Privacy Policy
Last updated: April 11, 2026
1. Data We Collect
- Account data: email address, password (hashed — we never store or see your plain-text password), Stripe customer ID
- Usage data: session data, messages exchanged during the design process
- Technical data: IP address, browser type, device type
- Uploaded assets: images and documents you provide for your website
2. How We Use Your Data
- Provide and improve the website design service
- Process payments via Stripe
- Send transactional emails (receipts, renewal reminders)
We do not sell your personal data to third parties. Ever.
3. Data Storage and Processors
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Account data, session records, site metadata | EU/US |
| Cloudflare | Built websites, static hosting, edge delivery, and asset storage | Global CDN |
| Stripe | Payment processing (we never see or store card numbers) | US/EU |
| Fly.io | Application runtime | United States (IAD) |
| Resend | Transactional email delivery | US/EU |
| Anthropic | AI model provider (site generation, conversation) | US |
| AI image generation, business research, and security checks | US/global | |
| Pexels | Stock image search where customer-provided imagery is unavailable | Global |
4. GDPR (European Union)
Legal basis: Contract performance (building the website you requested) and legitimate interest (service improvement).
Your rights:
- Right to access your data
- Right to rectify inaccurate data
- Right to erasure ("right to be forgotten") — request through dashboard support or email
- Right to data portability — download your site files anytime
Data deletion requests are processed within 30 days. Account deletion is handled by support so we can verify the request and preserve or remove any published site URLs according to your explicit instructions.
We do not engage in automated decision-making with legal effects.
5. CCPA (California)
If you are a California resident:
- We disclose the categories of personal information we collect (listed above)
- We do not sell personal information
- You have the right to know what data we hold, request deletion, and opt out of any future sale
6. UK GDPR
UK users receive the same protections as EU GDPR. The ICO (Information Commissioner's Office) is the supervisory authority for UK users.
7. Data Retention
We retain your data for as long as your account is active. If you delete your account, all associated data is removed within 30 days.
8. Security
We use industry-standard security measures including encrypted connections (HTTPS), hashed passwords (bcrypt), and access controls. Payment data is handled entirely by Stripe — we never store card numbers.
9. Contact
For privacy-related questions or data requests, email support@x4digital.co.