Privacy policy
Site Brace uses cookieless privacy-preserving analytics on this marketing site (Plausible; no IP retention), sets no tracking cookies, and runs no advertising or fingerprinting scripts. Your audit reports are private, hosted on a separate subdomain blocked from search engines and AI crawlers, and delivered only to the email address you provide. This page is here so you do not have to take our word for it.
Effective date: 2026-04-26. Last updated: 2026-06-10. Related: Terms of Service.
Use of the Site and the audit Service is also governed by the Terms of Service. The two documents are intended to be read together; the Terms of Service control on non-privacy matters and incorporate this Privacy Policy by reference.
The short version
- No tracking cookies. Site Brace sets zero first-party or third-party tracking cookies on the marketing site or on the audit-report subdomain.
- Cookieless aggregate analytics on the marketing site only. We use Plausible to count aggregate pageviews and a small number of named conversion events on sitebrace.com (for example, /audit clicks, /contact submissions, /compare and /watch page views). Plausible does not set cookies, does not retain Internet Protocol (IP) addresses, does not enable cross-site or cross-device tracking, and does not share data with advertising networks. No Google Analytics, no Fathom, no behavioral profiling. The intake API (api.sitebrace.com) and the audit-report subdomain (audit.sitebrace.com) are not instrumented with Plausible.
- No advertising or fingerprinting scripts. The only third-party script that loads on the marketing site is the Plausible analytics beacon (above). No ad networks, no chat widgets, no embedded video, no marketing pixels, no fingerprinting libraries.
- One use of local storage, only to remember that you dismissed the on-site privacy notice. The flag never leaves your browser.
- Your audit report is private. It lives on a separate subdomain (audit.sitebrace.com) that is blocked from search engines and AI crawlers via robots.txt and a noindex robots meta tag, and is not linked from anywhere on the site. The report URL is sent only to the email you provided on intake.
- If you submit the intake form, the contact form, or email us, we have what you sent us. Nothing more. The sections below describe exactly where that data goes and for how long.
What we do not collect
Site Brace does not retain your Internet Protocol (IP) address, does not set tracking cookies, and does not profile or fingerprint visitors. The public marketing site loads Plausible for cookieless aggregate analytics (see Third parties below); Plausible derives country-level geographic detail from a daily-rotating hash and does not retain the IP address itself. We make no requests to advertising networks, behavioral-profiling services, or fingerprinting libraries. Outside of the Plausible beacon, every script, style, font, and image loaded on a marketing page is served from the same domain.
Our hosting and content-delivery providers (described in Hosting below) may process IP addresses and request metadata at the network level for security, abuse prevention, and content delivery; that processing is governed by the providers' own privacy policies. Site Brace does not request, retrieve, or use those infrastructure logs for analytics.
Local storage
Our privacy notice (the bar that appears at the bottom of the screen on your first visit) needs to remember that you have dismissed it, so we do not show it again on every page. To do that we set a single key in your browser's local storage:
sitebrace-notice-dismissed-v1, value "1", set when you click "Got it".
Local storage is first-party and is never transmitted to any server, including ours. You can clear it any time via your browser's site-data controls. Clearing it will simply make the notice reappear on your next visit.
If you submit the intake form, the contact form, or email us
The intake form at /audit sends the fields you fill in (the website URL you want audited, the email address where you want the report delivered, optionally a list of specific pages you want scanned, and optionally a maximum page count) to our intake endpoint. From there, your submission triggers a Stripe payment session and, when payment clears, queues the audit job. The audit runs against your site, the resulting report is uploaded to private object storage (audit.sitebrace.com), and a link to the report is emailed to you. Your email is also stored in our customer-relationship-management system so you can request re-scans within the 12-month retention window.
The contact form at /contact sends your name, email, optional company, subject, and message to our intake endpoint, which records you as a contact in our customer-relationship-management system and emails the operator a notification. If you later submit an audit, the new audit record is associated with the existing contact automatically.
"Email us" links elsewhere on the site (hello@sitebrace.com) open a standard email-client compose window, which transmits your email address to our inbox directly. The contact form is the preferred channel for most inquiries.
We use anything you send us solely to deliver the audit, reply to your inquiry, and (if you become a customer) to support re-scans within the retention window. We do not add you to a marketing list. We do not share, sell, or transfer your information to any third party beyond the service providers listed in the "Third parties" section below. If you ask us to delete your record and any associated data, we will. See Your rights for the process and timeline.
How long we keep your data
The retention periods below apply by default. You can request deletion at any time (see Your rights); a deletion request shortens the retention window for personal-data records to the timelines described there.
