The short version: xsbl scans the public-facing HTML of your website. Our Chrome extension applies accessibility features locally in your browser. We don't inject scripts on your visitors, don't collect browsing history, and don't store your source code. We collect what we need to run the service and nothing more.
1. Who we are
xsbl ("we", "us", "our") provides a web accessibility scanning and compliance platform at xsbl.io. This policy explains how we collect, use, and protect information when you use our website and services.
2. Information we collect
Account information
When you create an account, we collect your email address, name (if provided), and authentication credentials. If you sign in via GitHub or Google, we receive your public profile information and email from those providers.
Scan data
When you scan a website, we fetch the publicly rendered HTML of the pages you specify — the same content any browser visitor would see. We analyze this HTML for WCAG 2.2 accessibility violations and store the scan results (issue descriptions, element selectors, fix suggestions, scores). We do not store full page HTML after the scan completes.
Chrome extension data
The xsbl Chrome extension runs locally in your browser. Here is exactly what it does and does not access:
Stored locally only (never sent to our servers):
- Your feature toggle settings (contrast, text size, keyboard navigation, dyslexia mode, color blindness filter, ARIA fix)
- Per-site preferences (which features are active on which domains)
- Your authentication token (if you sign in for Pro features)
All of the above is stored in chrome.storage.local on your device. We cannot access it from our servers.
Sent to our servers (Pro features only):
- AI alt text: When you enable AI alt text on a page, the URLs of images that are missing alt attributes are sent to our edge function. We fetch those images server-side, send them to Anthropic's Claude Vision API for description, and return the generated alt text. We do not store the images or the generated descriptions after the response is returned. Image URLs are logged only for rate-limiting purposes and are deleted after 24 hours.
- Authentication: When you sign in, we generate a token that the extension stores locally. This token is sent with Pro feature requests to verify your identity and plan. We do not receive or store your password — authentication goes through the same Supabase auth flow as the dashboard.
What the extension does NOT do:
- It does not collect or transmit your browsing history
- It does not read page content, form inputs, or passwords
- It does not inject tracking scripts, analytics, or ads
- It does not modify pages in any way that persists after you navigate away or close the tab
- It does not communicate with any server other than xsbl.io (our Supabase edge functions)
- Free features (contrast, text scaling, keyboard navigation) make zero network requests — they are entirely local CSS/DOM changes
Permissions explained: The extension requests "access to all websites" (<all_urls>) because its purpose is to apply accessibility improvements to any page you visit. The content script only activates features you have toggled on. The storage permission is used to save your settings locally. The activeTab permission allows the popup to communicate with the current tab's content script. The scripting permission is required by Manifest V3 for content script injection.
GitHub integration data
If you connect a GitHub repository, we store an access token scoped to the repositories you authorize and the repo identifier. When creating pull requests or issues, we read relevant source files at that moment only — we do not clone, cache, or persist your repository contents.
Usage data
We collect standard usage information: pages visited within our dashboard, features used, scan frequency, browser type, and approximate location derived from IP address. We use this to improve the product and diagnose issues.
Payment information
Payments are processed by Stripe. We do not store credit card numbers, CVVs, or bank account details. Stripe provides us with a customer identifier, plan status, and billing email.
3. How we use your information
We use the information we collect to:
- Provide, maintain, and improve the xsbl service
- Run accessibility scans and generate fix suggestions
- Create pull requests and GitHub issues on your behalf
- Send scan completion notifications and alerts you've opted into
- Process payments and manage subscriptions
- Diagnose bugs and monitor service reliability
- Respond to support requests
4. What we don't do
- We do not sell or rent your personal information to anyone
- We do not serve advertisements
- We do not inject scripts or overlays onto your website
- We do not track your website's visitors
- We do not store your source code beyond what's needed to generate a specific fix
- We do not use your data to train AI models
5. Data storage and security
Your data is stored in Supabase-managed PostgreSQL databases hosted on AWS infrastructure in the United States. All data is encrypted at rest and in transit (TLS 1.2+). Access to production databases is restricted to essential personnel and protected by multi-factor authentication. See our Security page for more detail.
6. Data retention
Scan results and issues are retained for the lifetime of your account. When you delete a site, we remove its scan history, issues, and associated data within 30 days. When you delete your account, we remove all your data within 30 days, except where required by law (e.g., billing records).
7. Third-party services
We use the following third-party services:
- Supabase — database, authentication, and edge functions
- Netlify — web hosting and CDN
- Stripe — payment processing
- GitHub API — pull request and issue creation (only when you connect your repo)
- Browserless — headless browser for rendering pages during scans
- Anthropic (Claude) — AI-powered fix suggestions and alt text generation
Each of these services processes data according to its own privacy policy. We select partners that maintain SOC 2 compliance or equivalent security standards.
8. Cookies
We use essential cookies only: a session token for authentication and a theme preference (light/dark). We do not use analytics cookies, advertising cookies, or third-party tracking cookies.
9. Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data ("right to be forgotten")
- Export your data in a portable format
- Object to processing of your data
- Withdraw consent at any time
To exercise any of these rights, email us at privacy@xsbl.io or use the account deletion option in your dashboard settings. We respond to all requests within 30 days.
10. International transfers
Our servers are located in the United States. If you are accessing xsbl from outside the US, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses and applicable legal frameworks for lawful international data transfers.
11. Children's privacy
xsbl is not directed at children under 16. We do not knowingly collect information from children. If we learn we have collected data from a child, we will delete it promptly.
12. Changes to this policy
We may update this policy from time to time. We will notify you of material changes by posting a notice on our website and, where possible, sending an email to your registered address. Your continued use of xsbl after changes take effect constitutes acceptance of the updated policy.
13. Contact
If you have questions about this privacy policy or how we handle your data, contact us at privacy@xsbl.io or through our contact page.