aquaticpool.com
27-year-old e-commerce site based in United States, served through cloudflare, with email running through microsoft.
Privacy50Needs work
Terms of service page presence
No terms of service page found. Without one, you have no contractual basis for the relationship with your visitors.
CCPA "Do Not Sell or Share My Personal Information" link
No CCPA "Do Not Sell or Share My Personal Information" link found. If you have California visitors and sell or share data, this is required.
Your homepage loads a high number of third-party trackers. Each one slows the page, leaks data, and increases your compliance surface.
2 additional standards didn't apply to this category
Accessibility65Excellent
Your heading levels skip — for example, an H1 followed by an H3 with no H2 in between. Screen reader users lose the outline of the page.
No skip-to-content link is published. Keyboard users have to tab through every nav item on every page before reaching the content.
Text on your homepage doesn't meet WCAG AA contrast minimums against its background. Visitors with low vision can't read parts of the page.
Every image on your homepage has alt text — screen readers can describe them.
ARIA labels presence and validity
Interactive elements have proper ARIA labels — screen reader users get a clear description of each control.
2 additional standards didn't apply to this category
Performance68Excellent
Image optimization (WebP/AVIF)
Your images are served as JPEG or PNG when modern formats (WebP, AVIF) would cut their size by 30–60% with no visible loss.
Font loading strategy (FOUT/FOIT/swap)
Your fonts aren't using font-display: swap. Visitors see invisible text for a moment while the font downloads — Google penalises this.
Mobile PageSpeed score + Core Web Vitals (LCP, FCP, CLS)
Your homepage is slow on mobile. The data Google uses to rank pages says real visitors wait too long for it to feel ready.
Your server compresses pages with Brotli or gzip — visitors download a fraction of the raw size.
Lazy loading on below-fold images
Below-fold images use loading="lazy" — they download only when the visitor scrolls toward them.
5 additional standards didn't apply to this category
Security83Excellent
Your server doesn't staple OCSP. Visitors' browsers may have to contact the CA themselves, slowing first connects.
Neither OCSP stapling nor Must-Staple is in play. A revoked cert wouldn't be caught quickly.
Embedded SCT count (Certificate Transparency)
Your certificate carries only one embedded SCT — modern browsers want at least two. Reissue from a CA that includes them.
WordPress REST API user enumeration exposure
Your WordPress site exposes its user list through the REST API. Attackers can enumerate every account by username — the first half of any credential-stuffing attack is already done for them.
SSL certificate validity & expiration window
Your SSL certificate is valid and not close to expiring.
Sensitive path exposure (.git, .env, /admin, xmlrpc.php, wp-login.php)
None of the common admin or developer paths are publicly reachable.
Only modern TLS (1.2 and above) is offered — TLS 1.0 and 1.1 are turned off.
Certificate key strength and signature algorithm
Your certificate uses strong modern math (ECDSA P-256+ or RSA-2048+ with SHA-256+).
Certificate chain completeness
Your server sends the full certificate chain — every device builds the path to a trusted root cleanly.
Certificate validity-period brevity
Your certificate uses a short validity window (≤ 90 days) — auto-renewal keeps revocation fast and frictionless.
Your certificate is issued by a tier-1 publicly trusted CA (Let's Encrypt, DigiCert, Google Trust, Sectigo, etc.).
Your TLS handshake completes quickly — under 300ms on a cold connection.
8 additional standards didn't apply to this category
Brand presence87Excellent
We couldn't find a Trustpilot listing. Many consumers check Trustpilot before buying — a missing listing reads as a missing reputation.
Your domain has been registered for years — long enough to clear fraud-detection signals.
Instagram presence (link from site → IG profile)
Your Instagram profile is linked from your site.
9 additional standards didn't apply to this category
SEO94Excellent
Schema.org type validity (parsed JSON-LD)
We didn't find any structured-data tags on your homepage.
Title, meta description, OG, Twitter cards, canonical
Your homepage has the title, description, OG, Twitter, and canonical tags.
