Privacy Policy
Company: Inclusive Digital, Co.
Website: www.inclusivedigital.co
Contact: hello@inclusivedigital.co
Effective Date: 25 April 2026 · Last Reviewed: 9 May 2026 · Next Review: April 2027
1. Introduction
Inclusive Digital, Co. (“Inclusive Digital,” “we,” “us,” or “our”) is committed to protecting the privacy of our users and customers. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the Inclusive Digital platform available at www.inclusivedigital.co (the “Platform”).
The Platform includes: our VPAT® Evaluator and HECVAT Evaluator (AI-powered document scoring tools for accessibility and security procurement due diligence), and our free Access Plan and Accessibility Remediation Roadmap templates (browser-based tools that generate downloadable DOCX files entirely within your browser — no data is submitted to our servers from these tools).
By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use of the Platform.
2. Information We Collect
2.1 Account Information
We collect the following personal information when you create an account or use the Platform:
- Email address (required for account creation, authentication, and communication)
- First and last name (if provided during registration)
- Organization name and role (if provided)
- Payment information (processed securely by Stripe; we do not store full card details)
- Subscription tier, usage counts, and billing status (stored as metadata on your account)
2.2 Documents and Evaluation Data
When you use the VPAT or HECVAT Evaluator, we collect:
- Documents you upload for analysis (VPATs, ACRs, HECVATs — in PDF, DOCX, XLSX, or CSV format)
- Scores, risk tiers, assessments, and evaluation reports generated from your submissions
- Product names, vendor names, and URLs associated with evaluations
- Evaluation history associated with your account
2.3 Usage and Technical Data
- IP address (pseudonymized via HMAC-SHA256 with a daily-rotating salt before logging)
- Browser type, operating system, and device information
- Page views, feature interactions, and navigation paths
- Referring URLs and session data
- Error reports and performance data
- Communications with our support team
3. Legal Basis for Processing
We process personal information on the following legal grounds:
| Legal Basis | Examples |
|---|---|
| Contract Performance | Providing and maintaining the Platform; processing payments; managing subscriptions; delivering evaluation scores and reports |
| Legitimate Interests | Improving the Platform; developing new features; analyzing usage patterns; maintaining security and preventing fraud |
| Legal Obligation | Complying with applicable laws and regulations; responding to lawful requests; maintaining audit logs |
| Consent | Sending marketing communications (where you have opted in); use of non-essential analytics cookies |
4. How We Use Your Information
- Provide, operate, and improve the Platform and its features
- Process uploaded documents through our AI scoring engine to generate risk scores, assessments, and downloadable evaluation reports
- Process payments and manage your subscription
- Communicate with you about your account, billing, updates, and support requests
- Send marketing communications where you have opted in
- Detect and prevent fraud, abuse, and security incidents
- Maintain compliance audit logs (ISO 27001-aligned)
- Comply with legal obligations
5. Information Sharing
We do not sell, trade, or rent your personal information. We share information only with the following trusted third-party service providers who help us operate the Platform. All service providers are bound by data processing agreements and may only use your information to provide services to us.
| Service Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Anthropic | AI-powered document analysis | Document content (PII automatically scrubbed before transmission) | United States |
| Clerk | User authentication and account management | Email address, name, user ID, subscription metadata | United States |
| Stripe | Payment processing and subscription management | Email address, name, payment information, billing history | United States |
| Supabase | Database storage for evaluation history and rate-limiting records | Evaluation data, scores, risk tiers; user ID; pseudonymized IP for rate limiting | United States (AWS us-east-1) |
| Vercel | Cloud hosting, CDN, and serverless compute | Application traffic and request metadata | United States / Global CDN |
| Loops | Transactional and product email delivery | Email address, name, subscription tier | United States |
| Google Analytics 4 | Website analytics — only activated after cookie consent | Anonymized page view data only. If you decline cookies, no identifiers are sent. | United States |
| Calendly | Demo scheduling (on request only) | Name and email address submitted via demo request form | United States |
5.1 Other Sharing Circumstances
- With your explicit consent for specific purposes
- When required by law, regulation, or lawful legal process
- To protect the rights, privacy, safety, or property of Inclusive Digital, our users, or the public
- In connection with a merger, acquisition, or sale of all or substantially all of our assets (with notice to you)
6. Data Security
We implement multiple layers of technical and organizational security measures to protect your information:
6.1 Transmission Security
- All data transmitted over HTTPS using TLS 1.3
- HTTP Strict Transport Security (HSTS) enforced
- Content Security Policy (CSP) headers implemented
- X-Frame-Options and anti-clickjacking protections active
6.2 Storage Security
- Data encrypted at rest
- Role-based access controls limiting data access to authorized personnel only
- Multi-factor authentication required for administrative access
- IP addresses pseudonymized using HMAC-SHA256 with a daily-rotating salt — not reversible
6.3 Application Security
- Rate limiting on all API endpoints
- PII scrubbing (email addresses, phone numbers, credentials) before document content is sent to AI processing
- Malware scanning on uploaded PDFs and DOCX files
- Input validation on all form submissions
- Cryptographic signature verification on all inbound webhooks (Clerk via Svix; Stripe)
While we implement industry-standard security measures, no system is completely secure. We encourage you to use a strong, unique password and to notify us immediately if you suspect unauthorized access to your account.
