Exactly what we check
Here is the full list: every check we run, which regulation it tests against, and whether it's included in the trial or requires a paid plan. No hand-picked examples — this is the same catalog that drives the scan.
How the trial differs from a paid plan
During the trial we run almost every check, but on a sample of the site's pages and with a limited number of examples per finding — enough to show you where you stand, not a complete review.
On a paid plan the site is scanned up to your plan's page count, every finding is shown, and the deeper accessibility tests run. Those require us to interact with each page — keyboard navigation, mobile viewport, form testing — and are therefore not part of unpaid scans. The "Paid plan" column applies to every paid plan: what matters is that the module is included in your plan, not which plan you chose.
About the methods: Deterministic means the check measures a fact in the browser — it cannot be a matter of opinion. AI means our compliance AI reads and assesses text. Vision AI means the AI assesses a screenshot visually. AI assessments are always presented as assessments for you to confirm, never as established violations.
Accessibility (WCAG / EAA)55 criteria
WCAG 2.2 at levels A and AA consists of 55 criteria — the table below accounts for every one of them. Some are machine-testable: those are tested by the automated sweep on every scanned page, using around sixty rules. On a paid plan we go further than automated scanning normally can — we tab through the pages with a keyboard, reload them in a mobile viewport, test forms, and let vision AI judge what otherwise needs a human eye. A number of criteria can't be tested without human judgment in context: those the scan does not cover, and they are openly marked as manual in the table — we never claim otherwise.
Of the 55 criteria, we test 32 fully or partially automatically. The remaining 23 require human judgment — but you're not left alone with them: our AI advisor guides you through what to check, how to do it, and what passes.
| Criterion (WCAG 2.2) | Level | How we test | Trial | Paid plan |
|---|---|---|---|---|
| 1.1.1 Non-text content — everything that isn't text (images, icons, buttons with symbols) must have a text description, so a screen-reader user knows what the image shows. | A | Partially automatic · sweep + interactive + PDF | ✓ | ✓ |
| 1.2.1 Audio-only / video-only — a recording with only audio (e.g. a podcast) must have a text transcript, and a video without sound a text description, so the content works for those who can't hear or see. | A | Manual review | — | — |
| 1.2.2 Captions (prerecorded) — recorded videos with speech must have captions, so people who can't hear can follow what is said. | A | Partially automatic · sweep | ✓ | ✓ |
| 1.2.3 Audio description or media alternative — recorded videos must have a narrator describing what's on screen, or a text version of the whole content, for those who can't see the picture. | A | Manual review | — | — |
| 1.2.4 Captions (live) — live broadcasts must have captions too, not just recorded material. | AA | Manual review | — | — |
| 1.2.5 Audio description (prerecorded) — recorded videos must have audio description: a narrator describing important things that are only visible on screen. | AA | Manual review | — | — |
| 1.3.1 Info and relationships — what looks like a heading, list or table must also be coded as one, so screen readers understand the page's structure instead of reading one long wall of text. | A | Partially automatic · sweep + PDF | ✓ | ✓ |
| 1.3.2 Meaningful sequence — content must sit in a sensible order in the code, so someone hearing the page read aloud gets it in the same logical order as someone seeing it. | A | Manual review | — | — |
| 1.3.3 Sensory characteristics — instructions must not assume sight, like "click the green button on the right". Someone who can't perceive colour or position must still understand what's meant. | A | Manual review | — | — |
| 1.3.4 Orientation — the page must work with the screen held both portrait and landscape; it must not force the user to rotate their phone or tablet. | AA | Partially automatic · sweep | ✓ | ✓ |
| 1.3.5 Identify input purpose — fields for name, email, address and so on must be marked up so the browser can fill them in automatically — a big help for anyone who struggles to type. | AA | Automatic · sweep | ✓ | ✓ |
| 1.4.1 Use of colour — colour must not be the only way something is shown, e.g. only marking invalid fields in red. People who don't perceive colour need a text or symbol too. | A | Partially automatic · sweep | ✓ | ✓ |
