Privacy Policy

We collect three categories of data:

• Account data. Email address, hashed password, optional display name, password reset state. Authentication is provided by an in-house implementation built on top of standard open-source libraries; we never store passwords in plaintext.
• Payment data. Stripe is our payment processor. Stripe collects card details and returns to us only the last 4 digits, brand, expiry, country, and a tokenized payment method reference. We never see or store your full card number.
• Usage data. The URLs you submit, redesigned output, IP address (logged for abuse prevention), browser user-agent, basic device info, and timestamps. See Data Policy for what we do with the URL content specifically.

• Provide the Service: read your URL, generate redesigns, deliver the output.
• Process payments and prevent fraud (via Stripe and Stripe Radar).
• Send you transactional emails: receipts, refund confirmations, password resets, account notifications. We don't send marketing email without explicit opt-in.
• Provide support when you contact us.
• Diagnose bugs, monitor performance, and improve the product.
• Comply with legal obligations and protect against abuse.

We rely on a small set of vendors to operate. Each is a data processor under our instruction and is bound by their own privacy policies and DPAs:

• Stripe — payment processing. stripe.com/privacy
• Vercel — application hosting and serverless functions (US regions).
• Neon — managed PostgreSQL database (US, AWS).
• Anthropic — large-language-model inference for the redesign pipeline. Anthropic does not train on data submitted via the Anthropic API by default.
• DigitalOcean — virtual private server that runs our headless-browser scraper (US, NYC region).
• AWS SES — transactional email delivery (us-east-1) when wired.

• Source HTML. Up to 90 days. We use it for the active redesign; after 90 days we purge raw HTML from artifact storage.
• Rendered output. For the lifetime of the corresponding Site row, plus 30 days after deletion. You can delete a Site at any time.
• Account data. Until you request deletion or close your account.
• Payment records. Retained for 7 years for tax and audit reasons even if your account is deleted, as required by US law.
• Logs. 30 days for routine logs, longer for incident-related logs.

You can request access to, correction of, or deletion of your personal data at any time. Email team@websitemaxxing.com from the address on file. We respond within 30 days.

If you’re a California resident under CCPA / CPRA, an EU/UK resident under GDPR, or a Canadian resident under PIPEDA, you have additional rights including objecting to processing and data portability. Contact us via the email above to exercise them; we don’t require additional fees or friction.

We use a single first-party session cookie (issued by our authentication layer) to keep you signed in. We do not use third-party advertising cookies, marketing pixels, or cross-site trackers. Stripe sets its own anti-fraud cookies on the checkout page; those are governed by Stripe’s privacy policy.

The Service is not directed at children under 13 (or under 16 in some jurisdictions). We don’t knowingly collect data from minors. If you believe a child has signed up, email team@websitemaxxing.com and we’ll delete the account.

Our infrastructure is hosted in the United States (US). If you access the Service from outside the US, you understand that your data is transferred to and stored in the US. Where required, we use Stripe’s and our other processors’ Standard Contractual Clauses for cross-border transfers.

We use TLS in transit, encryption at rest at the database and blob layers, signed-token authentication for admin surfaces, server-side authorization on every privileged route, and strict Content Security Policy on rendered preview pages. No system is perfectly secure; we encourage you to choose a strong password and keep your account credentials private.

We may update this policy. Material changes get notice by email or banner at least seven (7) days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.

Privacy questions, data requests, or concerns: team@websitemaxxing.com

First Commit LLC, 1209 Orange Street, Wilmington, DE 19801, United States