policy last updated 2026-06-04

Privacy

We collect a small amount of anonymous usage data, on by default, to help us improve a14y. We never collect personally identifiable information, the URLs you audit, or the content of any page you visit with the extension or CLI. You can turn telemetry off on every surface, and the controls are listed below.

What we collect

All telemetry goes to a single Google Analytics 4 property, anonymized, with Google Signals and ad personalization disabled. We never set or send a user identifier; CLI and extension events are tied to a random UUID generated locally on first run.

On a14y.dev

Standard GA4 web measurement: page views, referrers, approximate region (IP is anonymized at ingest), and clicks to outbound destinations grouped into a fixed enum (github / npm / chrome_web_store / other). GA4 sets a _ga cookie. The site honors your browser’s Do Not Track header. If it’s set, no GA script is loaded. You can also opt out for this site explicitly with the toggle below. That flips a flag in localStorage and the GA script stops loading on every subsequent visit.

Each CLI invocation and each browser-extension audit also generates a random per-run id (run_id) that is attached to every event from that run. It exists only to group events from the same audit together for analytics and is not retained anywhere on your machine.

From the CLI

The CLI sends an event for each of:

cli_command_invoked: the command name (check / scorecards), output format, mode, scorecard version, and run_id.
cli_run_completed: bucketed score (e.g. 76-100), bucketed page count, bucketed run duration, bucketed counts of failed, warned, and errored checks, and run_id. No URL.
cli_error: the error class name (no message, no stack trace), the phase it happened in, and run_id.
scorecard_check_result: one event per scorecard check that ran. Carries the stable check id (e.g. html.canonical-link), the resulting status (pass / fail / warn / error / na), the scorecard version, the surface (cli), and run_id. For checks that run on every crawled page, also includes aggregate failed_pages and total_pages counts. No URL, no per-page outcomes.

From the Chrome extension

The extension sends an event for each of:

ext_installed: whether the install was a fresh install or an update.
ext_audit_started: mode (page / site), scorecard version, and run_id. No URL.
ext_audit_completed: bucketed score, bucketed page count, bucketed duration, and run_id. No URL.
ext_audit_error: error class name, phase, and run_id.
ext_settings_changed: the name of the setting that changed (e.g. maxPages). No values. We deliberately do not track changes to the telemetry toggle itself.
scorecard_check_result: same shape as the CLI version, with surface set to ext.

What we don’t collect

The URLs you audit, or any part of them.
The content of any page the CLI or extension fetches.
Per-page check outcomes (page-level checks are rolled up into a single status per check id, plus aggregate counts).
Your real IP address (anonymized at ingest by GA4).
Any user-agent string detail beyond OS family.
Names, email addresses, or anything that could tie events to a real person.
Stack traces, error messages, or any free-text content from errors.

How to opt out

Website

Set your browser’s Do Not Track header (every browser supports this in privacy settings). We honor it and never load the GA script. Or use the in-page toggle below; it persists in localStorage on this site only.

For a system-wide opt-out, install Google’s Google Analytics opt-out browser add-on.

CLI

Any of the following disables CLI telemetry. The first match wins:

Pass --no-telemetry to a single command.
Set the env var A14Y_TELEMETRY=0.
Set "telemetryEnabled": false in ~/.a14y/config.json (the CLI creates this file on first run).
Set DO_NOT_TRACK=1 or run with CI=true. Both auto-disable.

Chrome extension

Open the extension’s Options page (right-click the action icon, then Options) and toggle off Send anonymous usage data. Or click Turn off on the popup banner the first time you open the popup. Both write the same flag in chrome.storage.local; no further events leave your machine until you re-enable.

All events go to Google Analytics 4. Google’s privacy policy is at policies.google.com/privacy; Google’s overview of GA data controls is at support.google.com/analytics/answer/6004245. Data resides on Google’s global infrastructure. We have not enabled Google Signals or ad personalization on the property.

What the extension still stores locally

The Chrome extension uses chrome.storage.local to remember the last twenty audit runs: URL, scorecard version, timestamp, pass/fail summary. That history stays on your device, is visible on the extension’s report page, and is never sent anywhere. Uninstalling the extension wipes chrome.storage.local.

Data retention

The GA4 property is configured for the longest standard retention window (14 months). Older events are deleted by Google automatically.

Contact

Questions, concerns, or security reports can go to agentreadability@gmail.com.

Changelog

v3 (2026-06-04): CLI and extension now record per-check scorecard outcomes (stable check id + status), grouped by an ephemeral random run id. Replaces the previous “per-check scorecard details not collected” guarantee. URLs and page content remain off-limits.
v2 (2026-04-28): introduced opt-out anonymous telemetry across the website, CLI, and Chrome extension.
v1: “no telemetry, no third parties.” Superseded by v2.

Last updated: 2026-06-04.