Privacy
a14y — the spec, the CLI, and the Chrome extension — runs entirely on your machine. Nothing about the sites you audit, the URLs you enter, or the pages you fetch is transmitted to a14y-owned servers. There are no a14y servers.
What the tools do locally
Both the CLI
and the Chrome extension run the open
a14y scorecard against a URL you provide. The
only network traffic they generate is the HTTP request to fetch the page (or,
in site mode, the same-origin pages the crawler follows from
the entry URL). Those requests originate from your machine or your browser,
not from a14y infrastructure, and they behave exactly like any other
browser tab you open to the same site.
What the extension stores
The Chrome extension uses chrome.storage.local to remember the
last twenty audit runs — URL, scorecard version, timestamp, pass/fail
summary. That history is visible on the extension's report page and is
never sent anywhere. You can clear it at any time by removing the extension
from Chrome; uninstalling wipes chrome.storage.local.
What the CLI stores
The CLI writes its output to stdout (or to a file if you pass
--output). It does not write anywhere else. There is no
telemetry, no metrics endpoint, no analytics hook. You can verify this by
reading the source at
github.com/timothyjordan/a14y
.
No third parties
a14y has no third-party dependencies that phone home. No Google Analytics, no error-reporting SDKs, no A/B-testing frameworks, no feature flags. The site you're reading right now is a static site on GitHub Pages; the CLI and extension are installable packages you run yourself.
Contact
Questions, concerns, or security reports can go to timothy@timothyjordan.com.
Last updated: 2026-04-24.