Schema.org structured data presence
Your homepage publishes Schema.org structured data — search engines and AI tools can read what your site is directly.
Your homepage has a clear H1 heading — search engines and screen readers know what the page is about.
Your pages publish breadcrumb schema — search results show the path back to important sections.
FAQ / HowTo schema (where applicable)
Your pages publish FAQ / HowTo schema — eligible for rich-result panels in search.
Internal link depth (clicks from homepage to deepest content)
Important pages are reachable in just a click or two from your homepage.
4 additional standards didn't apply to this category
Email health94Excellent
Email forwarding service detected (improvmx, forwardemail, etc.)
We didn't detect any mail forwarding — your inbox provider is unclear.
DMARC is enforcing — spoofed mail from your domain gets quarantined or rejected.
SPF is set and lists your sending services as approved senders.
Branded domain email address (vs free Gmail/Yahoo)
You send email from your own domain, not a free Gmail/Yahoo address.
Email provider class (Workspace / 365 / Zoho / self-hosted / shared)
provider=microsoft_365, mx=aquaticpool-com.mail.protection.outlook.com, source=mx_classifier
DMARC aggregate reporting enabled (rua=)
You're set up to receive daily DMARC reports of spoofing attempts.
Free-email exposure on contact page (gmail/yahoo/outlook visible)
Your published contact address is on your own domain, not a free inbox.
SPF lookup count (10-limit deliverability check)
Your SPF record uses fewer than 10 DNS lookups — under the spec limit.
Mailto: direct contact link present
Your site exposes a mailto: link visitors can tap to start a message.
Lead magnet / signup incentive detected (free download, ebook, etc.)
Your homepage offers a lead magnet — visitors who aren't ready to buy can still leave with something useful.
5 additional standards didn't apply to this category
AI-readiness100Excellent
JSON-LD richness score for LLMs
Your homepage exposes organization details AI tools can pull from.
3 additional standards didn't apply to this category
View formal standards verdicts → Composite-spec rollups for press, regulators, and compliance auditors.
18 additional standards planned, scorer not yet implemented.
Does it respect visitor privacy?50Needs work
You have a terms of service page
No terms of service page found. Without one, you have no contractual basis for the relationship with your visitors.
California privacy opt-out link
No CCPA "Do Not Sell or Share My Personal Information" link found. If you have California visitors and sell or share data, this is required.
How many outside companies you let watch your visitors
Your homepage loads a high number of third-party trackers. Each one slows the page, leaks data, and increases your compliance surface.
2 additional standards didn't apply to this site
Can everyone use it?65Excellent
Your headings are in a sensible order
Your heading levels skip — for example, an H1 followed by an H3 with no H2 in between. Screen reader users lose the outline of the page.
No skip-to-content link is published. Keyboard users have to tab through every nav item on every page before reaching the content.
Text on your homepage doesn't meet WCAG AA contrast minimums against its background. Visitors with low vision can't read parts of the page.
Your photos have written descriptions
Every image on your homepage has alt text — screen readers can describe them.
Your buttons and forms are labeled for screen readers
Interactive elements have proper ARIA labels — screen reader users get a clear description of each control.
2 additional standards didn't apply to this site
Is it fast?68Excellent
Your photos are saved in modern formats
Your images are served as JPEG or PNG when modern formats (WebP, AVIF) would cut their size by 30–60% with no visible loss.
Your text shows up while fonts load
Your fonts aren't using font-display: swap. Visitors see invisible text for a moment while the font downloads — Google penalises this.
How fast your site loads on a phone
Your homepage is slow on mobile. The data Google uses to rank pages says real visitors wait too long for it to feel ready.
Pages get squeezed before they're sent
Your server compresses pages with Brotli or gzip — visitors download a fraction of the raw size.
Your site uses a modern web connection
Your server speaks HTTP/2 — page loads multiplex over a single connection.
Photos lower on the page wait their turn
Below-fold images use loading="lazy" — they download only when the visitor scrolls toward them.
