Privacy Policy
How SitegenOS collects, uses, and protects your data.
Last updated: April 30, 2026
This Privacy Policy describes how SitegenOS (a product of ApeTec Ltd) collects, uses, and protects your personal data. SitegenOS is registered in England and Wales (company number 17065917) and operates under UK GDPR plus applicable US state privacy laws including the California Consumer Privacy Act (CCPA).
Important: This is a first-pass draft. ApeTec Ltd will publish a UK-solicitor-reviewed version before SitegenOS accepts payment. If you spot anything unclear, email hello@sitegenos.com.
Data controller
ApeTec Ltd is the data controller for personal data collected by SitegenOS. Contact: hello@sitegenos.com.
What we collect
- Account data: email address, password (hashed), display name, role (Builder or Owner), notification preferences, timezone.
- Billing data: processed by Stripe — we never see your card number. We store the Stripe customer ID, subscription state, billing country (for currency selection), and invoice history.
- Generation data: business details you paste into the input (Google Maps listings, addresses, service descriptions), uploaded logos, generated site content, your edit history.
- Site analytics: aggregated view counts and contact-form submission counts on published sites. We do NOT track individual visitors on Builder-published sites.
- Operational data: rate-limit counters (hashed IP addresses, never raw), Turnstile challenge results, abuse-event records, error logs (Sentry), email-delivery records (Postmark message IDs).
- Cookies and local storage: session cookies for authentication, theme preference, cookie-consent state, "Remember this device" preference. See our Cookie Policy for the full list.
Lawful bases (UK GDPR Article 6)
- Contract performance: account, billing, and service-delivery data.
- Legitimate interest: anti-abuse measures, security logs, product improvement.
- Consent: non-essential cookies, marketing communications (we don't send marketing currently).
- Legal obligation: financial records (UK tax retention), DMCA takedown records.
Subprocessors
We share specific data with the following service providers, each bound by data processing agreements:
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase | Authentication, database, storage | Account, generation, site data |
| Anthropic | AI generation (Claude Sonnet) | Generation prompts, business details |
| Stripe | Payment processing | Billing data, Stripe customer ID |
| Postmark | Transactional email | Email addresses, message content |
| Cloudflare | Bot prevention (Turnstile), CDN | IP address, browser fingerprint |
| Vercel | Hosting infrastructure | All site traffic |
| Upstash | Rate-limit storage | Hashed IPs, counters |
| Sentry | Error tracking | Stack traces, user ID |
| Plausible | Marketing-page analytics | Aggregated, no personal data |
| Unsplash | Stock photography (attribution only) | None — we attribute image creators publicly |
We do not sell your data, and we do not share it with third parties beyond these subprocessors and as required by law.
Retention
- Account data: retained until you delete your account, plus a 14-day grace window for recovery.
- Form submissions on generated sites: 12 months, then automatic deletion.
- Billing records: 7 years (UK tax law requirement), with personal identifiers removed beyond Stripe customer ID.
- Abuse-event records: 1 year (anonymized), for security purposes.
- Error logs (Sentry): 90 days.
Your rights (UK GDPR + CCPA)
You have the right to:
- Access: request a copy of personal data we hold about you.
- Rectification: correct inaccurate or incomplete data.
- Deletion: request deletion of your data ("right to be forgotten"). Self-service in account settings.
- Portability: receive your data in a structured, machine-readable format.
- Object: object to processing based on legitimate interest.
- Restrict processing: request we limit how we use your data.
- Withdraw consent: for data we process on a consent basis.
- Opt out of "sale": under CCPA — note that we do not sell personal data.
To exercise any of these, email hello@sitegenos.com. We respond within 30 days.
Data export and deletion
Account settings provide self-service:
- Data export: download a JSON file of your account, sites, and generated content. Available immediately.
- Account deletion: triggers a 14-day soft-delete. After 14 days, hard deletion runs nightly. Owner-billed published sites are preserved (the Owner is the active customer); Builder-only artifacts are removed.
International transfers
ApeTec Ltd is UK-based. Most subprocessors operate in the United States or globally. Where personal data is transferred outside the UK/EEA, we rely on Standard Contractual Clauses (SCCs) as the legal basis.
Children
SitegenOS is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has provided us data, email hello@sitegenos.com.
Changes to this Policy
We will notify you of material changes via email and an in-app banner at least 30 days before they take effect.
Contact
Privacy questions or requests: hello@sitegenos.com.
SitegenOS is a product of ApeTec Ltd, registered in England and Wales, company number 17065917.