Privacy Policy
Last updated: March 3, 2026
1. Introduction
bee2.io LLC ("we," "our," or "us") operates SCOUTb2, a browser extension and web service for website quality analysis. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our browser extension and website (collectively, the "Service").
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices described here, please do not use the Service.
2. Data We Collect
2.1 Account Data
When you create an account, we collect and store the following:
- Email address
- Subscription status (FREE or PRO) and subscription dates
- Billing customer and subscription IDs (assigned by our payment processor)
- Authentication token (internally generated, stored as a one-way hash)
- AI usage quota (credits used, limit, reset date)
- Last login timestamp
We do not store passwords. Authentication is managed by a third-party identity provider. You can sign in via a magic link or one-time passcode (OTP), or via OAuth (Google/GitHub). No password is required or stored by us.
2.2 Scan Data and Client-Side Processing
Single-page scans run entirely in your browser. Full scan results are stored locally in chrome.storage.local (on your computer). If you are signed in, aggregated scan metrics (URL, category scores, issue counts by severity, scan duration, and scan type) are reported to our servers for scan history and analytics. No page HTML, content, screenshots, or detailed issue descriptions are sent to our servers during scan reporting.
For multi-page scans (PRO tier), the extension uses Chrome's background service worker. Your computer must remain on during the scan. For PRO features such as scheduled scans and scan history, scan summaries and results may be temporarily stored on our servers for up to 90 days to enable email notifications and scan history access. Server-stored scan data is automatically purged after 90 days.
Scheduled scan data: Scheduled scan configuration (URL, frequency, notification preferences) is stored locally in the extension (chrome.storage.sync). Scan results are stored locally in the extension. Email notifications include only the scanned URL hostname, overall score, issue counts, and scan duration -- no page content or HTML. Transactional emails (scan notifications, subscription confirmations) are sent from [email protected] or [email protected].
2.3 Usage Analytics
We use Google Analytics 4 on our website (scoutb2.io) to understand how visitors use the site and to improve the service. Analytics cookies are enabled by default. You may opt out at any time by selecting "Essential Only" on our cookie banner. If you opt out, no Google Analytics tracking occurs.
When analytics consent is granted, Google Analytics may collect the following anonymized data:
- Pages visited: Which pages on scoutb2.io you view and how long you spend on them
- Clicks and interactions: Interactions with buttons, links, and other UI elements on our website
- Referral source: How you arrived at our website (e.g., search engine, direct link)
- Device type and browser: General device category (desktop/mobile) and browser type
- Geographic region: Approximate location based on IP address (country/city level)
Google Analytics data is anonymized and is not used to create advertising profiles. We do not enable Google advertising features or data sharing with Google for ad purposes. You can withdraw your analytics consent at any time by clearing your browser cookies and selecting "Essential Only" on the cookie banner. For more details on how Google processes data, see Google's Privacy Policy.
In addition to website analytics, we collect minimal internal analytics:
- Extension usage patterns: Aggregate counts of scans performed, features used (anonymized, no user identification)
- API request logs: IP address, user agent, endpoint, and method for security monitoring and abuse prevention (retained for 30 days, then automatically deleted)
- Error logs: Technical error messages for debugging (no personal information included)
- Performance metrics: Page load times, scan completion rates (aggregate data only)
2.4 Free Tools (scoutb2.io/tools)
Our free web-based tools (contrast checker, meta tag analyzer, heading checker, etc.) process all content entirely in your browser. No data you paste or enter into any free tool is collected, transmitted, or stored - not to our servers, not to any third party. The tools do not use cookies, localStorage, or any persistence mechanism. No account or sign-in is required.
2.5 What We Do Not Collect
- Page content: We do not permanently store the HTML, text, or images from pages you scan on our servers. When you use AI features, a truncated excerpt of page HTML (up to approximately 8,000 characters) is transmitted to our AI provider for analysis but is not retained after processing.
- Personal browsing history: We only see URLs you explicitly scan with our extension
- Form data: We do not capture any data you enter into web forms
- Passwords: We do not use or store passwords -- authentication is via a magic link or one-time passcode (OTP), or via OAuth
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom (UK), we process your personal data on the following legal bases under GDPR Article 6:
- Performance of a contract (Art. 6(1)(b)): Processing necessary to provide the Service to you, including account management, subscription billing, scan processing, and delivering scan results.
- Legitimate interests (Art. 6(1)(f)): Processing necessary for our legitimate interests, including security monitoring, fraud and abuse prevention, API request logging, and service improvement through anonymized analytics. We balance these interests against your rights and only process data that is proportionate to the purpose.
- Consent (Art. 6(1)(a)): Where you opt in to optional features such as email notifications for scan completions. You may withdraw consent at any time by disabling email notifications in your extension settings or by contacting us.
- Legitimate interests (Art. 6(1)(f)): Analytics cookies (Google Analytics) are enabled by default under our legitimate interest in understanding site usage and improving the service. You may opt out at any time via the cookie banner.
- Legal obligation (Art. 6(1)(c)): Processing necessary to comply with applicable laws, such as retaining billing records for tax compliance.
4. How We Use Your Information
- Provide, maintain, and improve the SCOUTb2 service
- Process your subscription and payments
- Send you browser notifications when multi-page scans complete (local, no data transmitted)
- Send you email notifications with scan score summaries (PRO, opt-in only)
- Respond to your support requests
- Analyze anonymized usage patterns to improve our extension
- Detect and prevent fraud, abuse, or unauthorized access
- Comply with legal obligations
5. AI Processing (PRO Users)
PRO subscribers receive AI-powered insights generated by our AI provider. When you use AI features:
- The page URL and a truncated excerpt of page HTML (up to approximately 8,000 characters) are sent to our server, which forwards the data to our AI provider for analysis. This HTML excerpt may include visible text, element attributes, and page structure.
- Our AI provider does not train on your data (per their commercial API terms). We do not retain the transmitted HTML after AI processing is complete.
- AI-generated insights are stored with your scan results
- PRO users can manage their saved scan history. FREE tier does not store scan history.
6. Email Notifications (PRO)
PRO users may opt in to email notifications to receive scan completion summaries. When enabled, the following data is sent to our email delivery provider to deliver the notification:
- Your email address
- The scanned page URL and hostname
- Overall score, issue counts (critical, high, total), pages scanned, and scan duration
No page content, HTML, or detailed scan data is included in email notifications. Browser notifications (scan completion alerts) are entirely local and do not transmit any data to our servers.
7. No Selling of Data
We do not sell, rent, lease, or trade your personal information to any third party for any purpose.
We do not share your data with data brokers, advertisers, or any entity for the purpose of targeted advertising or marketing by third parties. This applies to all users, regardless of tier. As defined under the California Consumer Privacy Act (CCPA) and other applicable laws, we have not sold personal information in the preceding 12 months and have no plans to do so.
8. Data Sharing and Third-Party Services
We share data only with the following trusted third-party service providers who act as data processors on our behalf. Each provider processes only the minimum data necessary for its function:
| Provider | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Identity provider | Authentication (sign-in, session management) | Email address, authentication tokens | Available on request |
| Paddle | Payment processing (Merchant of Record) | Email, billing and payment information | View policy |
| Anthropic, PBC (AI provider) | AI-powered scan analysis (PRO tier only) | Page URL, truncated page HTML excerpt (up to ~8KB), scan issue data; not retained by us after processing | Available on request |
| Resend, Inc. | Email delivery (PRO scan notifications, transactional emails) | Email address, scan score summaries | Available on request |
| Google LLC | Google Analytics 4 (website analytics) | Anonymized page visits, UI interactions (consent required) | View policy |
| Cloudflare, Inc. | Hosting (Workers, Pages), CDN, database (D1), caching (KV) | All server-side data (encrypted at rest and in transit) | Available on request |
For GDPR purposes, a complete list of named sub-processors and their privacy policies is available on request by contacting [email protected].
We may also disclose your information if required by law, court order, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
Data Processing Agreements (DPAs)
All sub-processors are bound by data processing agreements (DPAs) or standard contractual clauses (SCCs) that ensure GDPR-compliant data handling. These agreements include:
- Obligation to process data only on our documented instructions
- Appropriate technical and organizational security measures
- Restrictions on sub-processor engagement without our prior approval
- Data subject rights facilitation (access, deletion, portability)
- Data breach notification within 72 hours
- Data return or deletion upon termination of the agreement
9. Data Retention
We retain your data only as long as necessary for the purposes described in this policy:
- Account data: Retained until you delete your account. Upon account deletion, all personal data is purged immediately and a deletion audit record (anonymized, containing only a hashed identifier and timestamp) is retained for GDPR Article 17 compliance.
- Server-side scan results (PRO only): We store the scanned URL, category scores (overall, accessibility, performance, SEO, security), issue counts by severity (critical, high, medium, low), scan duration, and scan timestamp. We do not store page HTML, page content, screenshots, or detailed issue descriptions on our servers. This data is automatically deleted after 90 days.
- Local scan results: PRO users' reports are stored locally in chrome.storage.local (max 10 MB, last 100 reports). FREE tier does not persist scan history -- results are shown in the current session only. Local data remains on your device until you uninstall the extension or clear storage manually.
- API request logs: Retained for 30 days, then automatically deleted.
- Billing records: Retained for 7 years per applicable tax regulations.
- Anonymized analytics: Retained indefinitely (contains no personal information).
10. Your Privacy Rights
10.1 Rights Under GDPR (EEA/UK Users)
If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation:
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"). If you have an active PRO subscription, you must cancel it before account deletion can be processed. Upon cancellation and deletion request, we will delete your account and all associated data.
- Right to data portability (Art. 20): Request your data in a structured, commonly used, machine-readable format (JSON). PRO users can export scan history directly from the extension.
- Right to restrict processing (Art. 18): Request that we limit how we process your data in certain circumstances.
- Right to object (Art. 21): Object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7): Where processing is based on your consent (e.g., email notifications), you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.
- Automated decision-making (Art. 22): We do not make any decisions based solely on automated processing that produce legal effects or similarly significantly affect you. AI-generated scan insights are informational only and do not affect your account status, pricing, or access to features.
10.2 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
Categories of Personal Information Collected
| CCPA Category | Examples Collected | Business Purpose |
|---|---|---|
| Identifiers | Email address, authentication tokens, Paddle customer ID | Account management, billing |
| Commercial information | Subscription tier, billing dates, transaction history | Service delivery, billing |
| Internet or network activity | Scanned URLs, IP address (logs), user agent | Service delivery, security |
| Inferences | AI-generated scan insights (PRO) | Service delivery |
Your CCPA/CPRA Rights
- Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to delete: You may request deletion of your personal information, subject to certain exceptions (e.g., legal obligations).
- Right to opt-out of sale or sharing: We do not sell or share (as defined under CPRA) your personal information for cross-context behavioral advertising. No opt-out is necessary, but you may still contact us to confirm.
- Right to correct: You may request correction of inaccurate personal information we hold about you.
- Right to limit use of sensitive PI: We do not collect sensitive personal information as defined under CPRA.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive different pricing or quality of service for exercising these rights.
- Authorized agents: You may designate an authorized agent to submit requests on your behalf. We may require the agent to provide proof of written authorization and may verify your identity directly.
10.3 Exercising Your Rights
To exercise any of these rights, contact us at [email protected]. We will respond to verifiable requests within 30 days (GDPR) or 45 days (CCPA). We may need to verify your identity before processing your request.
You may also opt out of email notifications at any time by disabling them in the extension settings.
11. Security
We implement commercially reasonable technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- TLS encryption for all data in transit
- Encryption at rest for stored data
- API key hashing (SHA-256) -- API keys are hashed for secure lookup. During a limited migration period, a plaintext copy may also be stored to ensure backward compatibility; this will be removed once migration is complete.
- Refresh token hashing and rotation-based revocation
- Tier-based access controls and admin authorization
- HMAC-SHA256 webhook signature verification for payment events
- Infrastructure and identity providers that maintain SOC 2 Type II compliance (bee2.io LLC itself is not SOC 2 certified)
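Two of the measures listed above, hashed API-key lookup and HMAC-SHA256 webhook verification, are easy to get subtly wrong. The following is an added example written for this page; it is not SCOUTb2's code, and the `sb2_` key prefix, the `ts=...;h1=...` header layout, the five-minute tolerance window and the sample secret and payload are illustrative assumptions rather than the payment processor's documented format. It shows why a hash column is all the key lookup needs (so no plaintext copy has to be kept), and how a receiver checks a signed payment event with a timestamp bound and a constant-time comparison.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# ---------------------------------------------------------------------------
# 1. API keys: store only a SHA-256 hash and look the key up by that hash.
#    A fast hash is acceptable here because the keys are long random values
#    generated by the server, not user-chosen passwords; there is nothing for
#    an attacker to brute-force from the hash alone.
# ---------------------------------------------------------------------------

KEY_PREFIX = "sb2_"  # assumption for illustration; not SCOUTb2's real key format


def hash_api_key(api_key: str) -> str:
    """Hex SHA-256 of the key; this is the only value the database needs to keep."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


def issue_api_key(store: Dict[str, str], user_id: str) -> str:
    """Mint a 256-bit random key, persist only its hash, hand the plaintext back once."""
    api_key = KEY_PREFIX + secrets.token_urlsafe(32)
    store[hash_api_key(api_key)] = user_id
    return api_key


def lookup_api_key(store: Dict[str, str], presented: str) -> Optional[str]:
    """Resolve a presented key to its owner via the hash column; no plaintext copy needed."""
    return store.get(hash_api_key(presented))


# ---------------------------------------------------------------------------
# 2. Webhook signatures: HMAC-SHA256 over "<timestamp>:<raw body>", carried in a
#    header shaped like "ts=<unix seconds>;h1=<hex mac>". This layout is an
#    illustrative assumption; check the payment processor's documentation for
#    the exact header it sends.
# ---------------------------------------------------------------------------

WEBHOOK_TOLERANCE_SECONDS = 300  # reject deliveries whose timestamp is more than 5 min off


def _mac(secret: bytes, ts: int, body: bytes) -> str:
    return hmac.new(secret, f"{ts}:".encode("ascii") + body, hashlib.sha256).hexdigest()


def sign_webhook(secret: bytes, body: bytes, ts: int) -> str:
    """What the sender does: produce the signature header for a raw body."""
    return f"ts={ts};h1={_mac(secret, ts, body)}"


def verify_webhook(secret: bytes, body: bytes, header: str, now: Optional[int] = None) -> bool:
    """What the receiver does before trusting a payment event.

    `body` must be the raw request bytes as received; re-serialising parsed JSON
    would change whitespace or key order and break the MAC.
    """
    now = int(time.time()) if now is None else now
    try:
        fields = dict(part.split("=", 1) for part in header.split(";"))
        ts = int(fields["ts"])
        presented = fields["h1"]
    except (ValueError, KeyError):
        return False  # malformed header: treat as unsigned
    if abs(now - ts) > WEBHOOK_TOLERANCE_SECONDS:
        return False  # stale or future-dated: blocks replay of a captured delivery
    # Constant-time comparison so an attacker cannot learn the MAC byte by byte.
    return hmac.compare_digest(_mac(secret, ts, body), presented)


if __name__ == "__main__":
    # Constructed sample data, not a real secret or a real event.
    secret = b"whsec_constructed_example"
    body = b'{"event_type":"subscription.activated","data":{"id":"sub_123"}}'
    ts = 1_700_000_000
    header = sign_webhook(secret, body, ts)
    print("valid:", verify_webhook(secret, body, header, now=ts))
    print("tampered:", verify_webhook(secret, body + b" ", header, now=ts))
    print("replayed:", verify_webhook(secret, body, header, now=ts + 3600))
```

Because `lookup_api_key` only ever hashes the presented key and queries the hash column, the plaintext column mentioned in the migration caveat above is not needed for lookups; once the hash column is populated for every key, the plaintext copy can be dropped. On the webhook side, the two checks that most implementations skip are the timestamp window (without it a captured delivery can be replayed indefinitely) and `hmac.compare_digest` (a plain `==` leaks the comparison position through timing).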
While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to maintaining commercially reasonable safeguards and promptly addressing any vulnerabilities.
12. Data Breach Notification
In the event of a data breach that affects your personal data, we commit to:
- Notification to authorities: Notifying the relevant data protection supervisory authority within 72 hours of becoming aware of the breach, where required by GDPR (Article 33).
- Notification to affected users: Notifying affected users without undue delay when the breach is likely to result in a high risk to your rights and freedoms (GDPR Article 34). Notification will be sent via email and/or a prominent notice on our website.
- Details provided: The nature of the breach, the categories and approximate number of affected individuals, likely consequences, and the measures taken or proposed to address the breach and mitigate potential adverse effects.
- US state breach notification laws: We comply with applicable US state breach notification requirements (including but not limited to California Civil Code 1798.82, New York General Business Law 899-aa, and other state laws). Where required, we will notify affected residents and the relevant state attorney general within the timeframes mandated by applicable law.
13. Cookies and Local Storage
We use cookies that are strictly necessary for the operation of the Service. User preferences (such as theme/dark mode) are stored in browser localStorage, not cookies.
Cookie Inventory
| Cookie | Provider | Purpose | Type | Duration |
|---|---|---|---|---|
| __session | Identity provider | Authentication session (short-lived JWT) | Essential | Session (minutes) |
| __client_uat | Identity provider | Session freshness check | Essential | Persistent (days) |
| _cfuvid | CDN/security provider | Bot detection and rate limiting | Essential (security) | 30 minutes |
| __cf_bm | CDN/security provider | Bot management | Essential (security) | 30 minutes |
| _ga | Google Analytics | Distinguishes unique visitors (anonymized) | Analytics (opt-out available) | 2 years |
| _ga_* | Google Analytics | Maintains session state | Analytics (opt-out available) | 2 years |
Our payment processor (Paddle) may set additional cookies when its checkout script is loaded or during the checkout flow for fraud prevention purposes. These cookies are governed by Paddle's Privacy Policy.
Analytics cookies (Google Analytics _ga and _ga_*) are enabled by default to help us improve the service. If you select "Essential Only" on our cookie banner, analytics cookies are removed and no further data is sent to Google Analytics. You can change your preference at any time by clearing your browser cookies and revisiting the site. We do not use advertising or marketing cookies.
Essential cookies (authentication, security, bot protection) do not require consent under the ePrivacy Directive (Article 5(3) of Directive 2002/58/EC). Analytics cookies are not strictly necessary; they are enabled by default as described above, and you can decline them at any time via the cookie banner. You can manage or delete cookies through your browser settings at any time, though this may affect Service functionality (e.g., you may be signed out). To withdraw analytics consent, clear your browser cookies for scoutb2.io and select "Essential Only" on the cookie banner.
14. Do Not Track Signals
Our Service does not track users across third-party websites. We honor the intent of Do Not Track ("DNT") by providing an opt-out mechanism for analytics via our cookie banner. If you select "Essential Only," no Google Analytics tracking occurs. We do not engage in cross-site tracking or create advertising profiles.
15. International Data Transfers
SCOUTb2 is operated by bee2.io LLC from the United States. If you are located outside the United States, your data will be transferred to and processed in the United States.
For transfers of personal data from the EEA, UK, or Switzerland, we rely on the following legal mechanisms to ensure adequate protection:
- Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with our sub-processors to ensure data transferred outside the EEA receives equivalent protection.
- Data Processing Agreements: All sub-processors maintain appropriate data processing agreements that include GDPR-compliant safeguards.
- Infrastructure providers: Our primary infrastructure provider offers a global network with data localization options and maintains GDPR compliance, including the EU-U.S. Data Privacy Framework.
16. Browser Extension Permissions
The SCOUTb2 browser extension requires certain permissions to function. Here is what each permission is used for and why it is necessary:
Required Permissions
- activeTab: Allows the extension to access the currently active tab's content when you explicitly click the extension icon. This is used to analyze the page for accessibility and performance issues. We only scan pages you explicitly choose to scan.
- storage: Enables local storage of your scan results, settings, and account status on your device. Data is stored in chrome.storage.local (max 10 MB) and chrome.storage.sync. Single-page scan results are never stored on our servers.
- scripting: Allows the extension to inject scanning scripts into pages you choose to analyze. This is necessary to collect accessibility data, performance metrics, and other page information.
- tabs: Allows the extension to discover and access linked pages on a site for multi-page scanning (PRO tier) and to read the URL of the active tab for single-page scans. We do not track your general browsing activity.
- notifications: Enables browser notifications when multi-page scans complete (PRO tier). Notifications are entirely local and do not transmit data to our servers.
- alarms: Enables scheduled and recurring scans (PRO tier). Used to trigger in-browser scans at user-configured intervals (daily, weekly, or monthly). The alarm itself does not transmit page content.
- identity: Enables secure sign-in via Google or GitHub OAuth. Used only during the authentication flow you initiate. We receive only your email address and authentication token -- never your password.
Host Permissions
- All websites (http/https): The extension requests access to all websites so it can analyze any page you choose to scan. A lightweight content script is automatically loaded on all HTTP and HTTPS pages when they finish loading. This script listens for scan commands from the extension popup and does not collect, transmit, or modify any page data unless you explicitly initiate a scan. It also restores any previously enabled visual overlays (e.g., heatmap).
Website-to-Extension Communication
The scoutb2.io website can communicate with the installed extension to securely transfer your authentication credentials after sign-in. This communication is restricted to scoutb2.io only and is used solely for the login process. No browsing data flows from the extension to the website.
Session Cookies and Authentication
SCOUTb2 uses your existing browser session cookies to access pages during scans. We do not store, transmit, or access your login credentials. Authentication is handled entirely by your browser.
What We Do Not Do
- We do NOT track your browsing history outside of pages you explicitly scan
- We do NOT collect data from tabs you have not scanned
- We do NOT inject ads or tracking scripts into pages you visit
- We do NOT sell or share your browsing data with third parties
- We do NOT access pages in incognito/private browsing mode (unless you explicitly grant permission)
17. Children's Privacy
The Service is not directed at children under the age of 13 (or under 16 in certain EEA member states). We do not knowingly collect personal information from children under these ages.
If we become aware that we have inadvertently collected personal information from a child under the applicable age, we will take steps to delete that information as quickly as possible. If you believe we have collected information from a child, please contact us immediately at [email protected].
18. Audit Data Disclaimer
Audit results provided by SCOUTb2 are for informational and reference purposes only. They do not constitute a professional accessibility audit, legal assessment, compliance certification, or guarantee of conformance with any standard (including but not limited to WCAG, Section 508, ADA, or EN 301 549).
SCOUTb2 does not guarantee the accuracy, completeness, or reliability of any audit results. Automated scanning tools, including SCOUTb2, can identify certain types of issues but cannot detect all accessibility, performance, or security problems. Results may contain false positives or false negatives.
Users should not rely solely on SCOUTb2 results for legal compliance decisions. We strongly recommend engaging qualified professionals for comprehensive audits, particularly where legal or regulatory compliance is at stake.
AI-generated insights (PRO feature) are provided by third-party AI models and may contain inaccuracies. Always verify AI-generated recommendations before implementing changes.
19. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.
- Material changes: We will notify you of material changes via email to your registered email address and/or a prominent notice in the extension or on our website at least 30 days before the changes take effect.
- Minor changes: Non-material changes (e.g., formatting, clarifications) may be made without advance notice. The "Last updated" date at the top of this page will always reflect the most recent revision.
- Continued use: Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
20. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Privacy inquiries: [email protected]
- General support: [email protected]
Data Controller:
bee2.io LLC
United States
EU/EEA Representative (Art. 27 GDPR)
As bee2.io LLC is established outside the EU/EEA, we have not yet appointed a formal representative in the European Union under GDPR Article 27. Given the current scale of our operations, EEA/UK users may contact us directly at [email protected] for any data protection inquiries. We will appoint a formal EU representative and update this section if required by the scale of our data processing activities.
If you are located in the EEA or UK and are not satisfied with our response to your privacy concern, you have the right to lodge a complaint with your local data protection supervisory authority.