| 1.4.2 Audio control — if sound starts automatically when the page opens, it must be possible to pause or turn off, otherwise it drowns out the screen reader's voice. | A | Partially automatic · sweep | ✓ | ✓ |
| 1.4.3 Contrast (minimum) — text must have enough contrast against its background to be readable with low vision — light grey text on a white background is the classic failure. | AA | Automatic · sweep + vision AI | ✓ | ✓ |
| 1.4.4 Resize text — it must be possible to enlarge the text to double size without content disappearing or ending up off-screen. | AA | Partially automatic · sweep | ✓ | ✓ |
| 1.4.5 Images of text — text must be real text, not baked into an image. Text in images turns blurry when enlarged and is completely invisible to screen readers. | AA | Partially automatic · vision AI | — | ✓ |
| 1.4.10 Reflow — the page must work on a narrow screen (320 pixels, roughly a small phone) without having to scroll sideways to read. | AA | Automatic · interactive | — | ✓ |
| 1.4.11 Non-text contrast — things that aren't text — icons, input-field borders, parts of charts — must also have enough contrast to be distinguishable. | AA | Manual review | — | — |
| 1.4.12 Text spacing — the page must not break if the user increases line and letter spacing, which people with dyslexia or low vision often do to be able to read. | AA | Automatic · sweep + interactive | ✓ | ✓ |
| 1.4.13 Content on hover or focus — content that appears when pointing at something (tooltips, fold-out menus) must be dismissible and must not vanish when you try to move the pointer to it. | AA | Partially automatic · interactive | — | ✓ |
| 2.1.1 Keyboard — everything on the page must be usable with a keyboard alone, because many people can't use a mouse — e.g. people with motor impairments or low vision. | A | Partially automatic · sweep + interactive | ✓ | ✓ |
| 2.1.2 No keyboard trap — someone navigating by keyboard must never get stuck in a part of the page (e.g. a popup) with no way to move on or back out. | A | Partially automatic · interactive | — | ✓ |
| 2.1.4 Character key shortcuts — if the page has single-key shortcuts (e.g. S opens search), they must be possible to turn off or remap, otherwise voice control and stray keystrokes trigger them by accident. | A | Manual review | — | — |
| 2.2.1 Timing adjustable — if something has a time limit (e.g. being logged out, or a booking expiring), the limit must be extendable or possible to turn off — not everyone is equally fast. | A | Partially automatic · sweep | ✓ | ✓ |
| 2.2.2 Pause, stop, hide — image carousels, autoplaying videos and other moving content must be pausable. Motion breaks concentration, especially for people with ADHD or cognitive impairments. | A | Partially automatic · sweep + interactive | ✓ | ✓ |
| 2.3.1 Three flashes or below threshold — nothing on the page may flash intensely more than three times per second, because rapid flashing can trigger epileptic seizures. | A | Manual review | — | — |
| 2.4.1 Bypass blocks — someone navigating by keyboard must be able to skip past what repeats on every page (the menu, the header) instead of tabbing through all of it every time. | A | Partially automatic · sweep | ✓ | ✓ |
| 2.4.2 Page titled — every page must have a title describing what it's about. It's the first thing a screen reader announces, and what shows in the browser tab. | A | Partially automatic · sweep + PDF | ✓ | ✓ |
| 2.4.3 Focus order — when tabbing through the page, the highlight must move in a sensible order, not jump back and forth across the page. | A | Partially automatic · interactive | — | ✓ |
| 2.4.4 Link purpose — the link text must say where the link leads. "Read more" and "click here" mean nothing to someone hearing all the page's links read out as a list. | A | Partially automatic · sweep + interactive | ✓ | ✓ |
| 2.4.5 Multiple ways — there must be more than one way to find a page, e.g. both a menu and a search function. | AA | Manual review | — | — |
| 2.4.6 Headings and labels — headings and field labels must describe their content, so you understand what a section is about or what to fill in without guessing. | AA | Partially automatic · vision AI | — | ✓ |
| 2.4.7 Focus visible — when tabbing through the page it must be visible where you are, e.g. with a clear outline around the highlighted element. | AA | Partially automatic · interactive | — | ✓ |
