Privacy Policy

ZonedWeb is committed to protecting personal data and handling it transparently. This policy explains what we collect, why, how we secure it, and the rights and controls available to you and to business customers.

Effective: April 1, 2026Last updated: June 2026

Data Processing Addendum

GDPR-compliant DPA available to business customers on request.

Sub-processor transparency

Full sub-processor list published below; 30-day notice of changes.

Your data, exportable

Real WordPress output — export and leave anytime, no lock-in.

1Scope & Data Controller

This policy applies to the ZonedWeb website, dashboard, AI builder, and hosted sites (collectively, the "Service"). For personal data processed about you as an account holder, ZonedWeb acts as the data controller. For personal data contained within the sites you build and publish, you are the controller and ZonedWeb acts as your data processor — see Section 12.

2Information We Collect

  • Account information — email, name, and a hashed password, to create and secure your account.
  • Billing information — handled by Stripe; we store only plan status and limited transaction metadata, never full card numbers.
  • Usage data — templates viewed, saved, and deployed; feature usage, to operate and improve the Service.
  • Site content — text, media, and AI-generated content you create; hosted so your visitors can access your site.
  • AI conversations — your prompts to the AI builder, retained on your session so you can resume work.
  • Technical data — IP address, browser, and device information, for security, rate-limiting, and analytics.

3How We Use It & Legal Bases

We process personal data only where we have a lawful basis under the GDPR:

  • Performance of a contract — to provide the Service, your account, and hosting.
  • Legitimate interests — to secure the Service, prevent abuse, analyse usage, and improve features (balanced against your rights).
  • Legal obligation — to retain billing/tax records and respond to lawful requests.
  • Consent — where required (e.g. certain communications); withdrawable at any time.

We do not: sell your personal data; use your site content or AI conversations to train AI models; or access your private content except where you explicitly request support.

4AI Processing

AI generation and editing requests are processed via Anthropic's Claude API. Prompts and the relevant context are transmitted to Anthropic solely to return a response. Per Anthropic's commercial terms, this data is not used to train their models. We retain your AI conversation on your session so you can continue your work and can delete it on request.

5Sharing & Sub-processors

We share personal data only with the service providers necessary to operate ZonedWeb, each bound by contract (including data-protection terms) to protect your data and process it only on our instructions:

Sub-processorPurposeRegion
Anthropic (Claude API)AI generation & editing requestsUnited States
Hetzner OnlineApplication & site hostingEuropean Union (Germany)
CloudflareDNS, CDN, DDoS protection, WAFGlobal edge network
StripePayment processing (paid plans)United States / EU

We may also disclose data where required by law, to enforce our terms, or in connection with a merger or acquisition (with notice). Business customers receive 30 days' notice of new sub-processors under our DPA.

6International Data Transfers

Your data is primarily hosted in the European Union (Hetzner, Germany). Where data is transferred outside the EEA/UK — for example to Anthropic or Stripe in the United States — we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) and supplementary measures.

7Data Security

  • Encryption in transit (TLS) across all connections.
  • Passwords stored only as salted hashes; secrets encrypted at rest.
  • Role-based access controls and least-privilege access for staff.
  • Network protection (WAF, DDoS mitigation, rate limiting) at the edge.
  • Regular backups and monitoring; prompt breach notification where legally required.

No method of transmission or storage is 100% secure, but we maintain safeguards appropriate to the sensitivity of the data we hold.

8Data Retention

We retain account data while your account is active. When you delete your account, we delete associated personal data within 30 days, except records we are legally required to keep (e.g. billing/tax records). Backups are purged on a rolling schedule.

9Your Rights (GDPR)

Subject to applicable law, you may exercise the following rights:

  • Access — obtain a copy of your personal data.
  • Rectification — correct inaccurate data.
  • Erasure — delete your account and associated data.
  • Portability — export your content in a standard format (your site is real WordPress and fully exportable).
  • Restriction & objection — limit or object to certain processing.
  • Withdraw consent — where processing is based on consent.

Email [email protected]; we respond within 30 days. You also have the right to lodge a complaint with your supervisory authority.

10California Privacy Rights (CCPA/CPRA)

California residents have the right to know what personal information we collect, to request deletion, to correct it, and to opt out of "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA, and we do not discriminate against you for exercising your rights. To make a request, email [email protected].

11Cookies & Tracking

We use a minimal set of cookies and local storage. We do not use third-party advertising cookies.

NameTypePurposeRetention
Session tokenStrictly necessaryKeep you signed inSession / up to 30 days
Preferences (localStorage)FunctionalBookmarks, saved templates, UI settingsUntil cleared
Security / rate-limitStrictly necessaryAbuse prevention, fraud detectionShort-lived

12Business & Enterprise Customers

For personal data contained in the sites you build, ZonedWeb acts as your processor. We make available a Data Processing Addendum (DPA) incorporating GDPR Article 28 terms and the EU SCCs. The DPA covers sub-processor management (with advance notice of changes), confidentiality, security obligations, breach notification, and assistance with data-subject requests. To request the DPA, email [email protected].

13Children

The Service is not directed to children under 13 (or the applicable age in your jurisdiction), and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.

14Changes to This Policy

We may update this policy as our practices or the law evolve. We will revise the "Last updated" date and, for material changes, provide notice by email or in-product.

15Contact & Data Protection

For privacy questions, requests, or to reach our data protection contact, email [email protected]. For general support, see our Help Center.

This policy is provided for transparency and does not constitute legal advice. Where this policy conflicts with a signed agreement (such as a DPA or enterprise contract), that agreement governs.