Privacy Policy
Last updated: March 2026
Daelys ("we", "our", "us") collects, uses, stores, and protects the personal information of users (hereinafter "you", "your") of the Daelys service (hereinafter "the Service").
By using our Service, you consent to the collection and use of your personal information in accordance with this Policy.
1. Data controller
Daelys is the data controller for your personal data. The data controller can be contacted via Our contact page.
2. Data collected
2.1. Data provided directly by you
- Registration data: email address, password (encrypted)
- Profile data: your site name, site URL
- Payment data: handled by Stripe (we do not store your banking data)
- Communications: support requests, messages via the contact form
2.2. Data collected automatically
- Dashboard usage data: pages visited, features used
- Technical data: IP address, browser type, operating system
- Widget data: anonymized usage statistics of accessibility features activated by your site's visitors (Pro plan only)
2.3. Data collected via the diagnostic tool
When you use our accessibility diagnostic tool, we collect:
- The URL of the analyzed site (kept for 30 days to allow you to retrieve your scan history)
- The public HTML content of the analyzed pages (used only during the analysis, not retained afterwards)
- The diagnostic results (score, detected issues, categories). Retained as long as your account is active
The diagnostic tool only accesses publicly accessible pages of the analyzed site. No personal data of the analyzed site's visitors is collected.
2 bis. The Daelys widget and the privacy of your site's visitors
Daelys is built around a simple principle: a visitor's preferences are none of our business.
Concretely, the Daelys widget does not collect, transmit, or process any personal data from your site's visitors. Specifically:
- Preferences stored locally only. Settings activated by a visitor (text size, contrast, profile, etc.) are saved in their browser's localStorage. This data never leaves their device and is never transmitted to our servers.
- No cookies set. The Daelys widget sets strictly no cookie: no session, no tracking, no cross-site.
- No detection of assistive technologies. Daelys does not detect whether a visitor is using a screen reader, a braille display, screen magnification software, voice control, or any other assistive tool. A visitor's disability status is never revealed to us. Detecting such tools would amount to collecting health data within the meaning of the GDPR, which would expose your site to legal liability. Daelys does not do this.
- No tracking, no fingerprinting, no third-party tools. Daelys does not identify the device, browser, IP address, or any other signal allowing visitor tracking. No third-party analytics tool is bundled. The widget reads your page structure only to apply requested display settings, never to extract data from it.
Implication for you, the site owner: installing the Daelys widget does not require any additional consent banner under GDPR or the ePrivacy directive. The widget is compatible with any deployment, including in strict jurisdictions (France, Germany, public-sector sites).
3. Purposes of processing
3.1. Service delivery
- Creating and managing your user account
- Providing and configuring the accessibility widget for your site
- Managing your subscription and payments
- Providing customer support
3.2. Service improvement
- Analyzing widget usage and performance
- Developing new accessibility features
- Fixing bugs and optimizing the experience
3.3. Security and compliance
- Detecting and preventing fraud and abuse
- Meeting our legal obligations
3.4. Advertising
No advertising on Daelys. Your data is never sold to third parties.
4. Legal bases for processing
- Contract: To perform our Terms of Service and provide the Service
- Consent: For processing requiring your explicit agreement
- Legitimate interest: To improve the Service, ensure security
- Legal obligation: To comply with applicable legislation
5. Data sharing
Your personal data is never sold. It may be shared with:
5.1. Technical subcontractors
- Supabase (hosting, database. Servers in Europe)
- Stripe (payment processing)
- Vercel (dashboard hosting)
- Cloudflare (widget CDN)
- Resend (email sending)
5.2. Transfers outside the European Union
Some of our subcontractors (Vercel, Cloudflare) may process data on servers located in the United States. These transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an adequate level of protection for your data.
5.3. Authorities and legitimate third parties
- Law enforcement upon legal request
- Courts in the context of legal proceedings
5.4. Subcontractor changes
Daelys reserves the right to add, replace, or remove a subcontractor at any time for technical, economic, or security reasons. Any material change to the list of subcontractors will be notified by email or via the dashboard with reasonable notice, allowing customers who object to terminate their Pro subscription free of charge before the change takes effect.
6. Retention period
- Account data: Until account deletion + 3 years for legal obligations
- Payment data: 10 years in accordance with accounting obligations
- Widget analytics data: 2 years maximum
- Technical logs: 13 months maximum
- Support data: 3 years after resolution
7. Your rights
In accordance with GDPR, you have the following rights:
- Right of access: Obtain a copy of your personal data
- Right of rectification: Correct inaccurate or incomplete data
- Right of erasure: Delete your data under certain conditions
- Right to restriction: Restrict the processing of your data
- Right to portability: Retrieve your data in a structured format
- Right to object: Object to processing on legitimate grounds
- Right to withdraw consent: Withdraw your consent at any time
To exercise these rights, contact us via Our contact page with proof of identity.
8. Data security
We implement appropriate technical and organizational measures:
- Encryption: Data encrypted in transit (TLS) and at rest
- Access control: Strong authentication, principle of least privilege (Supabase RLS)
- Passwords: Hashed and salted, never stored in plain text
- Payments: Handled entirely by Stripe (PCI DSS certified)
9. Data from your site's visitors
The Daelys widget installed on your site only collects:
- The visitor's accessibility preferences (stored in localStorage on their browser, never transmitted to our servers)
- Anonymized usage statistics (Pro plan only): features activated, with no personally identifiable data
The widget sets no cookies and collects no personal data from your site's visitors.
Anonymized usage statistics collected via the widget may be used by Daelys to improve the Service and its accessibility features, without any personally identifiable data being processed.
10. Access to your site and responsibility
By installing the Daelys widget on your site, you grant Daelys the right to access your website as part of providing the Service (loading the widget, accessibility analysis, reporting anonymized statistics).
You are responsible for informing your visitors of the presence of the Daelys widget on your site, in accordance with the legal obligations applicable to you.
Under the Pro plan, when Daelys collects widget usage statistics on your behalf, Daelys acts as a data processor within the meaning of GDPR. The data is processed in accordance with this Policy and solely for the purpose of providing you with the Service.
11. Cookies
The Daelys dashboard may use strictly necessary cookies for the Service to function (session, authentication). No advertising or tracking cookies are set.
The Daelys widget installed on your site sets no cookies. Visitors' accessibility preferences are stored exclusively in localStorage on their browser.
12. Retention and deletion
When you delete your account:
- Your personal data is deleted from our servers
- Your analytics data is deleted
- The widget ceases to function on your sites
- Certain accounting data may be retained in accordance with legal obligations
13. Data Processing Agreement (DPA)
For customers with specific GDPR obligations (notably public authorities, healthcare institutions, large accounts), a formal Data Processing Agreement (DPA) specifying the terms of processing carried out by Daelys as a data processor can be provided upon request via our contact page.
14. Contact
For any questions about this Policy or to exercise your rights:
© 2026 Daelys - All rights reserved