| 2.4.11 Focus not obscured (minimum) — the element you've tabbed to must not sit hidden behind a fixed menu or cookie banner, leaving you navigating blind. | AA | Automatic · interactive | — | ✓ |
| 2.5.1 Pointer gestures — functions that require swipes or multi-finger gestures must also work with simple taps. | A | Manual review | — | — |
| 2.5.2 Pointer cancellation — a click must be possible to abort by moving the finger or pointer away before releasing — important for people with tremors who often hit the wrong thing. | A | Manual review | — | — |
| 2.5.3 Label in name — the text shown on a button must be part of the button's name in the code, otherwise voice control ("click Submit") doesn't work as expected. | A | Automatic · sweep | ✓ | ✓ |
| 2.5.4 Motion actuation — functions controlled by shaking or tilting the device must have an ordinary alternative — not everyone can make those movements, and a wheelchair-mounted device can't be shaken. | A | Manual review | — | — |
| 2.5.7 Dragging movements — functions that require drag-and-drop (e.g. sorting a list) must also be possible with simple clicks. | AA | Manual review | — | — |
| 2.5.8 Target size (minimum) — buttons and links must be large enough to hit, even with trembling hands or large fingers on a small screen. | AA | Automatic · sweep + interactive | ✓ | ✓ |
| 3.1.1 Language of page — the page's language must be declared in the code. Otherwise a screen reader may read Swedish text with English pronunciation — incomprehensible to the listener. | A | Automatic · sweep + PDF | ✓ | ✓ |
| 3.1.2 Language of parts — if parts of the page are in another language, that must be marked up, so the screen reader switches pronunciation for just that passage. | AA | Partially automatic · sweep | ✓ | ✓ |
| 3.2.1 On focus — highlighting an element with the keyboard must not trigger anything unexpected, like a popup opening or being sent to another page. | A | Manual review | — | — |
| 3.2.2 On input — filling in a field or picking from a list must not automatically submit the form or move the user somewhere else without warning. | A | Manual review | — | — |
| 3.2.3 Consistent navigation — menus must sit in the same place and order on every page, so you don't have to relearn the site on each new page. | AA | Partially automatic · interactive | — | ✓ |
| 3.2.4 Consistent identification — the same function must be named and look the same across the site — the search icon can't mean different things on different pages. | AA | Manual review | — | — |
| 3.2.6 Consistent help — contact details, chat and other help features must sit in the same place on every page, so anyone needing help always knows where to find it. | A | Manual review | — | — |
| 3.3.1 Error identification — when something goes wrong in a form, the error must be pointed out and explained in text — not just with a red border, which not everyone perceives. | A | Partially automatic · interactive | — | ✓ |
| 3.3.2 Labels or instructions — form fields must have a visible label or instruction explaining what to fill in, e.g. which date format applies. | A | Partially automatic · sweep | ✓ | ✓ |
| 3.3.3 Error suggestion — error messages should suggest how to fix the error where possible, e.g. "enter the date as YYYY-MM-DD", not just state that something is wrong. | AA | Manual review | — | — |
| 3.3.4 Error prevention — for important commitments (purchases, agreements, deletions) the user must be able to review their input, undo, or confirm before it goes through. | AA | Manual review | — | — |
| 3.3.7 Redundant entry — information the user already provided earlier in the same flow must not have to be entered again, e.g. the same address in two checkout steps. | A | Manual review | — | — |
| 3.3.8 Accessible authentication (minimum) — logging in must not require solving memory tasks or puzzles, and pasting a password from a password manager must not be blocked. | AA | Manual review | — | — |
| 4.1.2 Name, role, value — custom-built components (bespoke menus, sliders, tabs) must tell assistive technology what they are, what they're called and what state they're in — otherwise they're invisible to screen readers. | A | Partially automatic · sweep | ✓ | ✓ |
| 4.1.3 Status messages — confirmations and status updates ("item added to cart") must reach screen readers even when they only appear visually on screen. | AA | Manual review | — | — |
Policies & terms58 checks
We locate the privacy policy, cookie policy and terms, read them as documents, and verify two things: that they contain what the law requires, and that what they claim matches what the scan actually measured on the site.
