1. Who We Are
All Access World ("we", "us", "our") operates the marketplace at accessaro.com. We are an online marketplace for assistive technology products, built by and for people with disabilities. We are the data controller responsible for your personal information under the General Data Protection Regulation (GDPR) and applicable data protection legislation. For any privacy-related inquiries, please contact us at hello@accessaro.com.
2. Data We Collect
We collect the following categories of personal data:
- Account information: Name, email address, phone number, and profile photo.
- Shipping addresses: Street address, city, country, and postal code.
- Order data: Items purchased, order status, shipping carrier, and tracking details.
- Payment data: Processed securely by Stripe. We do not store credit or debit card numbers on our servers.
- Communications: Support tickets, community feedback, and product reviews (including review title, content, ratings, and verified purchase status).
- Technical data: IP address (anonymised for analytics), browser type, and device information.
- Usage data: Pages visited and features used, collected via analytics cookies only with your consent.
- Accessibility preferences: Your chosen accessibility profile, contrast mode, text scale, dyslexia font preference, and announcement timeout settings. These are stored locally on your device and, if you are signed in, synchronised to your account.
- Ambassador Programme data: Referral codes, referral history, tier status, and credit balance if you participate in our Ambassador Programme.
Vendor-specific data: If you register as a vendor, we additionally collect your company name, website URL, business information, and payout method details.
3. How We Use Your Data
We process your personal data for the following purposes and on the following legal bases:
- Contract performance (Article 6(1)(b) GDPR): Processing and fulfilling orders, managing your account, providing customer support, and operating the Ambassador Programme.
- Legitimate interests (Article 6(1)(f) GDPR): Fraud prevention and detection, security monitoring, platform improvement, product review moderation, and abandoned cart recovery communications.
- Consent (Article 6(1)(a) GDPR): Marketing communications, analytics cookies, and AI-powered product recommendations.
- Legal obligation (Article 6(1)(c) GDPR): Tax record keeping, regulatory compliance, and responding to lawful requests from authorities.
4. Payment Processing
We use the following payment methods and processors:
- Stripe: Our primary payment processor, which is PCI DSS Level 1 compliant. Stripe processes all credit and debit card transactions (Visa, Mastercard, American Express). Card data is handled entirely by Stripe and never touches our servers. Stripe uses 256-bit SSL encryption and supports 3D Secure (Strong Customer Authentication) for added security.
- PayPal: We are in the process of integrating PayPal as an additional payment method.
- Bank transfers: We are in the process of integrating bank transfer payments.
- Insurance and grant funding: If your purchase is funded through a disability insurance scheme or grant programme, you may select this option at checkout. We will provide the necessary documentation and invoicing to support your claim. We do not process card payments for these orders until alternative arrangements are confirmed.
When you make a payment, Stripe receives your card details, billing address, and transaction amount. We receive only a confirmation of payment and a transaction reference. We do not have access to your full card number at any point.
5. Order Processing and Fulfilment
When you place an order, we process it through the following stages:
- Payment verification: Your payment is verified through Stripe before the order is confirmed.
- Order confirmation: Once payment is successful, your order status moves to confirmed and you receive a confirmation email.
- Shipping: We use DHL Express for European and worldwide deliveries, and Aramex for Middle East and North Africa (MENA) region deliveries. We share your name and shipping address with the relevant carrier to fulfil your order.
- Tracking: When your order is dispatched, you will receive a shipping notification email containing your carrier name, tracking number, and a link to track your delivery.
Order records include your name, email, shipping address, items purchased, payment status, and shipping details. These records are retained for 7 years for tax and legal compliance purposes.
6. Email Communications
We send the following categories of email communications:
Transactional emails (sent automatically based on your actions):
- Order confirmation: Sent when your payment is successfully processed.
- Order status updates: Sent when your order moves to processing, shipped, delivered, completed, cancelled, or refunded status.
- Shipping notification: Sent when your order is dispatched, including carrier name, tracking number, and tracking link.
- Payment failure notification: Sent if a payment attempt fails, with the reason and a link to retry.
- Support ticket confirmation: Sent when you create a support ticket.
- Support ticket response: Sent when our support team replies to your ticket.
- Welcome email: Sent when you create a new account.
Vendor emails:
- Vendor application received: Sent when a vendor submits a registration application.
- Vendor application decision: Sent when an application is approved or rejected.
Marketing emails (sent only with your consent):
- Abandoned cart reminders: If you add items to your cart but do not complete the purchase, we may send you a reminder after 1 hour and a second reminder after 24 hours. These emails are only sent if you have opted in to promotional emails.
All of our emails are available in English, Arabic, Italian, and German, based on the language preference set in your profile. You can manage your email preferences from your account notification settings. You can unsubscribe from marketing emails at any time by clicking the unsubscribe link included at the bottom of every marketing email we send. Transactional emails related to your orders and account security cannot be opted out of, as they are necessary for the performance of our contract with you.
