Privacy Policy

Alto ("we," "us," or "our") operates the website at www.altopages.com and the Alto document accessibility remediation platform (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By accessing or using the Service, you agree to this Privacy Policy. If you do not agree with the terms of this policy, please do not access or use the Service.

2.1 Account Information

When you create an account, we collect your email address and a hashed version of your password. If you sign in with Google OAuth, we receive your name, email address, and profile picture from Google. We do not store your Google password.

2.2 Uploaded Documents

When you upload PDF, Word, PowerPoint, Excel, or other Office documents for remediation, we temporarily store those files on our servers for processing. This includes:

• The original uploaded document
• The remediated (accessible) version of the document
• Audit and conformance reports generated during processing
• AI-generated alt text descriptions for images within your documents

2.3 Usage Data

We automatically collect certain information when you use the Service, including your IP address, browser type, operating system, referring URLs, pages viewed, and the dates and times of your visits.

2.4 Payment Information

If you purchase credits, payment processing is handled by Stripe, Inc. We do not store your full credit card number, expiration date, or CVV on our servers. Stripe's privacy policy governs the collection and use of your payment information.

We use the information we collect to:

• Provide, operate, and maintain the Service
• Process your document remediation requests
• Generate accessibility conformance reports
• Generate AI-powered alt text descriptions for images in your documents
• Manage your account and credit balance
• Process payments and prevent fraud
• Send you service-related communications
• Respond to your inquiries and support requests
• Monitor and analyze usage patterns to improve the Service
• Comply with legal obligations

4.1 How Documents Are Processed

When you upload a document, it is processed on our servers using a combination of open-source tools (pikepdf, pdfminer, veraPDF) and AI services. The processing includes structural analysis, tag tree construction, metadata remediation, table detection, and font embedding.

4.2 AI-Generated Alt Text

Images within your documents are sent to a third-party AI service (Anthropic's Claude API) for the purpose of generating descriptive alt text for accessibility. Only the individual images are sent — not the full document. The AI service processes the images in real-time and does not retain them after generating the description.

Anthropic's data retention and privacy practices are governed by their own privacy policy. We use Anthropic's API in a configuration that does not permit use of your data for model training.

4.3 OCR Processing

Scanned or image-only PDF pages are processed using AI-based optical character recognition (OCR). Page images are sent to the same AI service described above for text extraction. The extracted text is overlaid on the document as an invisible text layer to enable screen reader access.

4.4 Validation

Remediated documents are validated using veraPDF, an open-source PDF/UA-1 (ISO 14289-1) validator that runs entirely on our servers. No document content is sent to external services for validation.

Account data: We retain your account information for as long as your account is active or as needed to provide the Service. You may request account deletion at any time by contacting us.

Uploaded documents: Original and remediated documents are stored temporarily on our servers and are available for download from your results page. Documents are retained for a reasonable period to allow you to access your results. You may request deletion of your documents at any time.

Job metadata: Records of your remediation jobs (filename, dates, scores, fixes applied) are stored in our database and associated with your account for your History and reporting features.

Usage logs: Server logs are retained for up to 90 days for security and debugging purposes, then automatically deleted.

We do not sell, rent, or trade your personal information or document content to third parties. We may share information in the following limited circumstances:

• Service providers: We use third-party services to operate our platform, including Supabase (authentication and database), Railway (hosting), Stripe (payments), and Anthropic (AI processing). These providers access only the data necessary to perform their functions and are bound by their own privacy policies and data processing agreements.
• Legal requirements: We may disclose your information if required by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
• Business transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction.

We implement appropriate technical and organizational measures to protect your information, including:

• All data in transit is encrypted via TLS/HTTPS
• Passwords are hashed using industry-standard algorithms (scrypt)
• Authentication sessions use signed, httpOnly cookies
• Database access is protected by row-level security policies
• API keys and secrets are stored in environment variables, never in source code
• Document processing occurs on isolated server infrastructure

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your account and associated data
• Export your data in a portable format
• Withdraw consent for optional data processing
• Object to processing of your information
• Lodge a complaint with a supervisory authority

To exercise any of these rights, contact us at privacy@altopages.com. We will respond within 30 days.

We use essential cookies to maintain your authentication session. These cookies are strictly necessary for the Service to function and cannot be disabled.

We do not use third-party tracking cookies, advertising cookies, or analytics cookies. We do not participate in cross-site tracking or behavioral advertising.

The Service is not directed at children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.

Our servers are located in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States. By using the Service, you consent to the transfer of your information to the United States.

Many of our users are state, local, and educational agencies subject to specific data handling requirements. We are committed to supporting compliance with applicable regulations including:

• FERPA: We do not use education records for any purpose other than providing the Service. Documents containing student information are processed solely for accessibility remediation.
• State privacy laws: We comply with applicable state privacy laws including CCPA (California), VCDPA (Virginia), CPA (Colorado), and others.

Government and education customers requiring a Data Processing Agreement (DPA) or additional security documentation may contact us at legal@altopages.com.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy or our data practices, contact us at: