Home

Privacy Policy

Last updated: May 31, 2026

1. Data We Collect

2. How We Use Your Data

We do not sell your personal data to third parties. Ever.

3. Data Storage and Processors

ProcessorPurposeLocation
SupabaseAccount data, session records, referral records, consent records, site metadataEU/US
CloudflareBuilt websites, static hosting, edge delivery, and asset storageGlobal CDN
StripePayment processing and subscription/free-month billing (we never see or store card numbers)US/EU
Fly.ioApplication runtimeUnited States (IAD)
ResendTransactional and (where you opt in) marketing email deliveryUS/EU
AnthropicAI model provider (site generation, conversation)US
GoogleAI image generation, business research, and security checksUS/global
PexelsStock image search where customer-provided imagery is unavailableGlobal

Where transfers to the United States or other third countries occur, we rely on a dual mechanism: (a) the EU-US Data Privacy Framework (and its UK extension) for processors certified under it; and (b) the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914, Module 2) for all other transfers. We have implemented supplementary technical and organisational measures — encryption in transit and at rest, access controls, and processor agreements — consistent with EDPB Recommendations 01/2020 on supplementary measures. A description of the safeguards in place for any specific processor is available on request from support@x4digital.co.

4. Referral Data

If you take part in the referral program — either by sharing your referral link or by signing up through someone else's link — we process data about the referral relationship: your unique referral code, the link between a referrer and the people they refer, the date a referral was made, and whether each referral is pending, active, or lapsed. We also process this data to detect and prevent abuse of the program (for example, self-referrals across accounts that share a payment card, email, device, or IP address).

Legal basis (GDPR): performance of the contract (operating the referral program you chose to join and calculating the rewards it provides) and our legitimate interest in preventing fraud and abuse of the program. We rely on a link-share design: you share your own link and we do not ask you to upload or import other people's email addresses, so we do not process a non-consenting third party's contact details to send them an invitation.

5. Abandoned-Signup Data & Short Retention

If you begin building a website and provide your email but do not complete signup (you do not place a card on file), we keep the email you gave us and the in-progress details of your build for a short period so that we can let you return and finish, and — only if you opted in — send you a reminder to do so.

6. Marketing Email & Consent

We distinguish clearly between two kinds of email:

You can withdraw marketing consent at any time using the unsubscribe link in any marketing email or by emailing support; we honour unsubscribes and suppress further marketing sends. Withdrawing marketing consent does not stop transactional emails you need to use the service.

Legal basis (GDPR): consent for marketing email; performance of the contract / legitimate interest for transactional email.

7. GDPR (European Union)

Legal bases we rely on: contract performance (building the website you requested; running the free month, subscription, and referral program), legitimate interest (service improvement; fraud and abuse prevention; letting you resume an unfinished build), and consent (marketing email; any non-essential processing).

International transfers: we rely on the dual mechanism described in Section 3, with the supplementary measures noted there.

Your rights:

Data deletion requests are processed within 30 days. Account deletion is handled by support so we can verify the request and preserve or remove any published site URLs according to your explicit instructions.

We do not engage in automated decision-making that produces legal or similarly significant effects about you. The website-generation service is automated, and you review and approve your site before it is published.

8. CCPA (California)

If you are a California resident:

9. UK GDPR

UK users receive the same protections as EU GDPR. The ICO (Information Commissioner's Office) is the supervisory authority for UK users.

10. Data Retention

We retain your account data for as long as your account is active. Abandoned-signup data is deleted after 7 days (Section 5). Referral records are retained while the referral relationship is relevant to a live reward and for a reasonable period afterward for audit and fraud-prevention. Consent records are retained as long as needed to evidence the consent and to meet our legal obligations. If you delete your account, associated data is removed within 30 days, except where we must retain limited records to comply with law (for example, transaction records held by Stripe).

11. Cookies & Third-Party Content on Our Site

We use only first-party essential cookies plus a first-party referral-attribution cookie. We do not run third-party advertising or analytics cookies. See our Cookie Policy for the full list.

Self-hosted fonts: our pages and the websites we generate serve fonts from our own servers. We do not load fonts from third-party font CDNs, so visiting our pages does not disclose your IP address to a third-party font provider.

Click-to-load embeds: where a generated website includes a map, video, or social embed, we show a privacy-respecting placeholder by default; the third-party content (and any cookies or data sharing it involves) loads only if the visitor chooses to interact with it.

12. Security

We use industry-standard security measures including encrypted connections (HTTPS), hashed passwords (bcrypt), and access controls. Payment data is handled entirely by Stripe — we never store card numbers.

13. Contact

For privacy-related questions or data requests, email support@x4digital.co.