Privacy policy

How ADAComply PDF collects, uses, protects, and returns or deletes personal information. This policy applies to adacomplypdf.com, agency-branded portals operated on ADAComply PDF infrastructure, and the ADAComply PDF API. Last updated May 22, 2026.

Who we are

ADAComply PDF is a service of Vora Studios LLC, a privately held U.S. company. For questions about this policy or about your data, write to [email protected].

What we collect

  • Account information: email address, hashed password (bcrypt), display name, organization name, and role within the organization.
  • Billing information: handled entirely by Stripe. We store your Stripe customer ID and receipt metadata; we never see or store your card number, CVV, or bank details.
  • Usage data: remediation jobs, credit balances, login timestamps, IP address of the last login, and basic analytics about which pages of our marketing site were viewed.
  • PDF files: source files you upload, public website PDFs you direct the Service to retrieve for auditing or remediation, and remediated outputs we return. Uploaded source files and remediated outputs are retained per your site's retention settings; public website PDFs remain hosted by the source website unless uploaded directly.
  • Support conversations: messages you send to our support, sales, partnership, or security addresses, along with any attachments you choose to include.
  • Helper bot questions: text you type into the in-app helper bot, your account role, and the page you were viewing when you asked. These are sent to our generative AI provider (Google's Gemini) for processing. We ask you not to enter PII into the helper bot.

How we use it

  • To operate the service: authenticate your sessions, run audits, remediate documents, bill your account.
  • To provide support: respond to tickets and diagnose issues.
  • To keep the service safe: detect abuse, investigate security incidents, comply with legal obligations.
  • To improve the service: aggregated, de-identified usage patterns inform roadmap decisions.

We do not sell personal information and we do not "share" personal information for cross-context behavioral advertising, as those terms are defined under California law. We disclose your data to subprocessors only to deliver the service to you; our current subprocessor list is on the security page.

AI-assisted helper

The product includes an optional in-app helper bot that answers questions about how to use ADAComply PDF. The helper bot is powered by Google's Gemini API. When you submit a question:

  • Your typed question, your account role (regular / site admin / user admin), and the URL path of the page you are viewing are sent to Google for processing. Query strings are stripped before transmission to avoid leaking search terms or filenames.
  • We do not include document content, document IDs, your email address, your name, or any other personal data in the prompt sent to Google.
  • ADAComply PDF's account on the Gemini API is on a paid tier, under which Google does not use prompts to train its models. Google's terms apply to that transmission and may change; we will update this page if our provider relationship changes materially.
  • Helper bot responses are generated by AI and may be wrong. The bot is a usability aid, not legal or compliance advice; do not rely on it for accessibility-compliance decisions.
  • Use of the helper bot is optional. Ignoring or closing the bot has no effect on your account.

We log helper bot interactions (the question, the response summary, account ID, timestamp) under our standard application logging, retained for the same window as our other authentication and security logs (12 months). Logs are accessible only to authorized ADAComply PDF personnel for debugging, abuse investigation, and quality improvement.

Legal bases (GDPR)

For customers subject to GDPR, our legal bases are: contract performance (operating the service for you), legitimate interests (security monitoring and service improvement), consent (optional marketing communications, if you opt in), and legal obligation (tax, accounting, and regulatory record-keeping). You can withdraw consent at any time where consent is the basis we rely on; withdrawal does not affect processing done before the withdrawal. Personal information is collected directly from you when you register, use the service, or contact support. We do not engage in automated decision-making that produces legal or similarly significant effects on you.

Cookies and tracking

We use first-party cookies that are strictly necessary for session authentication and CSRF protection; these run without a separate consent prompt because the service cannot operate without them. On the marketing site we may use Google Analytics 4 (gtag.js) to measure which pages are visited and where visitors arrive from, when a GA property is configured; analytics cookies are only set after you accept them via the cookie banner (for EU/EEA/UK visitors) or if your browser does not send a Do Not Track or Global Privacy Control signal (for U.S. visitors). GA4 does not store full visitor IP addresses. You can block analytics with a standard browser privacy extension; doing so does not affect your ability to use the product.

California and other U.S. residents with "do not sell or share" rights: you can opt out of any sharing for cross-context behavioral advertising by enabling the Global Privacy Control (GPC) signal in your browser, which we honor as a valid opt-out, or by emailing [email protected] with "Do Not Sell or Share" in the subject line. We do not currently engage in sale or cross-context behavioral sharing, and this mechanism remains available if that ever changes.

Retention

  • Account records are retained for the life of your account, plus up to 90 days after deletion to complete billing reconciliation.
  • Uploaded PDFs and remediated outputs are retained for as long as your account is active. Public website PDFs remain hosted by the source website unless uploaded directly. You can delete stored files at any time.
  • Audit results and job metadata are retained for as long as your account is active, then purged with the rest of your account data after closure.
  • Support conversations are retained for 3 years.
  • Security and authentication logs are retained for 12 months.
  • Encrypted backups age out within 30 days. Point-in-time database recovery covers the last 7 days.

Your rights

Regardless of where you are located, you can request:

  • A copy of the personal information we hold about you (access / data export)
  • Correction of inaccurate information
  • Deletion of your account and its associated data
  • Restriction of processing while a dispute is being resolved
  • Portability in a commonly-used, machine-readable format
  • To object to processing based on our legitimate interests, including direct marketing (GDPR right to object)
  • To withdraw consent at any time, where consent is the legal basis for processing
  • To be free from retaliation for exercising any of these rights (CCPA right to non-discrimination)

Email [email protected]. We respond to GDPR requests within one month (extendable by up to two additional months for complex requests, with notice) and to CCPA/CPRA requests within 45 days (extendable by 45 additional days with notice). You may authorize an agent to submit a request on your behalf; we will ask for reasonable proof of authority. If you disagree with our decision on a CCPA/CPRA request, you may appeal by replying to our response email; we will confirm receipt and issue a decision within 60 days. If you believe we have handled your data improperly, residents of the EU/EEA may complain to their national data protection authority; UK residents may complain to the Information Commissioner's Office; California residents may contact the California Privacy Protection Agency or the California Attorney General.

International transfers

Our servers are in the United States. If you access ADAComply PDF from outside the U.S., your data will be transferred to and processed in the U.S. For EU/EEA data, we rely on Standard Contractual Clauses where required.

Children

ADAComply PDF is a business tool intended for adult users. We do not knowingly collect personal information from children under 13 (or, for users in the EU/EEA and the UK, under 16, or the applicable age set by the relevant member state). Accounts may only be created by individuals who are at least 18 years old or the age of majority in their jurisdiction. If you believe a child has provided personal information to us, email [email protected] and we will delete it.

Changes to this policy

We will post material changes to this page and update the "last updated" date at the top. Significant changes will be announced by email to active account holders at least 14 days before taking effect.

Contact

Privacy questions: [email protected]. Security reporting: [email protected].

Postal contact:
Vora Studios LLC, Attn: Privacy, for a current mailing address email [email protected] and we will respond within two business days.

See also our Terms of Service.