Privacy Policy

Last updated: June 2, 2026

Who we are

website-automation is an AI website builder. This policy explains what data we collect, how we use it, and what choices you have. If you have questions, email us at tahakutays@gmail.com.

What we collect

  • Account info: email address and any name/avatar you supply via Google sign-in.
  • Prompts and site content: text you enter to generate sites, along with the AI-generated copy and image prompts.
  • Billing data: handled by Stripe — we never see your card number. We keep a Stripe customer ID and subscription status.
  • Technical data: IP address (hashed for rate-limit purposes only), user-agent, and standard server logs.
  • Cookies: a session cookie to track anonymous trial generations (7-day TTL), and auth cookies issued by Supabase after sign-in (rotating, ~1-hour access token + ~30-day refresh). No third-party tracking or advertising cookies.

How we use it

  • To generate sites with Anthropic Claude based on your prompt.
  • To fetch reference images via Pollinations and cache them.
  • To enforce per-plan generation quotas and prevent abuse.
  • To process payments through Stripe.
  • To send transactional email (sign-in links, receipts).

We do not sell your data, and we do not use your prompts to train any models.

Third parties

We share only what's necessary with a small set of sub-processors. The full, current list (with regions and DPA links) lives at /legal/sub-processors. At a glance: Supabase (database + auth), Vercel (hosting), Anthropic (AI generation), Stripe (payments), Resend (email), Unsplash + Pollinations (site imagery).

Your rights

  • Access — see all data we have about you on request.
  • Deletion — delete your account at any time (email us).
  • Export — download your sites' content as JSON.
  • Correction — edit your profile in the dashboard.
  • If you're in the EU/EEA, you have rights under GDPR. We respond to requests within 30 days.

Data retention

  • Anonymous trial previews: 24 hours, then automatically deleted.
  • Account data: kept while your account is active, deleted within 30 days of account closure.
  • Billing records: 7 years (legal requirement).

Security

All traffic is served over HTTPS. Passwords are never stored — authentication uses magic links or Google OAuth. Database access is restricted by row-level security so your data is only visible to you.

Changes

If we materially change this policy, we'll email account holders. Continued use after such changes constitutes acceptance.