7. Your Rights
Under GDPR, CCPA, and other applicable data protection laws, you may have the following rights:
| Right | Description |
|---|---|
| Access | Request copies of the personal information we hold about you |
| Rectification | Request correction of inaccurate or incomplete personal data |
| Erasure | Request deletion of your personal data, subject to legal retention obligations |
| Portability | Request your data in a structured, machine-readable format |
| Object | Object to processing based on legitimate interests or for direct marketing |
| Restriction | Request that we limit how we process your data in certain circumstances |
| Withdraw Consent | Withdraw consent for consent-based processing at any time, without affecting prior processing |
| Opt Out | Unsubscribe from marketing communications at any time via the unsubscribe link in any email |
To exercise any of these rights, contact us at hello@inclusivedigital.co. We will respond within 30 days. We may need to verify your identity before processing your request.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information (name, email, preferences) | Duration of active account, plus 30 days following account deletion |
| Uploaded documents and evaluation reports | Duration of active account, plus 90 days for backup recovery |
| Payment information | Per Stripe retention policies (approximately 7 years for tax/legal compliance) |
| Audit and security logs | 1 year |
| Support communications | 2 years |
| Marketing preferences | Until you opt out or request deletion |
Access Plan and Remediation Roadmap template data is never transmitted to our servers and therefore is not retained by us.
9. International Data Transfers
Inclusive Digital, Co. is based in the United States. Our Platform is hosted on Vercel infrastructure, and we use service providers (including Anthropic, Clerk, and Stripe) that may process data in the United States and other countries. If you are located outside the United States, your information may be transferred to and processed in jurisdictions with different data protection laws. We ensure appropriate safeguards are in place for such transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission where applicable.
10. Cookies and Tracking
We use cookies and similar tracking technologies to operate and improve the Platform. Specifically:
- Essential cookies: Required for authentication and session management (provided by Clerk). Cannot be disabled without breaking Platform functionality.
- Consent preference cookie (cookie_consent): Stores your accept/decline choice from the cookie banner for 12 months so we do not ask again on return visits. This cookie contains no personal data.
- Analytics cookies: Google Analytics 4 (GA4) collects anonymized data about page views and user interactions to help us improve the Platform. GA4 is only activated after you explicitly accept cookies via our consent banner. If you decline, GA4 operates in cookieless consent-mode only — no cookies are set and no identifiers are collected. You can change your preference at any time by clearing your browser cookies (which will cause the banner to reappear) or via the Google Analytics opt-out browser add-on.
A cookie consent banner is shown on your first visit. You can accept or decline analytics cookies at that point. Disabling essential cookies will prevent you from signing in.
11. Children's Privacy
The Platform is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at hello@inclusivedigital.co and we will delete such information promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by posting the updated policy on the Platform with a revised effective date and, where appropriate, by email notification. Your continued use of the Platform following the effective date of any update constitutes acceptance of the updated policy.
13. Contact
For privacy inquiries, to exercise your rights, or to raise a complaint, please email hello@inclusivedigital.co.
Website: www.inclusivedigital.co
If you are an EU/UK resident and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.