Privacy Policy
Last updated: March 2026
1. Who We Are
Websies Ltd ("we", "us", "our") is the data controller responsible for your personal data. We are registered in England and Wales.
Registered address: 20 Wenlock Road, London, England, N1 7GU
Contact: melwin@websies.co
This policy explains how we collect, use, and protect your personal data when you use our website creation and hosting service at websies.co, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. What Data We Collect
Account information: Your name, email address, and password (stored securely in hashed form) when you create an account.
Contact details: Your email address and optional phone number provided during the creative session, used to communicate about your website build.
Business information: Your business name, type, goals, target audience, and other details you share during the AI-guided creative session. This information is used to build your website.
Design preferences: Your colour, font, layout, and style choices made during the creative session.
Uploaded content: Files you upload including logos, images, videos, and documents. These are stored securely and used solely for building your website.
Domain name: Your domain name, if provided, so we can configure your website to use it. We do not register or hold domains — you retain full ownership at all times.
Social media links: Links to your Instagram, Facebook, TikTok, and LinkedIn profiles, if provided, to include on your website.
Inspiration URLs: Links to websites you admire, used as design reference.
Chat history: The conversation between you and our AI assistant during the creative session.
Payment information: Your payment details are processed directly by Stripe. We do not store your card number or banking details. We store your Stripe customer ID and subscription status.
Technical data: Your IP address (used for country/currency detection), browser type, and basic usage data.
3. How We Use Your Data
We use your data for the following purposes:
- To provide our service: Building and hosting your website based on the information and preferences you provide
- To communicate with you: Sending updates about your website build, requesting additional information, and notifying you when your site is ready for review
- To process payments: Managing your subscription and billing through Stripe
- To improve our service: Understanding how our service is used so we can make it better
- To provide support: Responding to your questions and requests
We do not use your data for marketing purposes. We will never sell, rent, or share your personal data with third parties for their marketing purposes.
4. Legal Basis for Processing
Under UK GDPR, we process your data on the following legal bases:
- Contractual necessity (Article 6(1)(b)): Processing your account, business, and design data is necessary to deliver the website service you have subscribed to
- Legitimate interest (Article 6(1)(f)): Basic analytics and service improvement, where our interest does not override your rights
- Legal obligation (Article 6(1)(c)): Where we are required to retain data for tax, accounting, or legal purposes
5. Who We Share Your Data With
We share your data only with the following third-party service providers, strictly for the purpose of delivering our service:
- OpenAI (USA) — Your chat messages and business information are sent to OpenAI's API to power the AI creative session. OpenAI processes this data to generate responses and does not use data sent via the API to train its models. Data transferred: chat messages, business details.
- Stripe (USA) — Processes your payments securely. Stripe is PCI DSS Level 1 certified. Data transferred: email, payment details.
- Supabase (EU region) — Hosts our database and file storage. Your account data, session data, and uploaded files are stored here. Data stored: all account and session data.
- Vercel (USA/Global) — Hosts our website and serverless functions. Processes page requests. Data processed: page requests, IP addresses.
- Resend (USA) — Sends transactional emails (account confirmation, build updates). Data transferred: email address.
We do not share your data with anyone else unless required by law.
6. International Data Transfers
Some of our service providers are based in the United States. When your data is transferred outside the UK, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office
- UK International Data Transfer Agreements where applicable
- Providers certified under recognised data protection frameworks
7. Data Retention
- Active accounts: We retain your data for as long as your subscription is active
- After cancellation: We retain your account and session data for up to 90 days after cancellation, in case you wish to resubscribe. After that, it is deleted
- Uploaded files: Deleted within 90 days of account cancellation
- Payment records: Retained for 6 years as required by UK tax and accounting regulations
- Support correspondence: Retained for 12 months after resolution
You can request earlier deletion at any time (see Your Rights below).
8. Data Security
We take the security of your data seriously and implement appropriate measures including:
- Encryption of data in transit (TLS/SSL) and at rest
- Passwords stored using secure one-way hashing
- Access controls and role-based permissions
- Secure payment processing via Stripe (PCI DSS Level 1)
- Private storage buckets for uploaded files
- Regular security reviews
10. Your Rights
Under UK GDPR, you have the following rights:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate data
- Right to erasure: Request deletion of your data (subject to legal retention requirements)
- Right to restriction: Request that we limit how we use your data
- Right to data portability: Request your data in a machine-readable format
- Right to object: Object to processing based on legitimate interest
To exercise any of these rights, contact us at melwin@websies.co. We will respond within 30 days.
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Website: ico.org.uk
Phone: 0303 123 1113
11. Children
Our service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this policy from time to time. If we make significant changes, we will notify you by email. The "last updated" date at the top of this page indicates when this policy was last revised.
13. Contact
If you have any questions about this policy or how we handle your data, contact us at:
Websies Ltd
Email: melwin@websies.co