Privacy Policy
Effective date: April 10, 2026
This Privacy Policy describes how VPAT Score ("we," "us," or "our") collects, uses, stores, and protects information when you use our service at vpatscore.com (the "Service"). By using the Service, you agree to the practices described in this policy.
1. Information We Collect
| Data | Why We Collect It |
|---|---|
| Name and email address | Account creation, authentication, and transactional emails (verification, password reset) |
| Password (hashed, never stored in plain text) | Account authentication |
| VPAT conformance data (criterion codes, conformance values, vendor remarks extracted from uploaded documents) | Powering your review history, scoring, and analysis features |
| Review metadata (vendor name, annual cost, user counts, review date) | Organizing and displaying your review history |
| Impact setting overrides | Personalizing scoring to your institution's priorities |
| Date and time of Terms acceptance | Legal compliance record |
| Security event logs (event type, IP address, timestamp) | Detecting unauthorized access, investigating security incidents, and maintaining an audit trail for account activity such as logins, password changes, and account deletion |
We do not store uploaded files. Documents are processed in memory and discarded immediately after the conformance data is extracted.
2. Information We Do Not Collect
- Device identifiers or advertising IDs
- The full text or binary content of uploaded documents
- Data from third-party sources
3. How We Use Your Information
We use the information we collect solely to:
- Provide, operate, and improve the Service
- Authenticate your account and maintain session security
- Send transactional emails you request (email verification, password reset)
- Respond to support inquiries
- Comply with legal obligations
We do not sell, rent, or share your personal information with third parties for marketing purposes.
4. Third-Party Services
We use a limited number of third-party services to operate the platform:
- Google Analytics - we use Google Analytics to understand how visitors use the site (pages visited, session duration, traffic sources). Google may set cookies and collect your IP address and browser characteristics. See Google's Privacy Policy. You can opt out via the Google Analytics Opt-out Browser Add-on.
- Stripe - payment processing for paid subscriptions. Stripe collects and processes payment card information directly. We do not store your card number. See Stripe's Privacy Policy.
- Cloudflare Turnstile - bot detection on the registration form. Cloudflare may process your IP address and browser characteristics to determine whether you are human. See Cloudflare's Privacy Policy.
- A2 Hosting - server and email infrastructure. Your data is stored on servers operated by A2 Hosting in the United States.
We do not use Facebook Pixel or any advertising technology.
5. Data Retention
We retain your data for as long as your account is active. If you delete your account, all associated data — including your profile, reviews, vendors, and settings — is permanently and immediately deleted from our database. We do not retain backups of deleted account data beyond our standard backup rotation cycle (typically 30 days).
6. Security
We implement reasonable technical and organizational measures to protect your data, including:
- Passwords stored using industry-standard hashing (Werkzeug/PBKDF2)
- HTTPS encryption for all data in transit
- Email verification required before account activation
- Parameterized database queries to prevent SQL injection
- CSRF tokens on all forms to prevent cross-site request forgery
- Authenticated sessions expire after 2 hours of inactivity
- Sessions are immediately invalidated when a password is changed or reset
- Account lockout after repeated failed login attempts
- Audit logging of security-relevant events (logins, password changes, account deletion) with IP address and timestamp
No system is perfectly secure. We cannot guarantee that unauthorized parties will never circumvent our security measures. If you become aware of a security issue, please use our contact form.
7. Your Rights
You have the right to:
- Access - view all data associated with your account through the History and Settings pages
- Correction - update your name and email address through your Profile page
- Deletion - permanently delete your account and all associated data at any time through your Profile page
- Portability - contact us to request an export of your data
If you are located in the European Economic Area, you may have additional rights under the General Data Protection Regulation (GDPR). If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA). To exercise any of these rights, use our contact form.
8. Children's Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the effective date and, where appropriate, by sending an email to the address on your account. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.
10. Contact
If you have questions or concerns about this Privacy Policy or how we handle your data, please use our contact form.