1Scope & Data Controller
This policy applies to the ZonedWeb website, dashboard, AI builder, and hosted sites (collectively, the "Service"). For personal data processed about you as an account holder, ZonedWeb acts as the data controller. For personal data contained within the sites you build and publish, you are the controller and ZonedWeb acts as your data processor — see Section 12.
2Information We Collect
- Account information — email, name, and a hashed password, to create and secure your account.
- Billing information — handled by Stripe; we store only plan status and limited transaction metadata, never full card numbers.
- Usage data — templates viewed, saved, and deployed; feature usage, to operate and improve the Service.
- Site content — text, media, and AI-generated content you create; hosted so your visitors can access your site.
- AI conversations — your prompts to the AI builder, retained on your session so you can resume work.
- Technical data — IP address, browser, and device information, for security, rate-limiting, and analytics.
3How We Use It & Legal Bases
We process personal data only where we have a lawful basis under the GDPR:
- Performance of a contract — to provide the Service, your account, and hosting.
- Legitimate interests — to secure the Service, prevent abuse, analyse usage, and improve features (balanced against your rights).
- Legal obligation — to retain billing/tax records and respond to lawful requests.
- Consent — where required (e.g. certain communications); withdrawable at any time.
We do not: sell your personal data; use your site content or AI conversations to train AI models; or access your private content except where you explicitly request support.
4AI Processing
AI generation and editing requests are processed via Anthropic's Claude API. Prompts and the relevant context are transmitted to Anthropic solely to return a response. Per Anthropic's commercial terms, this data is not used to train their models. We retain your AI conversation on your session so you can continue your work and can delete it on request.
5Sharing & Sub-processors
We share personal data only with the service providers necessary to operate ZonedWeb, each bound by contract (including data-protection terms) to protect your data and process it only on our instructions:
| Sub-processor | Purpose | Region |
|---|---|---|
| Anthropic (Claude API) | AI generation & editing requests | United States |
| Hetzner Online | Application & site hosting | European Union (Germany) |
| Cloudflare | DNS, CDN, DDoS protection, WAF | Global edge network |
| Stripe | Payment processing (paid plans) | United States / EU |
We may also disclose data where required by law, to enforce our terms, or in connection with a merger or acquisition (with notice). Business customers receive 30 days' notice of new sub-processors under our DPA.
6International Data Transfers
Your data is primarily hosted in the European Union (Hetzner, Germany). Where data is transferred outside the EEA/UK — for example to Anthropic or Stripe in the United States — we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) and supplementary measures.
7Data Security
- Encryption in transit (TLS) across all connections.
- Passwords stored only as salted hashes; secrets encrypted at rest.
- Role-based access controls and least-privilege access for staff.
- Network protection (WAF, DDoS mitigation, rate limiting) at the edge.
- Regular backups and monitoring; prompt breach notification where legally required.
No method of transmission or storage is 100% secure, but we maintain safeguards appropriate to the sensitivity of the data we hold.
8Data Retention
We retain account data while your account is active. When you delete your account, we delete associated personal data within 30 days, except records we are legally required to keep (e.g. billing/tax records). Backups are purged on a rolling schedule.
9Your Rights (GDPR)
Subject to applicable law, you may exercise the following rights:
- Access — obtain a copy of your personal data.
- Rectification — correct inaccurate data.
- Erasure — delete your account and associated data.
- Portability — export your content in a standard format (your site is real WordPress and fully exportable).
- Restriction & objection — limit or object to certain processing.
- Withdraw consent — where processing is based on consent.
Email [email protected]; we respond within 30 days. You also have the right to lodge a complaint with your supervisory authority.
10California Privacy Rights (CCPA/CPRA)
California residents have the right to know what personal information we collect, to request deletion, to correct it, and to opt out of "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA, and we do not discriminate against you for exercising your rights. To make a request, email [email protected].
11Cookies & Tracking
We use a minimal set of cookies and local storage. We do not use third-party advertising cookies.
| Name | Type | Purpose | Retention |
|---|---|---|---|
| Session token | Strictly necessary | Keep you signed in | Session / up to 30 days |
| Preferences (localStorage) | Functional | Bookmarks, saved templates, UI settings | Until cleared |
| Security / rate-limit | Strictly necessary | Abuse prevention, fraud detection | Short-lived |
12Business & Enterprise Customers
For personal data contained in the sites you build, ZonedWeb acts as your processor. We make available a Data Processing Addendum (DPA) incorporating GDPR Article 28 terms and the EU SCCs. The DPA covers sub-processor management (with advance notice of changes), confidentiality, security obligations, breach notification, and assistance with data-subject requests. To request the DPA, email [email protected].
13Children
The Service is not directed to children under 13 (or the applicable age in your jurisdiction), and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.
14Changes to This Policy
We may update this policy as our practices or the law evolve. We will revise the "Last updated" date and, for material changes, provide notice by email or in-product.
15Contact & Data Protection
For privacy questions, requests, or to reach our data protection contact, email [email protected]. For general support, see our Help Center.
This policy is provided for transparency and does not constitute legal advice. Where this policy conflicts with a signed agreement (such as a DPA or enterprise contract), that agreement governs.