SiteBrace

Privacy policy

Site Brace collects no analytics, sets no tracking cookies, and runs no third-party scripts on this marketing site. Your audit reports are private, hosted on a separate subdomain blocked from search engines and AI crawlers, and delivered only to the email address you provide. This page is here so you do not have to take our word for it.

Effective date: 2026-04-26. Last updated: 2026-04-26. Related: Terms of Service.

Use of the Site and the audit Service is also governed by the Terms of Service. The two documents are intended to be read together; the Terms of Service control on non-privacy matters and incorporate this Privacy Policy by reference.

The short version

  • No cookies. Site Brace sets zero first-party or third-party cookies on the marketing site or on the audit-report subdomain.
  • No analytics. No Google Analytics, no Plausible, no Fathom, no server-side analytics. We do not count visits, sessions, or referrers.
  • No third-party scripts on the marketing site. No ad networks, no chat widgets, no embedded video, no marketing pixels, no fingerprinting.
  • One use of local storage, only to remember that you dismissed the on-site privacy notice. The flag never leaves your browser.
  • Your audit report is private. It lives on a separate subdomain (audit.sitebrace.com) that is blocked from search engines and AI crawlers via robots.txt, HTTP headers, and meta tags. The report URL is sent only to the email you provided on intake.
  • If you submit the intake form, the contact form, or email us, we have what you sent us. Nothing more. The sections below describe exactly where that data goes and for how long.

What we do not collect

Site Brace does not access, store, or use your IP address, browser, device, location, referrer, or any other identifier when you visit any page on sitebrace.com. We run no first-party analytics events. We make no third-party requests from this site: every script, style, font, and image loaded on a marketing page is served from the same domain.

Our hosting and content-delivery providers (described in Hosting below) may process IP addresses and request metadata at the network level for security, abuse prevention, and content delivery; that processing is governed by the providers' own privacy policies. Site Brace does not request, retrieve, or use those infrastructure logs for analytics.

Local storage

Our privacy notice (the bar that appears at the bottom of the screen on your first visit) needs to remember that you have dismissed it, so we do not show it again on every page. To do that we set a single key in your browser's local storage:

  • sitebrace-notice-dismissed-v1, value "1", set when you click "Got it".

Local storage is first-party and is never transmitted to any server, including ours. You can clear it any time via your browser's site-data controls. Clearing it will simply make the notice reappear on your next visit.

If you submit the intake form, the contact form, or email us

The intake form at /audit sends the fields you fill in (the website URL you want audited, the email address where you want the report delivered, optionally a list of specific pages you want scanned, and optionally a maximum page count) to our intake endpoint. From there, your submission triggers a Stripe payment session and, when payment clears, queues the audit job. The audit runs against your site, the resulting report is uploaded to private object storage (audit.sitebrace.com), and a link to the report is emailed to you. Your email is also stored in our customer-relationship-management system so you can request re-scans within the 12-month retention window.

The contact form at /contact sends your name, email, optional company, subject, and message to our intake endpoint, which records you as a contact in our customer-relationship-management system and emails the operator a notification. If you later submit an audit, the new audit record is associated with the existing contact automatically.

"Email us" links elsewhere on the site ([email protected]) open a standard email-client compose window, which transmits your email address to our inbox directly.

We use anything you send us solely to deliver the audit, reply to your inquiry, and (if you become a customer) to support re-scans within the retention window. We do not add you to a marketing list. We do not share, sell, or transfer your information to any third party beyond the service providers listed in the "Third parties" section below. If you ask us to delete your record and any associated data, we will. See Your rights for the process and timeline.

How long we keep your data

The retention periods below apply by default. You can request deletion at any time (see Your rights); a deletion request shortens the retention window for personal-data records to the timelines described there.

