Version 1.1 - effective 2026-05-14

EAAGuard Privacy Policy

Last updated: 2026-05-14. DRAFT - pending review by qualified EU counsel before first paying customer.

EAAGuard handles your personal data in line with the EU General Data Protection Regulation (GDPR).

1. Who we are

EAAGuard ("we", "us") is the controller of personal data described in this policy. Contact: [email protected].

2. What we collect

Account data - name, email, password hash, locale, country (optional), 2FA secret if you enable it.

Site data - the URLs you ask us to scan and any metadata you provide (site name, language, custom fields the admin has defined).

Scan data - automated scan output for each URL: HTTP status, load time, axe-core rule findings, DOM snippets sufficient to identify the violation. We do not deliberately capture visitor data from the scanned sites.

Billing data - payment processing is handled by Paddle, our Merchant of Record. EAAGuard does not store credit card numbers or full payment details. Paddle may share transaction-level information (subscription status, a customer reference, billing history) with us.

Marketplace data - your audit requests, bids you accept, ratings you leave, and any messages you send through the platform.

Operational data - IP address, user-agent and session timestamps for security, fraud prevention, rate limiting, and the legal-acceptance audit trail.

3. Why we process it (legal bases under GDPR)

  • Performing the contract you signed up for (account, scans, marketplace).
  • Legitimate interest in keeping the service secure (rate limits, abuse prevention).
  • Compliance with legal obligations (accounting and tax record-keeping, legal-acceptance audit).
  • Consent where we ask for it explicitly (cookie acceptance, marketing emails).

4. Who sees your data

  • Paddle - Merchant of Record. Processes payments, issues invoices, and manages subscriptions. Paddle operates under its own privacy notice; please review it before subscribing.
  • Resend - sends transactional emails.
  • Hetzner Cloud (EU datacentre) - hosts EAAGuard.
  • Cloudflare - DNS, TLS, DDoS mitigation in front of EAAGuard.
  • Independent marketplace auditors - only the request details you share when opening a marketplace request. We never share your account password or unrelated scan data.

We do not sell personal data and we do not use third-party advertising trackers.

5. Where your data lives

EAAGuard's servers are in the European Union (Hetzner Falkenstein/Helsinki). Sub-processors may transfer limited data to jurisdictions covered by the EU adequacy framework or Standard Contractual Clauses; their own privacy notices govern those transfers.

6. How long we keep it

  • Account data: while your account is active.
  • Transaction records: as required by applicable accounting and tax law (typically up to 7 years).
  • Scan data: while your account is active, then 90 days after deletion for backups to age out.
  • Operational logs: 90 days rolling.
  • Legal-acceptance audit log: kept while you have an account so we can prove what you agreed to.

7. Your rights (GDPR)

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your account and personal data (right to be forgotten), subject to legal retention.
  • Export your data in a portable format.
  • Object to processing or restrict it.
  • Lodge a complaint with your national data-protection authority.

Write to [email protected] to exercise any of these rights.

8. Cookies

We use a single first-party session cookie and a CSRF cookie. We do not use third-party trackers: no Google Analytics, no Facebook pixel. See the Cookie Policy for the full list.

9. Security

Passwords are hashed with bcrypt. 2FA secrets and notifier credentials are encrypted at rest. JWT access tokens expire after 15 minutes. Refresh tokens are stored as SHA-256 hashes and rotated on use. The host runs unattended security updates and is firewalled.

10. Changes

We notify you of material updates by email at least 14 days before they take effect.

EAAGuard - helps EU sites monitor accessibility against the European Accessibility Act and WCAG 2.1/2.2.