| What we check | Regulation | Method | Trial | Paid plan |
|---|---|---|---|---|
| That a privacy policy exists and is reachable. | GDPR art. 13–14 | Deterministic | ✓ | ✓ |
| That the site's policy links aren't broken (404/500). | GDPR art. 12.1 | Deterministic | ✓ | ✓ |
| That the policy can be read without first being forced to accept cookies. | GDPR art. 12.1 | Deterministic | ✓ | ✓ |
| That the policy names who the data controller is. | GDPR art. 13.1 a | Deterministic | ✓ | ✓ |
| That the policy doesn't name the wrong company as controller — a common trace of copied templates. | GDPR art. 13.1 a | Deterministic | ✓ | ✓ |
| That there is a contact channel to the data controller. | GDPR art. 13.1 a | Deterministic | ✓ | ✓ |
| That the purposes of the personal-data processing are stated. | GDPR art. 13.1 c | Deterministic | ✓ | ✓ |
| That a legal basis for the processing is stated. | GDPR art. 6.1 · 13.1 c | Deterministic | ✓ | ✓ |
| That the categories of personal data processed are described. | GDPR art. 14.1 d | Deterministic | ✓ | ✓ |
| That recipients or categories of recipients of the data are stated. | GDPR art. 13.1 e | Deterministic | ✓ | ✓ |
| That the retention period — or the criteria for it — is stated. | GDPR art. 13.2 a | Deterministic | ✓ | ✓ |
| That the data subjects' rights are enumerated (access, rectification, erasure and more). | GDPR art. 15–22 | Deterministic | ✓ | ✓ |
| That there is a concrete channel for exercising one's rights. | GDPR art. 12.2 | Deterministic | ✓ | ✓ |
| That the right to complain to the supervisory authority (IMY) is stated. | GDPR art. 13.2 d | Deterministic | ✓ | ✓ |
| That the right to withdraw consent is stated, when consent is invoked as the basis. | GDPR art. 7.3 · 13.2 c | Deterministic | ✓ | ✓ |
| That safeguards are named when data is transferred outside the EU/EEA (standard contractual clauses, adequacy decisions and more). | GDPR art. 46 | Deterministic | ✓ | ✓ |
| That the data protection officer's contact details are present. Applies to public-sector bodies. | GDPR art. 37 | Deterministic | ✓ | ✓ |
| That the policy carries a last-updated date. | GDPR art. 5.2 · 12 | Deterministic | ✓ | ✓ |
| That the policy contains no unfilled template placeholders ([Company name], Lorem ipsum …). | — | Deterministic | ✓ | ✓ |
| That the policy doesn't reference Datainspektionen — the authority was renamed IMY in 2021, so such a reference is a strong sign the policy hasn't been maintained. | SE | Deterministic | ✓ | ✓ |
| That the policy doesn't rely on repealed law (the Swedish Personal Data Act, replaced by the GDPR in 2018). | SE · GDPR | Deterministic | ✓ | ✓ |
| That a site addressing a Swedish audience has its policy in Swedish. | SE · språklagen 10 § | Deterministic | ✓ | ✓ |
| That cookie information exists — as its own document or a clear section. | ePrivacy art. 5.3 | Deterministic | ✓ | ✓ |
| That the cookie policy states category and purpose per cookie. | ePrivacy · LEK 9 kap. | Deterministic | ✓ | ✓ |
| That the cookie policy states each cookie's lifespan. | EDPB-praxis | Deterministic | ✓ | ✓ |
| That every tracker we actually measured on the site is also declared in the cookie policy — measured is compared against declared. | GDPR art. 13.1 e | Deterministic | ✓ | ✓ |
| That the cookie banner's categories match what the cookie policy declares. | ePrivacy · GDPR art. 12 | Deterministic | ✓ | ✓ |
| That a policy claiming data isn't shared with third parties isn't contradicted by measured data sharing. | GDPR art. 5.1 a | Deterministic | ✓ | ✓ |
| That a policy claiming no tracking cookies are used isn't contradicted by what the scan measured. | GDPR art. 5.1 a | Deterministic | ✓ | ✓ |
| That measured data flows to recipients outside the EU/EEA (for example US ad platforms) are matched by the policy's information on third-country transfers. | GDPR art. 13.1 f · 44 | Deterministic | ✓ | ✓ |
| That organisations covered by the Swedish web-accessibility act have an accessibility statement. | DOS-lagen (SE) | Deterministic | ✓ | ✓ |
| That an accessibility statement claiming full WCAG compliance isn't contradicted by what the accessibility scan actually found. | DOS-lagen (SE) | Deterministic | ✓ | ✓ |
| That selling sites have findable purchase or user terms. | SE · konsumentlagstiftning | Deterministic | ✓ | ✓ |