  • Intake data and customer-relationship-management record (your email address, the audited website URL, the audit slug, payment status): retained for the 12-month audit-access period so you can return to your report and run re-scans. Deleted within 30 business days of a deletion request, subject to the legal-records carve-out below.
  • Contact-form data (name, email, optional company, subject, message): retained while the relationship is active, indefinite by default; deleted within 30 business days of a deletion request.
  • Audit report and per-page scan results in private object storage at audit.sitebrace.com: 12 months from delivery, then automatically deleted. Re-scans and verification scans extend the access window only for those individual scan files; the original audit's 12-month clock stays fixed.
  • Email correspondence (intake confirmations, report-ready emails, support, ad-hoc threads): retained in our email-delivery provider's logs and in our mail provider's archive while the relationship is active, unless you request deletion. Deleted within 30 business days of a deletion request, subject to the legal-records carve-out.
  • Paid invoices and tax records: 7 years, retained by our payment processor and by Site Brace as required by United States and California tax and accounting law. We can remove your name and company from any draft, unpaid, or voided invoice on request, but cannot delete paid-invoice records during the retention period.
  • Local-storage notice-dismissed key (sitebrace-notice-dismissed-v1): set in your browser only; never transmitted to Site Brace or any third party. Persists until you clear browser site data.

Legal-records carve-out: Site Brace may retain certain records longer than the periods above where required by law (for example, tax and accounting records under United States and California law; records under legal hold or active dispute resolution). The carve-out is narrow and applies only to the specific records covered.

Under applicable data-protection law (including the European Union and United Kingdom General Data Protection Regulation, where it applies, and California's Consumer Privacy Act and California Privacy Rights Act), we rely on the following legal bases to process your personal data:

  • Performance of a contract: to provide the audit Service you have engaged us to perform (intake, payment, audit execution, report delivery, re-scans, support).
  • Legitimate interests: to respond to inbound inquiries, to operate and secure the Site and audit pipeline, to maintain audit-trail integrity, and to prevent abuse. These interests are balanced against your rights and freedoms; if you object, contact us at the address in Your rights.
  • Legal obligation: to retain tax, accounting, and dispute-resolution records, to respond to lawful requests from public authorities, and to comply with applicable law.
  • Consent: where you provide it explicitly (the act of submitting an intake or contact form covers your assent to processing for the purposes above; consent is not the legal basis on which we rely for performance-of-contract or legal-obligation purposes).

Audit report privacy

Your audit report is delivered to you as a link, not an attachment. The report itself is hosted on a separate subdomain (audit.sitebrace.com) configured to:

  • Block all major search-engine crawlers via robots.txt.
  • Block known artificial-intelligence training crawlers (including GPTBot, ChatGPT-User, CCBot, Google-Extended, anthropic-ai, ClaudeBot, PerplexityBot, FacebookBot, Bytespider, and Amazonbot) by user-agent in the same robots.txt.
  • Return the X-Robots-Tag: noindex, nofollow, noarchive, nosnippet, noimageindex HTTP header on every report URL.
  • Include the equivalent <meta name="robots"> tag inside every rendered report page.
  • Use cryptographically random URL paths (about 192 bits of entropy) so the URL cannot be guessed and other reports cannot be enumerated from yours.

The report URL is sent only to the email address you provided on intake. Treat the URL like a shared password: anyone with the link can view the report for the duration of the 12-month retention window. Avoid pasting the URL into public channels (a public Slack channel, a public GitHub issue, a forum post) where someone could harvest it.

Hosting

The marketing site you are reading is a static collection of HTML, CSS, JavaScript, and images served by Cloudflare Pages. The intake endpoint at api.sitebrace.com runs on Cloudflare Workers. The audit pipeline runs in GitHub Actions per dispatched job. Audit reports and per-page scan results are stored in Cloudflare R2 object storage and served from audit.sitebrace.com. Inbound mail to [email protected] and [email protected] is handled by Cloudflare Email Routing, which forwards messages to the operator's personal email address.

DNS for sitebrace.com is provided by Cloudflare (authoritative). Each of these providers may retain access logs (including IP addresses and request headers) at the infrastructure level for security and content delivery, governed by the provider's own privacy policy. Site Brace does not access, request, or retrieve any of these providers' infrastructure logs for analytics.

Third parties

When you submit the intake or contact form, your data flows through a short list of service providers we need to actually deliver the audit. The full list is grouped by what each provider handles.