- Intake data and customer-relationship-management record (your email address, the audited website URL, the audit slug, payment status): retained for the 12-month audit-access period so you can return to your report and run re-scans. Deleted within 30 business days of a deletion request, subject to the legal-records carve-out below.
- Contact-form data (name, email, optional company, subject, message): retained while the relationship is active, indefinite by default; deleted within 30 business days of a deletion request.
- Audit report and per-page scan results in private object storage at audit.sitebrace.com: 12 months from delivery, then automatically deleted. Re-scans and verification scans extend the access window only for those individual scan files; the original audit's 12-month clock stays fixed.
- Email correspondence (intake confirmations, report-ready emails, support, ad-hoc threads): retained in our email-delivery provider's logs and in our mail provider's archive while the relationship is active, unless you request deletion. Deleted within 30 business days of a deletion request, subject to the legal-records carve-out.
- Paid invoices and tax records: 7 years, retained by our payment processor and by Site Brace as required by United States and California tax and accounting law. We can remove your name and company from any draft, unpaid, or voided invoice on request, but cannot delete paid-invoice records during the retention period.
- Local-storage notice-dismissed key (sitebrace-notice-dismissed-v1): set in your browser only; never transmitted to Site Brace or any third party. Persists until you clear browser site data.
Legal-records carve-out: Site Brace may retain certain records longer than the periods above where required by law (for example, tax and accounting records under United States and California law; records under legal hold or active dispute resolution). The carve-out is narrow and applies only to the specific records covered.
Why we are allowed to process your data
Under applicable data-protection law (including the European Union and United Kingdom General Data Protection Regulation, where it applies, and California's Consumer Privacy Act and California Privacy Rights Act), we rely on the following legal bases to process your personal data:
- Performance of a contract: to provide the audit Service you have engaged us to perform (intake, payment, audit execution, report delivery, re-scans, support).
- Legitimate interests: to respond to inbound inquiries, to operate and secure the Site and audit pipeline, to maintain audit-trail integrity, and to prevent abuse. These interests are balanced against your rights and freedoms; if you object, contact us at the address in Your rights.
- Legal obligation: to retain tax, accounting, and dispute-resolution records, to respond to lawful requests from public authorities, and to comply with applicable law.
- Consent: where you provide it explicitly (the act of submitting an intake or contact form covers your assent to processing for the purposes above; consent is not the legal basis on which we rely for performance-of-contract or legal-obligation purposes).
Audit report privacy
Your audit report is delivered to you as a link, not an attachment. The report itself is hosted on a separate subdomain (audit.sitebrace.com) configured to:
- Block all major search-engine crawlers via robots.txt.
- Block known artificial-intelligence training crawlers (including GPTBot, ChatGPT-User, CCBot, Google-Extended, anthropic-ai, ClaudeBot, PerplexityBot, FacebookBot, Bytespider, and Amazonbot) by user-agent in the same robots.txt.
- Include the equivalent <meta name="robots"> tag inside every rendered report page.
- Use cryptographically random URL paths (about 192 bits of entropy) so the URL cannot be guessed and other reports cannot be enumerated from yours.
The report URL is sent only to the email address you provided on intake. Treat the URL like a shared password: anyone with the link can view the report for the duration of the 12-month retention window. Avoid pasting the URL into public channels (a public Slack channel, a public GitHub issue, a forum post) where someone could harvest it.
Hosting
The marketing site you are reading is a static collection of HTML, CSS, JavaScript, and images served by Cloudflare Pages. The intake endpoint at api.sitebrace.com runs on Cloudflare Workers. The audit pipeline runs in GitHub Actions per dispatched job. Audit reports and per-page scan results are stored in Cloudflare R2 object storage and served from audit.sitebrace.com. Inbound mail to hello@sitebrace.com is delivered to a mailbox hosted by Migadu, our email-hosting provider for the sitebrace.com domain.
DNS for sitebrace.com is provided by Cloudflare (authoritative). Each of these providers may retain access logs (including IP addresses and request headers) at the infrastructure level for security and content delivery, governed by the provider's own privacy policy. Site Brace does not access, request, or retrieve any of these providers' infrastructure logs for analytics.
Third parties
When you submit the intake or contact form, your data flows through a short list of service providers we need to actually deliver the audit. The full list is grouped by what each provider handles.
Personal-data processors (handle your contact details and your payment information):
- Cloudflare: runs our intake endpoint at api.sitebrace.com, hosts the marketing site at sitebrace.com via Cloudflare Pages, hosts your audit report at audit.sitebrace.com via Cloudflare R2, and provides authoritative DNS for the domain.
- HubSpot: customer-relationship-management system holding your contact record. Site Brace uses a HubSpot account separate from any other business operated by the same operator; your data is not co-mingled with other businesses.
