WebAuditFix.
Standards Examples Case studies Pricing Login

Privacy Policy

Last updated: 2026-06-30

This page explains what personal data WebAuditFix collects, why, how long we keep it, and your rights under the EU General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.

1. Who is the data controller

Data Vision IT Consulting Limited
Kilbride, Wicklow, Ireland
Companies Registration Office (CRO) number: 748035
VAT number: IE4212283KH
Privacy contact: [email protected]

We have not appointed a Data Protection Officer; the volume and nature of the personal data we process does not require one under GDPR Article 37. Privacy enquiries can be sent to the address above and will be answered by a member of Data Vision IT Consulting Limited.

2. What data we collect

WebAuditFix does not require an account for free audits, and the audit pages themselves do not collect names, email addresses, or analytics about your browsing. The Premium Compliance PDF that accompanies every scan is free and involves no payment step. An optional portal subscription at portal.webauditfix.com (Starter, Pro, or Founder — see the Pricing page) lets you manage multiple client sites; that flow processes account + payment data, and payment is handled by Stripe — your card details never reach our servers. Specifically:

DataSourcePurpose
The URL you submit for audit Your form submission To perform the audit and display the results to you
The audit results we compute (scores, per-check status, technical detail) Generated by our scanner To display results and provide a shareable result link
Your IP address Your network connection Rate limiting — to prevent abuse of the service
A session cookie Set in your browser by our server Cross-site request forgery (CSRF) protection on the audit form
Account email address (portal subscribers only) You, at portal signup To send the magic-link sign-in email and operational service notices
Subscriber email + Stripe customer / subscription reference (portal subscribers only) Stripe Checkout, after a successful payment To issue the receipt / VAT invoice, to support refunds, and to keep accounting records as required by Irish tax law
Subscriber VAT number (portal subscribers only, if entered at Checkout) You, at Stripe Checkout To apply EU B2B reverse-charge VAT treatment and produce a compliant cross-border invoice

We do not use third-party analytics, advertising trackers, social plugins, or fingerprinting. We do not embed third-party scripts in the audit pages. When you subscribe to a portal plan you are redirected to Stripe's hosted Checkout page (checkout.stripe.com); "Manage billing" from inside the portal opens Stripe's Customer Portal (billing.stripe.com) — see Section 5 for what happens there.

3. Legal basis for processing

We rely on the legal bases set out in GDPR Article 6:

  • Performance of a service you requested (Art. 6(1)(b)) — for processing the URL you submit, returning the audit results (free audit + free Premium Compliance PDF), and delivering the portal subscription you signed up for.
  • Legal obligation (Art. 6(1)(c)) — for retaining transaction records of any portal subscription as required by Irish tax law (six years per s. 886 Taxes Consolidation Act 1997).
  • Legitimate interests (Art. 6(1)(f)) — for IP-based rate limiting and CSRF protection. Our legitimate interest is keeping the service available and resistant to abuse; we balance this against your privacy by not storing IP addresses in our database and by using strictly necessary session cookies only.
  • Consent (Art. 6(1)(a)) — for the opt-in embeddable badge. If you verify domain ownership through DNS, a well-known file, or a meta tag, we issue a per-domain token and serve an SVG showing your scan score against that domain. You initiate this flow; you can disable the badge at any time by deleting the proof artefact you published (the re-check job revokes the row after three consecutive failures) or by contacting [email protected] for immediate removal.
  • Consent (Art. 6(1)(a)) — for the founder trial. If you sign up at /founder-trial, we process your name + email address to deliver a sign-in link, a 14-day expiry reminder, and an end-of-trial follow-up. You confirm consent at signup by ticking an unchecked-by-default box. You can withdraw consent + request deletion at any time by emailing [email protected] or by cancelling your trial from the portal account page.

4. How long we keep it

DataRetention
Submitted URLs and audit results Kept indefinitely while the service runs, so the /results/<id> link remains usable. You can request deletion at any time — see Section 7.
IP address (rate-limit counter) Held in our cache for the rate-limit window (one hour) and then expires automatically. Not written to our database.
Session cookie Expires when you close your browser. Not associated with a stored record on our side beyond signature verification.
Web server access logs Held by our hosting provider for up to 14 days for operational and security purposes (debugging, abuse investigation).
Portal account record (email address, magic-link signing seed, last sign-in timestamp) Held for the lifetime of the subscription plus a 30-day grace period after cancellation, so you can reactivate without losing scan history. After that we delete the email and magic-link seed; an anonymised account row may remain to preserve referential integrity of historical scan rows.
Portal subscription record (account ID, Stripe customer + subscription IDs, tier, amount, currency, subscriber email, VAT number if any, billing cycle) Six years from the end of the tax year of the transaction, in line with s. 886 Taxes Consolidation Act 1997 (Irish bookkeeping requirement). After that we anonymise the accounting reference and delete the subscriber email address.
Badge verification (verified hostname, per-domain token, chosen proof method) Held until you withdraw consent (delete the proof artefact, or email [email protected]). A weekly re-check revokes the row automatically after three consecutive proof failures. The token is not a secret — it appears in the public badge URL.
Founder trial signup (name, email, consent timestamp) Held for the 60-day trial duration plus a 30-day grace period for end-of-trial follow-up (90 days total). After that we delete the name + email unless you have an active paid subscription. You can request earlier deletion at any time by emailing [email protected].

