Privacy Policy
Effective date: 2026-06-17 · Last reviewed: 2026-06-17
1. Data we collect
Account data
When you sign in with Google, we receive the name, email address, and profile picture associated with your Google account, and confirmation that Google has verified your email. We do not receive your Google password.
Content you create
The websites, pages, text, and images you generate, upload, or edit. This includes business descriptions you type for AI generation, uploaded media, and the conversation history used to edit pages. This data is stored to provide and host your site.
Usage & technical data
Plan, billing state, feature usage (message/media counts used to enforce your plan), approximate IP address (derived for rate-limiting and abuse prevention), browser type, and service logs.
Billing data
We store a reference to your Stripe/PayPal customer and subscription. Card numbers are handled entirely by Stripe/PayPal — we never receive or store full card details.
2. How and why we use it
| Data | Purpose |
|---|---|
| Account data | Identify you, secure your account, prevent fraud/abuse |
| Content | Build, host, and publish your websites; enable AI-assisted editing |
| Usage | Enforce plan limits, bill correctly, improve the Service |
| Billing references | Process subscriptions, taxes, refunds, and disputes |
| Technical/logs | Operate, monitor, secure, and troubleshoot the Service |
3. Legal bases (EEA / UK / Switzerland — GDPR)
- Performance of a contract — hosting your site and providing features you requested.
- Legitimate interests — security, fraud/abuse prevention, and service improvement, balanced against your rights.
- Legal obligation — tax and record-keeping duties.
- Consent — for non-essential cookies or optional analytics, where applicable.
4. Third parties & sub-processors
We rely on the following providers, each under their own terms and data practices:
| Provider | Used for | Data shared |
|---|---|---|
| Sign-in (OAuth) | Name, email, profile picture | |
| Stripe / PayPal | Payments | Billing references (not card numbers) |
| MiniMax | AI content generation | Text prompts you submit for generation/editing |
| Cloudflare | Media storage (R2), CDN, Pages hosting | Your site content & media |
| Cloud infrastructure | Hosting the Service | All Service data |
We do not sell your personal data.
5. AI content generation
To generate and edit website content, the text you provide (such as a business description or an edit instruction) is sent to our AI provider. Generated content is validated by our sandbox before it is stored or shown. Avoid submitting personal data about other people (e.g. customer lists) in prompts. AI output may be inaccurate; review before publishing.
6. Cookies
We use a strictly necessary authentication cookie (HttpOnly, Secure over HTTPS, SameSite=Strict) to keep you signed in, and a short-lived cookie during Google sign-in to prevent CSRF. We do not use advertising cookies. See our Cookie Policy for detail.
7. Retention
We keep your data for as long as your account is active. When you delete your account, we cancel any subscription, delete your sites and their content, remove uploaded media (including from object storage), and clear your session. Limited records (e.g. billing references, tax records) are kept as required by law. Published sites remain online only while the account/site exists.
8. Your rights
Depending on where you live, you may have the right to:
- Access the data we hold about you;
- Correct inaccurate data;
- Delete your data (you can do this instantly via Delete account in the dashboard);
- Export a copy of your site content (backup);
- Object to or restrict certain processing;
- Withdraw consent where we rely on it;
- Lodge a complaint with your local data protection authority.
California residents: see the CCPA note below. To exercise any right, email [email protected].
California (CCPA / CPRA)
We do not sell personal information. California residents may request disclosure, deletion, and correction of their personal information and may designate an authorised agent.
9. International transfers
Your data is processed in the region where our infrastructure and providers operate (including Singapore, the United States, and the EU, depending on the provider). Where data leaves the EEA/UK/Switzerland, we rely on appropriate safeguards such as Standard Contractual Clauses.
10. Children
The Service is not directed to children under 16 (or the minimum age in your country). We do not knowingly collect their data. If you believe a child has provided data, contact us and we will delete it.
11. Security
Access is authenticated, data is isolated per site, traffic is encrypted (HTTPS), inputs are validated, and secrets are kept out of the application. No method of transmission or storage is fully secure; we aim for strong, defence-in-depth controls appropriate to the data.
12. Changes to this policy
We may update this policy. For material changes we will notify you (e.g. in-app or by email) and update the "Effective date" above. Continued use after a change constitutes acceptance.
13. Contact
Questions or requests: [email protected].
EU/UK representative (where required): BizTransit Sdn Bhd, Level 28, Lingkaran Syed Putra, Mid Valley City, 59200, Kuala Lumpur, Malaysia. Email: [email protected].