Privacy Policy
Last updated: February 2026
This policy explains how Ambit Labs Ltd (company number 16980164), trading as usability.cat ("we", "us", "our"), collects, uses, and protects your information. Ambit Labs Ltd is the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Information We Collect
Information you provide
- Account details: Email address and name when you sign up via GitHub OAuth or join the waitlist.
- URLs: The web addresses you submit for auditing.
- Payment information: Processed securely by Stripe. We do not store card details.
- Referral information: Referral codes you share or use when signing up.
- Feedback: Any feedback, bug reports, or feature requests you submit.
Information collected automatically
- Usage data: Pages visited, features used, scans run, paw ratings received, and lives balance changes.
- Device data: Browser type, operating system, screen resolution, and viewport size.
- Analytics data: Page views, feature usage, and conversion events via PostHog (self-hosted/EU instance). See Section 8 for details.
- Cookies: We use essential cookies for session management. See Section 8 for details on analytics cookies.
Information collected during scans
When you submit a URL for scanning, our system collects and processes:
- Page HTML, DOM structure, and metadata
- Desktop and mobile screenshots of the page
- Client-side JavaScript bundle content (for security analysis)
- HTTP response headers and SSL/TLS configuration
- Accessibility tree data
- Performance metrics
This data relates to the websites you submit, not to you personally, unless the submitted page contains personal data.
2. How We Use Your Data
We use your information to:
- Generate usability and security audit reports for the URLs you submit.
- Process payments for lives packs via Stripe.
- Manage your account, lives balance, and referral rewards.
- Send service-related communications (e.g., report completion, low-lives notifications, referral rewards).
- Improve our AI models, scoring accuracy, and service quality.
- Detect and prevent abuse of the service (rate limiting, referral fraud).
- Generate anonymised, aggregate analytics (e.g., "average score by framework").
- Display public leaderboards and hall of fame (only with your consent).
We do not sell your personal data to third parties.
Legal Basis for Processing (UK GDPR)
| Purpose | Legal Basis |
|---|---|
| Providing the service (scans, reports, account management) | Contract performance |
| Processing payments | Contract performance |
| Service-related emails (report ready, low lives) | Legitimate interest |
| Improving AI models and service quality | Legitimate interest |
| Abuse prevention and security | Legitimate interest |
| Analytics (PostHog) | Consent (via cookie preferences) |
| Marketing emails | Consent |
3. Data We Process During Audits
When you submit a URL, our system:
- Loads the page via automated crawling tools and captures screenshots.
- Analyses page structure, performance, accessibility, and usability patterns.
- For security scans: analyses HTTP headers, JavaScript bundles, SSL/TLS configuration, and authentication surfaces.
- Generates a report with scores, findings, and fix prompts.
Audit data (screenshots, page analysis, JavaScript bundle snapshots) is retained to deliver your reports and improve our service. We do not audit pages you have not submitted. We do not perform active exploitation or penetration testing.
4. Data Sharing & Sub-processors
We share data only when necessary to provide the service:
| Sub-processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Convex | Backend, database, real-time infrastructure | Account data, scan data, reports | US |
| Vercel | Frontend hosting, edge functions | Page requests, cookies | Global (CDN) |
| Stripe | Payment processing | Payment details, email | US/EU |
| Resend | Transactional email delivery | Email address, notification content | US |
| Anthropic (Claude) | AI analysis and report generation | Page content, screenshots (no personal data) | US |
| Firecrawl | Web page crawling | Submitted URLs, page content | US |
| Browserbase | Headless browser screenshots | Submitted URLs | US |
| GitHub | OAuth authentication | OAuth tokens, basic profile | US |
| PostHog | Product analytics | Usage events, anonymised device data | EU |
We do not share your data with advertisers or data brokers. We will also share data when required by law or to protect our legal rights.
5. International Transfers
Your data may be transferred to and processed in countries outside the United Kingdom, including the United States. Where data is transferred internationally, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the ICO
- Adequacy decisions where applicable
- Sub-processor compliance with equivalent data protection standards
6. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
- Audit reports: Retained indefinitely for your access unless you request deletion.
- Scan data (screenshots, HTML, JS bundles): Retained for the lifetime of the associated report.
- Payment records: Retained for 7 years as required by UK tax law.
- Usage analytics: Aggregated and anonymised data may be retained indefinitely for service improvement.
- Waitlist data: Retained until the waitlist is closed or you request removal.
7. Your Rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate information.
- Delete your account and associated data ("right to be forgotten").
- Export your data in a portable format (data portability).
- Object to processing based on legitimate interests.
- Restrict processing in certain circumstances.
- Withdraw consent for analytics or marketing at any time.
To exercise any of these rights, contact us at meow@usability.cat. We will respond within one month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data has been mishandled.
8. Cookies & Analytics
Essential Cookies
We use essential cookies for:
- Session management and authentication
- Referral code tracking (30-day expiry)
These cookies are necessary for the service to function and cannot be disabled.
Analytics (PostHog)
We use PostHog for product analytics to understand how the service is used and improve it. PostHog data is processed on EU servers. Analytics cookies are set only with your consent.
Analytics data collected includes page views, feature usage, and anonymised device information. We do not use analytics data to identify individual users for advertising purposes.
You can opt out of analytics at any time through your browser settings or by contacting us.
9. Children
usability.cat is not intended for users under 16. We do not knowingly collect data from children. If you believe a child under 16 has provided us with personal data, contact us and we will delete it.
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via the website or email. Continued use of the service constitutes acceptance of the updated policy.
11. Contact
Questions about your privacy? Reach us at meow@usability.cat.
Data Controller: Ambit Labs Ltd. Company number: 16980164. Registered in England and Wales.
Supervisory Authority: Information Commissioner's Office (ICO), ico.org.uk