7. Product Reviews
Our platform allows customers to leave product reviews. The following data is collected and displayed as part of the review process:
- Overall rating: A star rating from 1 to 5.
- Accessibility rating: A separate star rating from 1 to 5, specific to the product's accessibility.
- Review content: A title and written review.
- Reviewer disability profile: You may optionally associate your accessibility profile with your review. This is entirely voluntary and is intended to help other customers understand the reviewer's perspective.
- Verified purchase status: If you purchased the product through our platform, your review will display a verified purchase badge.
All reviews are moderated before publication. Reviews may be approved, rejected, or flagged for further review. We moderate reviews to ensure they are genuine, relevant, and do not contain harmful or misleading content.
8. Ambassador Programme
If you participate in our Ambassador Programme, we collect and process the following data to operate the referral reward system:
- Referral code: A unique code assigned to your account.
- Referral history: A record of the users you have referred, including timestamps.
- Tier status: Your current tier (Bronze, Silver, or Gold), determined by the number of successful referrals.
- Credit balance: The monetary credit earned through referrals, which can be applied to future purchases.
This data is processed on the basis of contract performance, as participation in the Ambassador Programme constitutes an agreement between you and All Access World. Referral data is retained for as long as your account is active and you remain enrolled in the programme.
9. AI-Powered Features
Our platform includes an AI-powered product recommendation assistant. This feature operates as follows:
- How it works: The assistant uses pattern matching to understand your queries and suggest relevant products from our catalogue. For more complex queries, it may use a large language model to provide a more detailed response.
- Conversation memory: The assistant retains a sliding window of your most recent messages within a single session to maintain conversational context. This data is not stored after your session ends.
- No medical advice: The assistant is designed to help you find products. It does not provide medical advice, diagnoses, or treatment recommendations. Guardrails are in place to prevent the assistant from responding to medical queries.
- Consent-based: Use of the AI assistant is entirely optional and initiated only by you.
AI-powered recommendations are processed on the basis of your consent. You may choose not to use the assistant at any time, and no conversation data is retained beyond your active session.
10. Cookies
We use the following categories of cookies:
Essential cookies (always active):
| Cookie | Purpose |
|---|
| Authentication session | Keeps you signed in to your account |
| CSRF token | Protects against cross-site request forgery attacks |
| Language preference | Remembers your selected language |
| Cookie consent | Records your cookie preference choice |
| Guest checkout token | Links guest orders to your session (30-day expiry) |
Analytics cookies (consent required):
| Cookie | Purpose |
|---|
| Google Analytics (_ga, _gid) | Measures website usage with IP anonymisation enabled |
You can manage your cookie preferences at any time using the cookie consent banner or by clearing your browser cookies. If you reject analytics cookies, Google Analytics will not be loaded on the page.
11. Special Category Data (Article 9 GDPR)
As a marketplace for assistive technology, certain data we process may indirectly reveal information about a disability or health condition. Under Article 9 of the GDPR, this constitutes special category data and requires additional safeguards.
The categories of data that may reveal disability status include:
- Product browsing and purchase history: The categories of products you view or purchase (such as mobility aids, vision devices, hearing aids, or cognitive support tools) may indicate a disability.
- Accessibility profile selection: Choosing a specific accessibility profile (for example, a profile optimised for low vision or cognitive accessibility) may indicate a disability or condition.
- Reviewer disability profile: If you voluntarily associate a disability profile with a product review.
Legal basis: We process this data on the basis of legitimate interest (Article 6(1)(f) GDPR), supplemented by the following safeguards to protect your rights and freedoms:
- We do not use disability-related data for advertising, profiling, or targeted marketing.
- Accessibility preferences are stored locally on your device by default. They are only synchronised to your account if you are signed in, and you may reset them at any time.
- Associating a disability profile with a product review is entirely voluntary.
- We apply a four-tier data classification system to ensure that sensitive fields receive appropriate access controls and masking.
- We do not sell, rent, or share special category data with third parties for their own purposes.
12. Third-Party Services
We share personal data with the following categories of third-party service providers, solely to the extent necessary for the purposes described:
- Supabase: Database hosting and user authentication. Data is stored on servers in the EU and US regions.
- Stripe: Payment processing for all credit and debit card transactions. Stripe is PCI DSS Level 1 compliant, the highest level of certification in the payment card industry.
- Vercel: Application hosting and content delivery via a global edge network.
- Sentry: Error monitoring and performance tracking. Personal identifiable information (PII) scrubbing is enabled to prevent personal data from being captured in error reports.
- Google Analytics: Website analytics for understanding usage patterns. IP anonymisation is enabled, and data is only collected with your explicit consent via our cookie banner.
- DHL Express: International shipping carrier for European and worldwide deliveries. We share your name and shipping address with DHL to fulfil your order.
- Aramex: Regional shipping carrier for Middle East and North Africa (MENA) deliveries. We share your name and shipping address with Aramex to fulfil your order.
