Frequently asked questions

The questions we get asked most often, answered without marketing-speak.

Is this a substitute for a real WCAG / GDPR audit?

No. Automated scanners like ours catch a meaningful portion of issues — for accessibility, roughly 50–60% of WCAG violations. Privacy and tracker scans are similarly limited to what an automated tool can see from outside. Use auditly for continuous monitoring and a structured punch list, then bring in human auditors and legal counsel for formal certification or any high-stakes regulatory work.

Why does the badge say "Verified" instead of "Compliant"?

Because that's the truth. We can verify that a domain is monitored and that scans are passing today. We can't certify legal compliance — no automated tool can. Vendors that put "Compliant" on a badge are setting themselves and their customers up for legal exposure.

How accurate is the LLM-graded privacy policy scan?

We don't ask the LLM whether a policy is "compliant." We ask 14 structured yes/no questions tied to specific GDPR / CCPA / COPPA citations, each requiring an evidence quote when the answer is yes. This makes the scoring deterministic and reviewable. That said, the LLM can still miss nuance, especially for unusual policy structures — treat the rubric output as a strong signal that flags items for human review, not a verdict.
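One way to enforce the evidence-quote rule on the model's output, shown as an added example (not auditly's code). The rubric ids, JSON field names, sample policy, and the verbatim-match check are all assumptions made for illustration.

```python
import json
import re

# Hypothetical rubric ids; the page mentions 14 questions but does not list them.
RUBRIC_IDS = ["gdpr_art13_controller_identity", "ccpa_right_to_delete",
              "coppa_parental_consent"]

# Constructed sample policy text and constructed model output.
SAMPLE_POLICY = ("Example Corp, 1 Sample Street, is the controller of your personal data.\n"
                 "You may ask us to delete your\npersonal information at any time "
                 "by emailing privacy@example.com.")
SAMPLE_OUTPUT = json.dumps([
    {"id": "gdpr_art13_controller_identity", "answer": "yes",
     "evidence": "Example Corp, 1 Sample Street, is the controller of your personal data."},
    {"id": "ccpa_right_to_delete", "answer": "yes",
     "evidence": "We delete all personal information within 30 days of a request."},
    {"id": "coppa_parental_consent", "answer": "partially"},
])

def _norm(text):
    """Collapse whitespace and case so line wraps in the policy do not break matching."""
    return re.sub(r"\s+", " ", text).strip().lower()

def validate_answers(raw_llm_json, policy_text, rubric_ids=RUBRIC_IDS):
    """Return (score, findings). A 'yes' scores only if its quote occurs in the policy."""
    try:
        answers = {a["id"]: a for a in json.loads(raw_llm_json)}
    except (ValueError, KeyError, TypeError):
        return 0, [("*", "unparseable model output")]
    policy = _norm(policy_text)  # the policy is untrusted input; only its text is evidence
    score, findings = 0, []
    for rid in rubric_ids:
        item = answers.get(rid)
        if item is None or item.get("answer") not in ("yes", "no"):
            findings.append((rid, "missing or non yes/no answer"))
            continue
        if item["answer"] == "no":
            continue
        quote = _norm(str(item.get("evidence") or ""))
        if len(quote) < 20:  # assumed minimum length, to reject trivially short quotes
            findings.append((rid, "yes without usable evidence quote"))
        elif quote not in policy:
            findings.append((rid, "evidence quote not found in policy text"))
        else:
            score += 1
    return score, findings
```

Findings are the items to route to human review; a "yes" whose quote cannot be located in the scanned text never contributes to the score.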

What languages does the privacy-policy scanner support?

Policy discovery currently matches link text in 8 languages: English, German, French, Spanish, Italian, Portuguese, Dutch, and Japanese. URL-path probing covers an additional handful of conventions. The text grading itself is language-agnostic — modern LLMs grade German policies as fluently as English ones.

Can I integrate this with CI/CD?

A GitHub Action is on the near-term roadmap. The API is already designed for it — your CI script can POST to /api/v1/scans, poll the resulting scan ID, and fail the build on regressions. Authenticate with a per-account API key from your settings page.

Do you scan single-page applications (SPAs) correctly?

Yes. We use Playwright with networkidle waits, so JavaScript-rendered content is fully loaded before scans run. The accessibility scan operates on the live DOM, the cookie scan reads cookies after JS settles, and the tracker scan listens to the entire request lifecycle.

How is this different from running axe DevTools myself?

axe DevTools is excellent — it's the same engine we use. The differences: continuous scanning instead of point-in-time, multi-domain dashboards, three additional pillars (cookies, trackers, privacy) bundled, the public verification badge, an API and MCP server for automation, and credit-based pricing rather than enterprise licensing.

What about authenticated pages?

Currently we scan public pages only. Authenticated scans (where the scanner logs in with stored credentials) are on the roadmap. If you need this now, contact us and we'll prioritize.

How do credits work?

Each pillar scan on a single domain costs 1 credit. A 4-pillar scan on one domain is 4 credits. Failed pillars are automatically refunded. Free plan: 25 credits/month. Pro: 100/$20. Business: 250/$35. Enterprise: 500/$70. Credits don't roll over month to month.

Where are your tracker classifications sourced?

A curated dictionary that's seeded with the most common trackers. The full production sync target is DuckDuckGo's Tracker Radar (Apache 2.0 — commercially safe). We don't use Disconnect's services.json because its CC BY-NC-SA license is not commercial-safe.

Can I export scan results?

Every scan result is a JSON document. The dashboard shows a summarized view; the full result is downloadable from the scan detail page or via the API.

What happens to my data if I cancel?

Account data is soft-deleted for 30 days (so you can recover if you change your mind), then hard-deleted. Scan results are deleted with the corresponding domain. You can also explicitly delete data on demand at any time.

Question we missed? Drop us a note.