Privacy Policy
Last updated: May 31, 2026
1. Data We Collect
- Account data: email address, password (hashed — we never store or see your plain-text password), Stripe customer ID
- Usage data: session data, messages exchanged during the design process
- Technical data: IP address, browser type, device type
- Uploaded assets: images and documents you provide for your website
- Referral data: if you join the referral program or sign up through someone's referral link, we record the referral relationship — your referral code, who referred whom, and the status of each referral (pending / active / lapsed) — to administer the program (see Section 4)
- Consent records: the terms shown to you and the date, time, plan/price displayed, and IP/session at the moment you agree to the free-month terms or opt in to marketing, kept as proof of consent
- Abandoned-signup data: if you start but do not finish a website, we briefly keep the email you provided and your in-progress build details (see Section 5)
2. How We Use Your Data
- Provide and improve the website design service
- Process payments and run the free month and subscription via Stripe
- Administer the referral program (attribute referrals, calculate rewards, prevent abuse)
- Send transactional emails you need in order to use the service — for example, receipts, password resets, your pre-charge reminder before any charge, and referral-status notices. These are part of the service and are sent regardless of marketing preferences.
- Send marketing emails — such as a reminder to finish a website you started, or occasional tips and referral nudges — only if you have separately opted in (see Section 6). You can withdraw this consent at any time.
We do not sell your personal data to third parties. Ever.
3. Data Storage and Processors
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Account data, session records, referral records, consent records, site metadata | EU/US |
| Cloudflare | Built websites, static hosting, edge delivery, and asset storage | Global CDN |
| Stripe | Payment processing and subscription/free-month billing (we never see or store card numbers) | US/EU |
| Fly.io | Application runtime | United States (IAD) |
| Resend | Transactional and (where you opt in) marketing email delivery | US/EU |
| Anthropic | AI model provider (site generation, conversation) | US |
| AI image generation, business research, and security checks | US/global | |
| Pexels | Stock image search where customer-provided imagery is unavailable | Global |
Where transfers to the United States or other third countries occur, we rely on a dual mechanism: (a) the EU-US Data Privacy Framework (and its UK extension) for processors certified under it; and (b) the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914, Module 2) for all other transfers. We have implemented supplementary technical and organisational measures — encryption in transit and at rest, access controls, and processor agreements — consistent with EDPB Recommendations 01/2020 on supplementary measures. A description of the safeguards in place for any specific processor is available on request from support@x4digital.co.
4. Referral Data
If you take part in the referral program — either by sharing your referral link or by signing up through someone else's link — we process data about the referral relationship: your unique referral code, the link between a referrer and the people they refer, the date a referral was made, and whether each referral is pending, active, or lapsed. We also process this data to detect and prevent abuse of the program (for example, self-referrals across accounts that share a payment card, email, device, or IP address).
Legal basis (GDPR): performance of the contract (operating the referral program you chose to join and calculating the rewards it provides) and our legitimate interest in preventing fraud and abuse of the program. We rely on a link-share design: you share your own link and we do not ask you to upload or import other people's email addresses, so we do not process a non-consenting third party's contact details to send them an invitation.
5. Abandoned-Signup Data & Short Retention
If you begin building a website and provide your email but do not complete signup (you do not place a card on file), we keep the email you gave us and the in-progress details of your build for a short period so that we can let you return and finish, and — only if you opted in — send you a reminder to do so.
- This is pre-account data. It exists before you have an account and is treated separately from account data.
- Retention: abandoned-signup data is automatically deleted after 7 days if you do not complete signup, by an automated purge that runs on a schedule and is logged.
- Legal basis (GDPR): our legitimate interest in letting people resume an unfinished website and recover their work, balanced against the short retention window; plus your consent for any marketing reminder.
6. Marketing Email & Consent
We distinguish clearly between two kinds of email:
- Transactional / service email (receipts, password resets, the pre-charge reminder, referral-status notices) is necessary to provide the service and is sent to all users regardless of marketing choices.
- Marketing email (a reminder to finish a website you started, product tips, referral nudges) is sent only if you have given separate, specific consent via an un-pre-ticked opt-in. If you only asked us to send your unfinished site back to you, that is a transactional message — you will not be enrolled in any marketing drip unless you separately opted in.
You can withdraw marketing consent at any time using the unsubscribe link in any marketing email or by emailing support; we honour unsubscribes and suppress further marketing sends. Withdrawing marketing consent does not stop transactional emails you need to use the service.
Legal basis (GDPR): consent for marketing email; performance of the contract / legitimate interest for transactional email.
7. GDPR (European Union)
Legal bases we rely on: contract performance (building the website you requested; running the free month, subscription, and referral program), legitimate interest (service improvement; fraud and abuse prevention; letting you resume an unfinished build), and consent (marketing email; any non-essential processing).
International transfers: we rely on the dual mechanism described in Section 3, with the supplementary measures noted there.
Your rights:
- Right to access your data
- Right to rectify inaccurate data
- Right to erasure ("right to be forgotten") — request through dashboard support or email
- Right to data portability — download your site files anytime
- Right to object to, or restrict, processing based on legitimate interest, including referral-abuse analysis
- Right to withdraw consent (e.g., marketing) at any time, without affecting processing already carried out
- Right to lodge a complaint with your local data-protection supervisory authority
Data deletion requests are processed within 30 days. Account deletion is handled by support so we can verify the request and preserve or remove any published site URLs according to your explicit instructions.
We do not engage in automated decision-making that produces legal or similarly significant effects about you. The website-generation service is automated, and you review and approve your site before it is published.
8. CCPA (California)
If you are a California resident:
- We disclose the categories of personal information we collect (listed above)
- We do not sell personal information
- You have the right to know what data we hold, request deletion, and opt out of any future sale
9. UK GDPR
UK users receive the same protections as EU GDPR. The ICO (Information Commissioner's Office) is the supervisory authority for UK users.
10. Data Retention
We retain your account data for as long as your account is active. Abandoned-signup data is deleted after 7 days (Section 5). Referral records are retained while the referral relationship is relevant to a live reward and for a reasonable period afterward for audit and fraud-prevention. Consent records are retained as long as needed to evidence the consent and to meet our legal obligations. If you delete your account, associated data is removed within 30 days, except where we must retain limited records to comply with law (for example, transaction records held by Stripe).
11. Cookies & Third-Party Content on Our Site
We use only first-party essential cookies plus a first-party referral-attribution cookie. We do not run third-party advertising or analytics cookies. See our Cookie Policy for the full list.
Self-hosted fonts: our pages and the websites we generate serve fonts from our own servers. We do not load fonts from third-party font CDNs, so visiting our pages does not disclose your IP address to a third-party font provider.
Click-to-load embeds: where a generated website includes a map, video, or social embed, we show a privacy-respecting placeholder by default; the third-party content (and any cookies or data sharing it involves) loads only if the visitor chooses to interact with it.
12. Security
We use industry-standard security measures including encrypted connections (HTTPS), hashed passwords (bcrypt), and access controls. Payment data is handled entirely by Stripe — we never store card numbers.
13. Contact
For privacy-related questions or data requests, email support@x4digital.co.