Personal-data processors (handle your contact details and your payment information):

  • Cloudflare: runs our intake endpoint at api.sitebrace.com, hosts the marketing site at sitebrace.com via Cloudflare Pages, hosts your audit report at audit.sitebrace.com via Cloudflare R2, and forwards inbound mail to the operator via Cloudflare Email Routing.
  • HubSpot: customer-relationship-management system holding your contact record. Site Brace uses a HubSpot account separate from any other business operated by the same operator; your data is not co-mingled with other businesses.
  • Resend: email-delivery service for intake confirmations, report-ready emails, contact-form notifications, and re-scan notifications.
  • Brevo: email-delivery service used as a sending relay so the operator can reply from [email protected] or [email protected] when answering customer email.
  • Stripe: payment processor for the audit purchase. Site Brace never sees your card data.
  • GitHub: hosts the audit pipeline code and runs the per-audit job in GitHub Actions. Your audited website URL and the per-page scan results pass through the GitHub Actions runner during the audit.

Audit-engine components (do not directly receive your name, email, or other contact details):

  • axe-core: open-source accessibility-rule engine, vendored as a JavaScript file. Runs inside our headless browser; makes no network calls.
  • Playwright: open-source headless browser driver. Runs inside the GitHub Actions runner; makes no network calls beyond fetching the pages of your website that we audit.

Each external provider acts as a data processor under our instructions and is governed by its own privacy policy and our agreement with it. We do not share, sell, or transfer your information to any third party beyond this list. For links to each provider's current privacy statement, email [email protected].

Outside of that pipeline, this site uses no analytics, no advertisement networks, no chat widgets, no embedded video, no marketing pixels, and no fingerprinting. We use the system font stack rather than a third-party font service. We do not embed YouTube, Vimeo, X, Twitter, Calendly, Intercom, or any other widget. Outside of form submission, the only outbound network call you will make from any page on this site is to follow a link you click yourself.

Artificial-intelligence training crawlers

The marketing site (sitebrace.com) is intentionally indexable by search engines and by artificial-intelligence training crawlers. We want our content to be findable and citable. The audit-report subdomain (audit.sitebrace.com) takes the opposite posture and explicitly blocks all known AI crawlers; see Audit report privacy for the full list and the technical mechanisms.

Children

This site is intended for an adult business audience. We do not knowingly collect any information from anyone under the age of 18.

Automated decision-making

Site Brace does not perform automated decision-making with legal or similarly significant effects under the European Union General Data Protection Regulation Article 22. The audit pipeline runs an automated accessibility test on the URLs you submit and renders a report; that is the deliverable, not a decision about you. There is no scoring, ranking, or evaluation that affects whether your intake is accepted; intake is accepted whenever payment clears.

Your rights

If you have not contacted us or submitted the intake or contact form, we do not have any record of you: rights such as access, rectification, deletion, and portability have nothing to act on. If you have submitted an intake, a contact-form message, or emailed us, you can exercise those rights by writing to [email protected]. We will acknowledge within 5 business days and complete the action within 30 business days, across each of the systems involved: our customer-relationship-management system, the email-delivery service's message logs, the intake endpoint's operational storage, the audit-report storage, and our email threads. Invoices already paid are retained by our payment processor for the period required by tax law (generally 7 years); we can remove your name and company from any draft, unpaid, or voided invoice, but cannot delete paid-invoice records.

The rights listed above (access, rectification, deletion, portability, and objection to processing) are intended to satisfy applicable obligations under California law (the California Consumer Privacy Act and the California Privacy Rights Act) and European Union and United Kingdom law (the General Data Protection Regulation and the United Kingdom GDPR), where each applies. Residents of those jurisdictions have any additional rights granted by local law; we will honor any such rights on the same email-request mechanism. You also have the right to lodge a complaint with your local data-protection authority (in California, the California Privacy Protection Agency; in the European Union, your member-state supervisory authority; in the United Kingdom, the Information Commissioner's Office).

Changes to this policy

If we ever introduce analytics, cookies, or third-party scripts on the marketing site, we will update this page, change the "Last updated" date at the top, and re-show the privacy notice on your next visit. Material changes will be reflected before, not after, the change goes live.

Contact

Questions about this policy or about Site Brace's data practices generally should go to [email protected] or via the contact form.