| That the terms on a consumer-facing selling site inform about out-of-court dispute resolution (ARN). | SE · lag 2015:671 (ARN) | Deterministic | ✓ | ✓ |
| That references to the EU's decommissioned ODR platform (shut down July 2025) have been removed. | EU ODR (nedlagd 2025) | Deterministic | ✓ | ✓ |
| That company name, geographic address and email are easily accessible on commercial sites. | SE · e-handelslagen 8 § | Deterministic | ✓ | ✓ |
| That selling sites have a public online withdrawal function — a legal requirement from 19 June 2026; we flag it in advance so you have time to prepare. | SE · distansavtalslagen 2 kap. 10 a § | Deterministic | ✓ | ✓ |
| That consent checkboxes in forms (newsletter, marketing) aren't pre-ticked — pre-ticked consent is invalid. | GDPR art. 4.11 · 7.1 (Planet49) | Deterministic | ✓ | ✓ |
| That forms collecting personal data have a link to the privacy policy nearby. | GDPR art. 12.1 · 13.1 | Deterministic | ✓ | ✓ |
| That forms collecting personal data or logins aren't submitted over an unencrypted connection (http). | GDPR art. 32 | Deterministic | ✓ | ✓ |
| That the site's TLS certificate is valid and trusted — not expired, self-signed or issued for the wrong domain. | GDPR art. 32 | Deterministic | ✓ | ✓ |
| The AI judges whether the policy is comprehensible to an ordinary reader — the GDPR requires clear and plain language. | GDPR art. 12.1 | AI | ✓ | ✓ |
| The AI verifies that every form collecting personal data is covered by a declared purpose in the policy. | GDPR art. 13.1 c | AI | ✓ | ✓ |
| The AI judges whether the purpose is clear at the point of collection — at the form, not just deep inside the policy. | GDPR art. 13 | AI | ✓ | ✓ |
| The AI reviews that consent in forms isn't bundled with other terms. | GDPR art. 7.4 | AI | ✓ | ✓ |
| The AI reviews form text claiming that submitting also constitutes consent to something else — "by submitting you also agree to mailings" is not valid consent. | GDPR art. 4.11 · 7.4 (Planet49) | AI | ✓ | ✓ |
| When the policy invokes legitimate interest: is the concrete interest named — or just the phrase? | GDPR art. 6.1 f | AI | ✓ | ✓ |
| The AI judges whether the recipient descriptions are too vague ("trusted partners") to meet the information duty. | GDPR art. 13.1 e | AI | ✓ | ✓ |
| That further processing of data for new purposes is described correctly. | GDPR art. 13.3 | AI | ✓ | ✓ |
| That the policy doesn't describe an invalid consent flow — "by continuing to browse you accept cookies" is not valid consent. | GDPR art. 4.11 · 7 (Planet49) | AI | ✓ | ✓ |
| That automated decision-making and profiling are disclosed where they occur. | GDPR art. 13.2 f · 22 | AI | ✓ | ✓ |
| That the source of the data is stated when it wasn't collected directly from the data subject. | GDPR art. 14.2 f | AI | ✓ | ✓ |
| That the right to object to direct marketing is stated. | GDPR art. 21.2 | AI | ✓ | ✓ |
| That sensitive data (health, religion, political opinions and more) has a stated legal basis under Article 9. | GDPR art. 9 | AI | ✓ | ✓ |
| Healthcare-specific review: legal basis for health data, the Swedish Patient Data Act, and the separation between medical-record systems and the web. Applies to care providers. | GDPR art. 9.2 h · PDL (SE) | AI | ✓ | ✓ |
| Municipality-specific review of legal basis — public authorities can rarely rely on consent towards citizens. Applies to municipalities and public-sector bodies. | GDPR art. 6.1 e (SE) | AI | ✓ | ✓ |
| The AI reviews that the terms inform correctly about the right of withdrawal. Applies to selling sites. | SE · distansavtalslagen | AI | ✓ | ✓ |
| The AI reviews that the price information in the terms is correct and complete. Applies to selling sites. | SE · prisinformationslagen | AI | ✓ | ✓ |
AI Act1 check
Identifies chat and assistant widgets and flags the transparency duty in Article 50 of the AI Act: visitors must know when they are interacting with an AI.
| What we check | Regulation | Method | Trial | Paid plan |
|---|---|---|---|---|
| Chat and assistant widgets are identified (Intercom, Drift, Humany and more) and the transparency duty is flagged: visitors must be informed when they interact with an AI. Binding from August 2026. | AI-förordningen art. 50.1 | Deterministic | ✓ | ✓ |
Want to see what we find on your site?
Run a free scan — all four modules included for 30 days, no card required.