5 additional standards didn't apply to this site
Does this look like a real business?74Excellent
We couldn't find a Trustpilot listing. Many consumers check Trustpilot before buying — a missing listing reads as a missing reputation.
Whether anyone's written about you lately
No news mentions of this domain in the last 30 days.
How long your domain has existed
Your domain has been registered for years — long enough to clear fraud-detection signals.
A contact form people can actually find
A visible contact form is reachable from your homepage.
7 additional standards didn't apply to this site
Is it safe to visit?83Excellent
Visitors connect faster on the first click
Your server doesn't staple OCSP. Visitors' browsers may have to contact the CA themselves, slowing first connects.
Strict mode for your padlock check
Neither OCSP stapling nor Must-Staple is in play. A revoked cert wouldn't be caught quickly.
Your certificate is publicly logged
Your certificate carries only one embedded SCT — modern browsers want at least two. Reissue from a CA that includes them.
WordPress isn't leaking your usernames
Your WordPress site exposes its user list through the REST API. Attackers can enumerate every account by username — the first half of any credential-stuffing attack is already done for them.
Your padlock isn't about to expire
Your SSL certificate is valid and not close to expiring.
Private files aren't open to the public
None of the common admin or developer paths are publicly reachable.
Old TLS versions are turned off
Only modern TLS (1.2 and above) is offered — TLS 1.0 and 1.1 are turned off.
Your padlock isn't using outdated keys
Your certificate uses strong modern math (ECDSA P-256+ or RSA-2048+ with SHA-256+).
Your padlock loads cleanly on every device
Your server sends the full certificate chain — every device builds the path to a trusted root cleanly.
Your padlock renews on a healthy schedule
Your certificate uses a short validity window (≤ 90 days) — auto-renewal keeps revocation fast and frictionless.
Your padlock comes from a reputable vendor
Your certificate is issued by a tier-1 publicly trusted CA (Let's Encrypt, DigiCert, Google Trust, Sectigo, etc.).
Your site finishes its handshake quickly
Your TLS handshake completes quickly — under 300ms on a cold connection.
8 additional standards didn't apply to this site
Is email from this domain trustworthy?92Excellent
Your email is being forwarded, not hosted
We didn't detect any mail forwarding — your inbox provider is unclear.
Stops scammers from emailing customers as you
DMARC is enforcing — spoofed mail from your domain gets quarantined or rejected.
Lists who's allowed to email as your business
SPF is set and lists your sending services as approved senders.
You email from your own domain, not Gmail
You send email from your own domain, not a free Gmail/Yahoo address.
What's actually running your email
provider=microsoft_365, mx=aquaticpool-com.mail.protection.outlook.com, source=mx_classifier
You get reports when someone fakes your email
You're set up to receive daily DMARC reports of spoofing attempts.
Your email setup is under a hidden limit
Your SPF record uses fewer than 10 DNS lookups — under the spec limit.
A clickable email link on your site
Your site exposes a mailto: link visitors can tap to start a message.
4 additional standards didn't apply to this site
Can people find this site?94Excellent
Whether your behind-the-scenes labels are valid
We didn't find any structured-data tags on your homepage.
How your site appears when shared or in search results
Your homepage has the title, description, OG, Twitter, and canonical tags.
Hidden labels that explain your business to Google
Your homepage publishes Schema.org structured data — search engines and AI tools can read what your site is directly.
A clear headline on every page
Your homepage has a clear H1 heading — search engines and screen readers know what the page is about.
A trail showing where visitors are on your site
Your pages publish breadcrumb schema — search results show the path back to important sections.
Common questions answered in a Google-friendly way
Your pages publish FAQ / HowTo schema — eligible for rich-result panels in search.
How easy it is to reach your deepest pages
Important pages are reachable in just a click or two from your homepage.
How well your site feeds AI the right facts
Your homepage exposes organization details AI tools can pull from.
7 additional standards didn't apply to this site