Privacy Policy
Last updated: April 11, 2026
1. Data We Collect
- Account data: email address, password (hashed — we never store or see your plain-text password), Stripe customer ID
- Usage data: session data, messages exchanged during the design process
- Technical data: IP address, browser type, device type
- Uploaded assets: images and documents you provide for your website
2. How We Use Your Data
- Provide and improve the website design service
- Process payments via Stripe
- Send transactional emails (receipts, renewal reminders)
We do not sell your personal data to third parties. Ever.
3. Data Storage and Processors
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Account data, session records, site metadata | EU/US |
| Cloudflare Pages | Built websites, static hosting | Global CDN |
| Stripe | Payment processing (we never see or store card numbers) | US/EU |
| Fly.io | Application servers (proxy + engine) | Paris, France (CDG) |
| Anthropic | AI model provider (site generation, conversation) | US |
| Google (Gemini) | AI image generation | US |
4. GDPR (European Union)
Legal basis: Contract performance (building the website you requested) and legitimate interest (service improvement).
Your rights:
- Right to access your data
- Right to rectify inaccurate data
- Right to erasure ("right to be forgotten") — request via dashboard or email
- Right to data portability — download your site files anytime
Data deletion requests are processed within 30 days. You can delete your account directly from the dashboard.
We do not engage in automated decision-making with legal effects.
5. CCPA (California)
If you are a California resident:
- We disclose the categories of personal information we collect (listed above)
- We do not sell personal information
- You have the right to know what data we hold, request deletion, and opt out of any future sale
6. UK GDPR
UK users receive the same protections as EU GDPR. The ICO (Information Commissioner's Office) is the supervisory authority for UK users.
7. Data Retention
We retain your data for as long as your account is active. If you delete your account, all associated data is removed within 30 days.
8. Security
We use industry-standard security measures including encrypted connections (HTTPS), hashed passwords (bcrypt), and access controls. Payment data is handled entirely by Stripe — we never store card numbers.
9. Contact
For privacy-related questions or data requests, email support@x4digital.co.