within 30 days as required by GDPR Article 12(3).
Right to erasure (Article 17) — how to exercise it
You can submit a deletion request at any time from the Privacy & Your Data section of your account page. Every request is reviewed manually by our admin team and actioned within 7 days under normal circumstances, and within 30 days at the latest as required by GDPR Article 12(3). You will receive an email confirmation once the deletion has been completed. The manual review step exists to verify identity, check for active billing disputes or legal holds, and prevent malicious deletions of compromised accounts.
What is deleted: your profile, saved checklists and assessments, team membership, and Firebase Authentication record.
What is retained (and why): anonymised Stripe billing records (with your name and email removed) are retained for the period required by EU tax law — typically 7 years — under the legal obligation exemption in GDPR Article 17(3)(b). These records cannot be linked back to you.
You can also use the Export your data button on the same page to download a JSON copy of all personal data we hold (Article 20).
7. Data Retention
Account data: Retained while your account is active. Deleted within 7 days of an approved deletion request, and within 30 days at the latest (GDPR Article 12(3)).
Payment records: Anonymised Stripe billing records (with personally identifying fields removed) are retained for 7 years to comply with EU tax and accounting obligations under GDPR Article 17(3)(b).
Analytics data: Retained for 14 months (Firebase Analytics default), then automatically purged.
Audit logs: Server-side audit logs of administrative actions and security events are retained for 12 months for security and compliance purposes.
8. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. All data in transit is encrypted via TLS. Authentication credentials are hashed and never stored in plain text. Access to production systems is restricted to authorised personnel only.
9. Changes to This Policy
We may update this policy periodically. Material changes will be communicated by updating the date above. Continued use of the site after changes constitutes acceptance of the revised policy.
Related Policies