- Resend: email-delivery service for intake confirmations, report-ready emails, contact-form notifications, and re-scan notifications.
- Migadu: email-hosting provider for the sitebrace.com domain; it receives inbound customer mail and is where the operator reads and replies from hello@sitebrace.com when answering customer email.
- Stripe: payment processor for the audit purchase. Site Brace never sees your card data.
- GitHub: hosts the audit pipeline code and runs the per-audit job in GitHub Actions. Your audited website URL and the per-page scan results pass through the GitHub Actions runner during the audit.
Audit-engine components (do not directly receive your name, email, or other contact details):
- axe-core: open-source accessibility-rule engine, vendored as a JavaScript file. Runs inside our headless browser; makes no network calls.
- Playwright: open-source headless browser driver. Runs inside the GitHub Actions runner; makes no network calls beyond fetching the pages of your website that we audit.
Marketing-site analytics (touches only the public marketing site at sitebrace.com; never the intake API, the audit pipeline, or audit-report content):
- Plausible: aggregate website analytics on the public marketing site only (cookieless; no Internet Protocol address retention; country-level geographic detail derived from a daily-rotating hash; no audit-report content; no audited URL; no contact details). Plausible Insights OÜ is incorporated in Estonia and processes data on infrastructure operated by European companies within the European Union. Privacy and data processing addendum at plausible.io/data-policy and plausible.io/dpa.
Each external provider acts as a data processor under our instructions and is governed by its own privacy policy and our agreement with it. We do not share, sell, or transfer your information to any third party beyond this list. For links to each provider's current privacy statement, use the contact form or email hello@sitebrace.com.
Outside of that pipeline and the cookieless Plausible analytics beacon on the public marketing site, this site uses no advertising networks, chat widgets, embedded video, marketing pixels, or fingerprinting libraries. We use the system font stack rather than a third-party font service. We do not embed YouTube, Vimeo, X, Twitter, Calendly, Intercom, or any other widget. Outside of form submission and the Plausible beacon, the only outbound network call you will make from any page on this site is to follow a link you click yourself.
Artificial-intelligence training crawlers
The marketing site (sitebrace.com) is intentionally indexable by search engines and available for AI answer engines to cite. It sends a Content-Signal: search=yes, ai-input=yes, ai-train=no response header, which asks crawlers to index and cite our content but not to use it for model training. The audit-report subdomain (audit.sitebrace.com) takes the opposite posture and blocks all crawlers, including the named AI crawlers, via robots.txt; see Audit report privacy for the details.
Children
This site is intended for an adult business audience. We do not knowingly collect any information from anyone under the age of 18.
Automated decision-making
Site Brace does not perform automated decision-making with legal or similarly significant effects under the European Union General Data Protection Regulation Article 22. The audit pipeline runs an automated accessibility test on the URLs you submit and renders a report; that is the deliverable, not a decision about you. There is no scoring, ranking, or evaluation that affects whether your intake is accepted; intake is accepted whenever payment clears.
Your rights
If you have not contacted us or submitted the intake or contact form, we do not have any record of you: rights such as access, rectification, deletion, and portability have nothing to act on. If you have submitted an intake, a contact-form message, or emailed us, you can exercise those rights by using the contact form or by writing to hello@sitebrace.com. We will acknowledge within 5 business days and complete the action within 30 business days, across each of the systems involved: our customer-relationship-management system, the email-delivery service's message logs, the intake endpoint's operational storage, the audit-report storage, and our email threads. Invoices already paid are retained by our payment processor for the period required by tax law (generally 7 years); we can remove your name and company from any draft, unpaid, or voided invoice, but cannot delete paid-invoice records.
The rights listed above (access, rectification, deletion, portability, and objection to processing) are intended to satisfy applicable obligations under California law (the California Consumer Privacy Act and the California Privacy Rights Act) and European Union and United Kingdom law (the General Data Protection Regulation and the United Kingdom GDPR), where each applies. Residents of those jurisdictions have any additional rights granted by local law; we will honor any such rights on the same email-request mechanism. You also have the right to lodge a complaint with your local data-protection authority (in California, the California Privacy Protection Agency; in the European Union, your member-state supervisory authority; in the United Kingdom, the Information Commissioner's Office).
Changes to this policy
If we materially change how we process personal information on this site - for example, by introducing tracking cookies, behavioral profiling, an advertising network, or a new service provider that processes personal data - we will update this page, change the "Last updated" date at the top, and re-show the privacy notice on your next visit. Material changes will be reflected before, not after, the change goes live.
Contact
Questions about this policy or about Site Brace's data practices generally should go to the contact form or to hello@sitebrace.com.