We do not sell your personal data to any third party. Each service provider processes your data only for the specific purpose described above and in accordance with their own privacy policies and our data processing agreements.
13. Fraud Prevention
We employ the following measures to detect and prevent fraudulent transactions:
- Stripe Radar: All card payments are automatically screened by Stripe Radar, which uses machine learning to detect and block fraudulent transactions.
- 3D Secure and Strong Customer Authentication (SCA): Stripe automatically triggers 3D Secure verification when required, adding an additional layer of authentication for card payments in compliance with the Payment Services Directive 2 (PSD2).
- Rate limiting: Our checkout endpoint is rate-limited to prevent abuse. Excessive requests from a single IP address are temporarily blocked.
- Payment reconciliation: We run an hourly reconciliation process to match Stripe payment records against our order database, ensuring that all transactions are accounted for.
- Idempotency protection: Duplicate payment requests are detected and prevented to ensure you are never charged twice for the same order.
Fraud prevention is carried out on the basis of our legitimate interest in protecting our customers and our business from financial crime.
14. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. The specific retention periods are as follows:
- Account data: Retained while your account is active. Deleted upon account deletion, except where retention is required by law.
- Order records: Retained for 7 years from the date of the transaction to comply with tax and legal record-keeping obligations.
- Support tickets: Retained for 3 years after the ticket is resolved.
- Security audit logs: Retained for 2 years.
- Analytics data: Anonymised and aggregated after 26 months. Individual-level analytics data is not retained beyond this period.
- Marketing email preferences: If you unsubscribe from marketing emails by clicking the unsubscribe link in any marketing email we send, we will cease sending marketing communications to you immediately. We will retain a record of your unsubscribe preference to ensure we honour your request and do not send further marketing emails to your address.
- Ambassador Programme data: Retained for as long as your account is active and you remain enrolled in the programme. Upon withdrawal or account deletion, referral data is anonymised.
15. Your Rights
Under the GDPR and applicable data protection legislation, you have the following rights:
- Right of access (Article 15): Request a copy of the personal data we hold about you.
- Right to rectification (Article 16): Correct inaccurate or incomplete personal data via your profile settings or by contacting us.
- Right to erasure (Article 17): Request the permanent deletion of your account and personal data, subject to any legal retention obligations.
- Right to data portability (Article 20): Export your personal data in a structured, commonly used, machine-readable format (JSON).
- Right to restriction of processing (Article 18): Request that we limit the processing of your personal data in certain circumstances.
- Right to object (Article 21): Object to the processing of your personal data where we rely on legitimate interests as the legal basis.
- Right to withdraw consent (Article 7(3)): Withdraw your consent at any time where processing is based on consent (for example, analytics cookies or marketing emails).
You can exercise your rights to data export and account deletion directly from your Account Settings page. For all other data subject requests, please contact us at hello@accessaro.com. We will respond to all requests within 30 days, as required by the GDPR.
16. Data Security
We implement comprehensive security measures to protect your personal data, including:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using HTTPS with TLS.
- Content Security Policy: We deploy CSP Level 3 with strict-dynamic nonce-based directives to prevent cross-site scripting (XSS) attacks.
- CSRF protection: All state-changing requests are protected by HMAC-based cross-site request forgery tokens.
- Rate limiting: API endpoints are rate-limited to prevent abuse and denial-of-service attacks.
- Input sanitisation: All user inputs are validated and sanitised to prevent injection attacks.
- Field-level encryption: Sensitive vendor data fields are encrypted at rest using AES-256-GCM encryption.
- Multi-factor authentication: Administrative accounts require multi-factor authentication, with re-verification required for high-risk operations.
- Session management: Administrative sessions have idle timeouts, absolute timeouts, and concurrent session limits.
- PCI compliance: Payment card data is processed entirely by Stripe and never touches our servers.
17. International Transfers
Your personal data may be processed in countries outside your jurisdiction, including the United States, where some of our service providers are based. We ensure that appropriate safeguards are in place for all international transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission and adequacy decisions where applicable. Our hosting and infrastructure providers (Vercel, Supabase) maintain compliance with GDPR international transfer requirements.
18. Children's Privacy
Our service is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe that a child under 16 has provided us with personal data, please contact us at hello@accessaro.com and we will take steps to delete the information promptly.
19. Guest Checkout
You may purchase products without creating an account by using our guest checkout option. When you check out as a guest, the following applies:
- Email address: Required so that we can send you order confirmation and status update emails.
- Shipping address: Required for order fulfilment. For guest users, shipping addresses are stored locally on your device using browser localStorage, not on our servers.
- Guest session token: A unique session token is stored as an HttpOnly cookie on your device for 30 days. This token allows us to associate your order with your browser session so you can view your order status.
Guest checkout data is processed on the basis of contract performance. If you later create an account, your guest orders are not automatically linked to your new account.
20. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date at the top. We may also notify you by email for significant changes that affect your rights. Continued use of our service after changes are posted constitutes your acceptance of the updated policy.