Legal

Privacy Policy

Last updated: · Questions

This policy describes how First Commit LLC (“we”) collects, uses, and protects information when you use WebsiteMaxxing. We don’t sell your data. We collect the minimum we need to operate the Service. For specifics about how we handle the URLs you submit, see also the Data Policy.

01

Data we collect

We collect three categories of data:

  • Account data. Email address, hashed password, optional display name, password reset state. Authentication is provided by an in-house implementation built on top of standard open-source libraries; we never store passwords in plaintext.
  • Payment data. Stripe is our payment processor. Stripe collects card details and returns to us only the last 4 digits, brand, expiry, country, and a tokenized payment method reference. We never see or store your full card number.
  • Usage data. The URLs you submit, redesigned output, IP address (logged for abuse prevention), browser user-agent, basic device info, and timestamps. See Data Policy for what we do with the URL content specifically.

02

How we use it

  • Provide the Service: read your URL, generate redesigns, deliver the output.
  • Process payments and prevent fraud (via Stripe and Stripe Radar).
  • Send you transactional emails: receipts, refund confirmations, password resets, account notifications. We don't send marketing email without explicit opt-in.
  • Provide support when you contact us.
  • Diagnose bugs, monitor performance, and improve the product.
  • Comply with legal obligations and protect against abuse.

03

Third-party processors

We rely on a small set of vendors to operate. Each is a data processor under our instruction and is bound by their own privacy policies and DPAs:

  • Payment processor. A third-party payment provider handles card details and billing. We never see or store full card numbers. Identity of the payment provider is available on request.
  • Hosting & infrastructure. Application hosting, database, and supporting services run with reputable third-party providers in the United States.
  • Third-party AI / LLM provider. Large-language-model inference used in producing the redesign. We operate under a data-processing agreement that prohibits the provider from training its models on customer content submitted through their API. Provider identity is available on request to team@websitemaxxing.com.
  • Email delivery. A third-party transactional email provider handles account email (receipts, password resets, security alerts).

04

Data retention

  • Source content. Up to 90 days. We use it for the active redesign; after 90 days we purge it.
  • Rendered output. For the lifetime of the generated site. Deletion is immediate — we hard-delete on confirmation, no 30-day soft-delete window.
  • Account data. Until you request deletion or close your account. On deletion we purge immediately, except for the audit-retention residue below.
  • Payment records (audit residue). The one exception to hard-delete. US tax and audit law requires us to keep evidence of transactions after an account is closed: Stripe transaction IDs, charge amounts, and dates, for the period required by applicable law. No card numbers (we never had them), no profile, no usage history.
  • Logs. 30 days for routine logs, longer for incident-related logs.

05

Your rights

You can request access to, correction of, or deletion of your personal data at any time. Email team@websitemaxxing.com from the address on file. We respond within 30 days.

If you’re a California resident under CCPA / CPRA, an EU/UK resident under GDPR, or a Canadian resident under PIPEDA, you have additional rights including objecting to processing and data portability. Contact us via the email above to exercise them; we don’t require additional fees or friction.

06

Cookies

We use a single first-party session cookie (issued by our authentication layer) to keep you signed in. We do not use third-party advertising cookies, marketing pixels, or cross-site trackers. Stripe sets its own anti-fraud cookies on the checkout page; those are governed by Stripe’s privacy policy.

07

Children

The Service is not directed at children under 13 (or under 16 in some jurisdictions). We don’t knowingly collect data from minors. If you believe a child has signed up, email team@websitemaxxing.com and we’ll delete the account.

08

International transfers

Our infrastructure is hosted in the United States (US). If you access the Service from outside the US, you understand that your data is transferred to and stored in the US. Where required, we use Stripe’s and our other processors’ Standard Contractual Clauses for cross-border transfers.

09

Security

We use TLS in transit, encryption at rest, signed-token authentication for administrative surfaces, server-side authorization on every privileged route, and strict Content Security Policy on rendered preview pages. No system is perfectly secure; we encourage you to choose a strong password and keep your account credentials private.

10

Changes

We may update this policy. Material changes get notice by email or banner at least seven (7) days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.

11

Contact

Privacy questions, data requests, or concerns: team@websitemaxxing.com

First Commit LLC, 418 Broadway, STE N, Albany, NY 12207, United States