Privacy Policy
Last updated: June 2026
1. Who we are
OverlayRiskWitness (“we”, “us”, “our”) is an evidence-documentation service that loads your web pages with and without an accessibility overlay, runs axe-core on both versions, and stores timestamped before-and-after findings. We are not a law firm and we do not provide legal advice. If you need guidance on your legal obligations, consult qualified counsel.
Questions about this policy may be sent to privacy@overlayrisk.com.
2. Data we collect
2.1 Account information
When you create an account we collect your email address and, if you choose to set one, a display name. We use Supabase Auth to manage authentication; passwords are hashed and never stored in plain text.
2.2 Google sign-in (Google OAuth)
If you choose “Continue with Google”, Google shares a limited set of Google user data with us: your name, email address, and profile picture, plus the Google account identifier used to sign you in. We use this data solely to create and authenticate your OverlayRiskWitness account. We do not access any other Google services or data, we do not use Google user data for advertising, and we do not sell it or share it with third parties except the infrastructure providers listed below that operate the service on our behalf. You can revoke our access at any time from your Google account permissions page. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
2.3 URLs you submit
To run a witness you provide one or more page URLs. We store those URLs in our database so we can re-run scans, detect drift over time, and show you your scan history. URLs are associated with your account.
2.4 Captured evidence
Each witness run produces evidence data including:
- axe-core rule violations captured with the overlay enabled and with it blocked
- DOM snapshots and screenshots of the page at the time of the run
- detected overlay vendor, script version, and injection method
- run timestamp, axe-core version pin, and a content hash for the evidence packet
This evidence is stored in your account and forms the Risk Packet you can download or share with counsel.
2.5 Usage and technical data
We collect standard server logs (IP address, browser user-agent, referring URL, pages visited, timestamps) to operate and secure the service. We may also collect aggregate, non-identified usage statistics such as which features are used most often.
2.6 Payment data
Payment card details are handled entirely by Stripe. We receive a non-sensitive payment token and your billing email from Stripe; we never store card numbers, CVVs, or full payment credentials on our systems.
3. How we use your data
- Run witnesses and deliver evidence packets. Your URLs and account data are used to execute scans, store results, and make them available to you in the dashboard and via download.
- Drift monitoring. If you subscribe to a Drift Monitor plan, we re-run your pages on a recurring schedule and notify you of changes.
- Billing and account management. We use your email and Stripe customer record to process payments, send receipts, and manage subscriptions.
- Transactional email. We send you emails for account events (scan complete, packet ready, drift alert, billing receipts). We do not send unsolicited marketing email without your consent.
- Service improvement and security. Aggregate, de-identified usage data helps us identify bugs, improve performance, and detect abuse.
4. Data processors
We engage the following sub-processors. Each is bound by its own privacy terms and, where applicable, a Data Processing Agreement.
| Processor | Purpose | Data shared |
|---|---|---|
| Supabase | Database, auth, storage | Account data, URLs, evidence |
| Stripe | Payment processing | Email, billing records |
| Resend | Transactional email | Email address, notification content |
| Vercel | Hosting and edge network | Request logs, IP addresses |
We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.
5. Data retention
We retain your account data and evidence for as long as your account is active. If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain records for legal or tax compliance purposes (for example, billing records required under applicable law). De-identified aggregate statistics may be retained indefinitely.
6. Your rights
Depending on your jurisdiction, you may have the right to:
- Access — request a copy of the personal data we hold about you
- Correction — ask us to correct inaccurate data
- Deletion — request that we delete your account and associated personal data (subject to legal retention requirements)
- Portability — receive your data in a structured, machine-readable format
- Objection / restriction — object to certain processing activities
To exercise any of these rights, email privacy@overlayrisk.com. We will respond within 30 days.
7. Cookies and local storage
We use essential cookies and browser local storage to maintain your authenticated session (via Supabase Auth). We do not currently use advertising or cross-site tracking cookies. If that changes, we will update this policy and, where required by law, obtain your consent.
8. Children
OverlayRiskWitness is not directed to children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@overlayrisk.com and we will promptly delete it.
9. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the “Last updated” date at the top and, for significant changes, notify you by email or via an in-app notice. Continued use of the service after changes become effective constitutes your acceptance of the updated policy.
10. Contact
For privacy inquiries, data requests, or complaints, contact us at privacy@overlayrisk.com.