Privacy Policy

We collect the following categories of data:

• Account data — your email address, username, display name, and password (stored only as a secure hash, never in plaintext).
• Content you create — your profile, links, images, media, products, and any other content you add to your page.
• Payment data — if you subscribe to a paid plan, payments are processed by Stripe. We do not receive or store your full card number; we store only non-sensitive references (e.g., a Stripe customer ID and subscription status).
• Analytics & visitor data — when visitors view a public page, we collect aggregate analytics such as page views, click counts, referrer URLs, approximate country (derived from IP address), and device/browser type. We use IP addresses transiently to derive approximate location and to protect against abuse; we do not build advertising profiles.
• Sign-in via Google (optional) — if you use Google to sign in, we receive your basic Google profile (name, email) to create or access your account.

We do not sell your personal data.

We use personal data to:

• provide and operate the Service (host your page, authenticate you, show your analytics);
• process subscriptions and payments (via Stripe);
• send transactional emails (e.g., sign-in links, account and billing notices);
• maintain security, prevent fraud and abuse, and enforce our Terms;
• comply with legal obligations and respond to lawful requests.

Where the GDPR or UK GDPR applies, we process personal data on these bases: performance of a contract (to provide the Service you request); legitimate interests (to secure, maintain, and improve the Service and understand aggregate usage); consent (where required, which you can withdraw); and legal obligation.

We share data only with service providers who process it on our behalf, under contract, to run the Service:

• Stripe — payment processing and subscriptions.
• Vercel — application hosting and content delivery.
• Turso / libSQL — database hosting.
• Resend — transactional email delivery.
• Google — optional sign-in (OAuth).

We may also disclose data if required by law, to enforce our Terms, or in connection with a merger, acquisition, or sale of assets. If you enable third-party analytics or tracking pixels (e.g., Google Analytics, Meta, or TikTok) on your own page, those providers process your visitors’ data under their own policies, and you are responsible for any disclosures required of you.

We use a single, essential, httpOnly authentication cookie to keep you signed in, and a local theme preference. We do not use third-party advertising or tracking cookies. If you add tracking pixels to your own page, those services may set cookies on your visitors’ devices.

We keep your account data and content for as long as your account is active. When you delete your account, we delete or anonymize your personal data within a reasonable period, except where we must retain certain records to comply with legal, tax, accounting, or fraud-prevention obligations (for example, payment records retained by Stripe and by us as required by law). Aggregate, de-identified analytics may be retained.

Depending on where you live (including under the GDPR/UK GDPR and the CCPA/CPRA in California), you may have the right to: access the personal data we hold about you; correct inaccurate data; delete your data; export a copy of your data; restrict or object to certain processing; and withdraw consent. California residents have the right to know what we collect and to opt out of any “sale” or “sharing” of personal information — note that we do not sell or share personal information as those terms are defined.

You can edit your profile and delete your account from your settings, or contact us at the address below to exercise any of these rights. We will not discriminate against you for exercising them.

We use industry-standard safeguards: passwords are hashed with bcrypt (cost factor 12); session tokens are signed and stored in httpOnly, secure cookies; all traffic is encrypted in transit with HTTPS/TLS; database access is restricted; and full card data never touches our servers (it is handled by Stripe). No method of transmission or storage is 100% secure, but we work to protect your data and to notify you of material breaches where required by law.

We and our sub-processors may process data in the United States and other countries. Where we transfer personal data from the EEA, UK, or other regions, we rely on appropriate safeguards (such as Standard Contractual Clauses) where required.

The Service is not directed to children under 13 (or the minimum digital-consent age in your country), and we do not knowingly collect their personal data. If you believe a child has provided us personal data, contact us and we will delete it.

We may update this Policy from time to time. We will revise the “Last updated” date and, for material changes, provide additional notice where appropriate. Continued use of the Service after changes take effect means you accept the updated Policy.

For privacy questions or to exercise your rights, contact noumenon.aii@gmail.com (GL FIX LLC). You can also reach us via our report page.