Privacy Policy
Last updated: May 4, 2026
1. Who we are
OnlyEnable ("we," "us," "our") provides a hosted accessibility widget and related compliance tools to website owners ("Customers"). This policy describes how we handle data from two distinct groups:
- Customers — people who sign up at onlyenable.com to install the widget on their sites.
- End users — visitors to a website that has the OnlyEnable widget installed.
2. What we collect from Customers
- Email address and authentication credentials (managed by Supabase Auth).
- Site metadata you provide: site name, domain, branding preferences, widget settings.
- Billing information processed by Stripe — we receive customer ID, subscription status, and last-4 of card; we never see or store full card numbers.
- API key activity (key prefix, request timestamps) when you use the REST API or MCP server.
3. What we collect from End users
When the widget loads on a Customer's site, we record minimal anonymous usage events:
- Event type (widget loaded, panel opened, feature toggled).
- Page URL on the Customer's site.
- User agent string.
- A SHA-256 hash of the visitor's IP address, salted with a server-side secret. We do not store raw IP addresses.
We do not collect: names, email addresses, account IDs, fingerprinting data, cross-site behavior, or any personally identifiable information from end users. We do not set tracking cookies on end users.
4. How we use data
- Operate, secure, and improve the Service.
- Authenticate Customers and authorize widget config requests.
- Show Customers usage analytics for their own sites.
- Bill subscriptions and prevent fraud.
- Send transactional email (account, billing, security). Marketing email only with opt-in consent.
5. Subprocessors
We share data only with the following providers, each bound by a Data Processing Agreement:
- Supabase (US/EU) — database, authentication, storage.
- Vercel (US) — application hosting and edge delivery.
- Stripe (US) — payment processing.
- Google PageSpeed Insights (US) — only when a URL is submitted to our public audit tool. Submitted URLs are sent to Google for accessibility scanning.
6. Where data is stored
Customer accounts and usage events are stored in Supabase Postgres. We retain account data for the lifetime of your subscription. Anonymous usage events are retained for 24 months, then deleted. You may request earlier deletion at any time.
7. Your rights (GDPR, UK GDPR, CCPA)
If you are a Customer or an end user in a covered jurisdiction, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion ("right to be forgotten").
- Export your data in a portable format.
- Object to or restrict processing.
- Withdraw consent (where consent is the legal basis).
- Lodge a complaint with your local data protection authority.
For end users: because we identify visitors only via salted-hashed IP, we cannot match a request to specific records without you also providing the visited URL and approximate timestamp. We will action what we can within 30 days.
To exercise any of these rights, email privacy@onlyenable.com.
8. Cookies
End-user cookies: the widget stores accessibility preferences (e.g. font size, contrast mode) in localStorage on the visitor's browser so their selections persist between visits. This is strictly necessary for the widget to function and does not require consent under ePrivacy / GDPR cookie rules.
Customer cookies: our dashboard uses a session cookie issued by Supabase Auth to keep you logged in. We do not use third-party advertising or analytics cookies on the dashboard.
9. Security
We use TLS in transit and AES-256 at rest (via Supabase). Passwords are hashed with bcrypt. API keys are stored as SHA-256 hashes — we cannot recover a key after issuance. We follow the principle of least privilege for internal access and review subprocessors annually.
10. Children
The Service is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided personal data, contact us and we will delete it.
11. International transfers
We rely on Standard Contractual Clauses (SCCs) for transfers of personal data out of the EEA / UK to our US-based subprocessors. Copies of the SCCs are available on request.
12. Changes to this policy
We'll post material changes here and notify Customers by email at least 30 days before they take effect.
13. Contact
Questions, requests, or complaints: privacy@onlyenable.com