5. Who we share it with

We do not sell, rent, or share personal data with third parties for marketing or advertising. The only places your data goes are:

  • The URL you submit. Our scanner makes HTTP requests to the host you ask us to audit (your homepage, plus standard paths like /robots.txt, /sitemap.xml, and /security.txt). The audited server will see our IP address and our User-Agent string (WebAuditFixBot/1.0 (+https://webauditfix.com/bot)).
  • Our hosting provider. The server hosting WebAuditFix processes incoming requests on our behalf as a data processor.
  • Stripe — portal subscriptions only. Subscription payments are processed by Stripe Payments Europe Ltd (1 Grand Canal Street Lower, Grand Canal Dock, Dublin 2, Ireland) as a data processor on our behalf, and by Stripe, Inc. in the United States as a sub-processor. When you subscribe to a portal plan you are redirected to Stripe's hosted Checkout page (checkout.stripe.com); "Manage billing" from inside the portal opens Stripe's Customer Portal (billing.stripe.com). At either you provide your email address, billing country, payment details, and optionally a VAT number. Stripe shares back to us a customer reference, a subscription reference, the subscriber email, the tier, the amount, the currency, and (if entered) the VAT number — we do not receive or store your card details. Stripe processes its own logs and fraud-prevention data under Stripe's privacy policy. Cross-border transfers to the US are governed by Standard Contractual Clauses and Stripe's certification under the EU-US Data Privacy Framework.
  • Brevo (Sendinblue) — transactional email only. Magic-link sign-in emails and other operational notices to portal subscribers (sign-in, billing receipts, trial reminders) are delivered through Brevo SAS (7 rue de Madrid, 75008 Paris, France) as a data processor on our behalf. We pass Brevo your email address and the message body; Brevo holds delivery logs for operational purposes. No marketing email is sent through this channel.
  • Regulators or law enforcement if we are legally compelled — none has happened to date and we will challenge overly broad requests where we can.

6. International transfers

Audit data (URLs you submit, results, IP addresses) is processed entirely within the European Union (Ireland) and never leaves the EEA.

Portal subscription data (Section 5) is processed by Stripe Payments Europe Ltd in Ireland with onward transfer to Stripe, Inc. in the United States as a sub-processor. That transfer is governed by the EU Standard Contractual Clauses incorporated into Stripe's Data Processing Agreement, and Stripe is certified under the EU-US Data Privacy Framework. If you do not subscribe to a portal plan, no subscription data is generated and no transfer to the United States takes place.

7. Your rights

Under GDPR you have the following rights:

  • Access — get a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete data we hold (e.g. a specific scan record).
  • Restriction — ask us to limit how we process your data.
  • Portability — get the data you provided in a portable format.
  • Objection — object to processing based on legitimate interests.
  • Complaint to the supervisory authority — the Irish Data Protection Commission.

To exercise any of these rights, email [email protected]. Please include the scan ID (visible in the URL of the results page) if your request relates to a specific audit.

8. Automated decision-making and AI training

WebAuditFix runs a fixed, deterministic set of technical checks against the URL you submit. There is no profiling and no decision that produces legal or similarly significant effects within the meaning of GDPR Article 22.

We do not use submitted URLs or audit results to train machine-learning models, and we do not pass them to third-party AI services.

9. Security

We use HTTPS with current TLS, deploy with a reverse proxy and least-privileged service users, and apply security headers recommended by current best practice (in fact, our own scanner audits the same signals). Despite this, no service is perfectly secure; please report any vulnerabilities responsibly to [email protected].

10. Changes to this policy

We may update this policy as the service changes. The "Last updated" date at the top of this page reflects the most recent revision. Material changes that affect how we process personal data will be reflected here before they take effect.

11. Contact

Questions, requests, or complaints: email [email protected] or write to Data Vision IT Consulting Limited, Kilbride, Wicklow, Ireland.

© 2026 WebAuditFix · a product of Data Vision IT Consulting Limited · CRO 748035

Contact  ·  Privacy  ·  Cookies  ·  Terms  ·  Bot  ·  Affiliates