Privacy Policy
Last updated April 26, 2026
SiteCTRL ("we", "us") provides AI agents that edit and deploy your website on hosts you already own. This policy explains what data we collect, why we need it, where it goes, and how to remove it. We aim for plain language; if anything is unclear, email [email protected] and we'll explain.
1. What we collect
- Account info — your email address and (optionally) display name. If you sign in with Google, we receive your email, name, and profile picture from Google's OAuth consent screen. We don't request any other Google scopes.
- Hosting credentials — when you connect a site (e.g. a SiteGround or Cloudflare Pages account), we store the SSH key or API token you provide. Credentials are encrypted at rest with a key encryption key (KEK) held only on our servers and rotated independently of the database.
- Site content — copies of your website files (HTML/CSS/JS/images) that we pull down so the AI agents can edit them. These live in a per-tenant workspace on our infrastructure and aren't shared across customers.
- Agent conversations — chat messages you send to the Setup, Dev, and Prod agents, plus the agents' responses and tool-call traces. Used for serving the product, debugging issues you report, and improving prompts. Not used to train third-party models.
- Billing data — subscription state, payment status, and purchase history. Card numbers are handled directly by Stripe — we never see or store them.
- Operational metadata — IP address, user-agent, page-view timestamps for error monitoring and abuse prevention. Stored for 90 days then aggregated.
2. Who we share with
We use a small number of subprocessors to run the platform. Each only receives the data needed to do its job:
- Anthropic — runs Claude, the AI model behind the agents. Sees your chat messages, the tool-call payloads, and the relevant code being edited. Anthropic does not train on API inputs (per their commercial terms).
- Stripe — payment processing. Sees billing email, plan choice, charge amounts.
- Supabase — authentication + Postgres database (self-hosted on our servers, not Supabase's cloud).
- Resend — transactional email delivery (invites, password resets, billing receipts).
- Cloudflare — DNS, CDN, and tunnel/edge layer.
- Hetzner — physical hosting for our application servers (Germany).
- Google — only if you sign in with Google. Receives the standard OAuth handshake.
We don't sell your data. We don't share it with advertisers. We don't use it to train third-party models. If law enforcement compels disclosure (subpoena, court order), we'll tell you unless legally prohibited from doing so.
3. Where it lives + how it's protected
- All servers are in EU data centers (Hetzner, Germany).
- Traffic between your browser and us is end-to-end TLS via Cloudflare.
- The Postgres database uses schema-per-tenant isolation — each customer's data sits in its own Postgres schema, and queries are scoped at the database level so cross-tenant reads are physically impossible from the application layer.
- SSH credentials and API tokens are encrypted with a separate KEK before they touch the database. The KEK is held in a non-version-controlled file with restricted permissions.
- Backups are taken daily and retained for 30 days, encrypted at rest.
4. Your rights
- Access — request a copy of all data we hold about you.
- Correction — fix anything that's wrong.
- Deletion — delete your account and all associated tenants, workspaces, credentials, and chat history. Stripe retains payment records for tax and accounting compliance independently of our deletion.
- Portability — export your tenant data (chat history, ontology, captured knowledge) as JSON.
- Objection / withdrawal of consent — stop using the service at any time. Existing data is deleted on account closure.
Email [email protected] from the address on your account to exercise any of these. We respond within 30 days (usually within 3 business days).
5. Cookies
We use a small number of cookies, all required for the product to work:
- Auth session cookies — keep you logged in between visits.
- OAuth flow cookies — short-lived, only present during a Google sign-in.
- CSRF token cookies — prevent cross-site form submissions.
We don't use third-party analytics or advertising cookies. There's no cookie banner because there's nothing to consent to beyond the cookies that make sign-in work.
6. Children
SiteCTRL is for businesses managing their own websites. We don't knowingly collect data from anyone under 16. If you believe we have, email us and we'll delete it.
7. Changes to this policy
We'll update the "Last updated" date at the top whenever we change anything material. If a change reduces your privacy in a meaningful way (e.g. we add a new subprocessor), we'll email account holders before it takes effect.
8. Contact
Questions, requests, complaints — [email protected]. For EU residents, you have the right to complain to your local data-protection authority if you believe we've mishandled your data.