Privacy Policy

Last updated: March 28, 2026 · Version 2026-03-28-v2

1. Data Controller

The data controller for your personal data is ChatToSite sp. z o.o., Gen. Luciana Żeligowskiego 32/34, 90-643 Łódź, Poland (“ChatToSite,” “we,” “us”).

Contact for data protection inquiries: hello@chattosite.com

2. Data We Collect

2.1 Account Data

  • Email address — provided during registration, used for authentication, notifications, and communication.
  • Password — stored as a cryptographic hash by our authentication provider (Supabase). We never have access to your plaintext password.
  • Account identifiers — unique user ID, session ID, Lemon Squeezy customer ID.

2.2 Project and Content Data

  • Website code, files, pages, assets, and configuration created through the Service.
  • AI chat messages and prompts submitted to generate or modify content.
  • Form submissions received on your published websites.

2.3 Payment Data

  • Transaction records: payment amounts, dates, plan type, billing interval.
  • Lemon Squeezy handles full payment card details — we never store credit card numbers.

2.4 Domain Data

  • Domain names purchased, registration dates, expiry dates, DNS configuration.
  • WHOIS privacy is enabled by default; your personal information is not published in WHOIS records.

2.5 Technical Data

  • IP address, browser type and version, operating system.
  • Error logs, crash reports from the browser-based editor.
  • API request metadata (endpoint, timestamp, user agent).

3. Legal Basis for Processing (GDPR Article 6)

  • Contract performance (Art. 6(1)(b)) — processing necessary to provide the Service: account management, website building, hosting, domain registration.
  • Legitimate interest (Art. 6(1)(f)) — security, fraud prevention, service improvement, error monitoring, usage analytics.
  • Consent (Art. 6(1)(a)) — for optional communications, marketing (if applicable).
  • Legal obligation (Art. 6(1)(c)) — tax and accounting records, law enforcement requests.

4. Third-Party Data Processors

We share your data with the following third-party service providers who process data on our behalf:

ProviderPurposeData Shared
SupabaseAuthentication, databaseEmail, password hash, session tokens, all project data
Lemon SqueezyPayment processing (Merchant of Record)Email, payment details, billing address
DynadotDomain registrationDomain names (WHOIS privacy enabled)
CloudflareWebsite hosting, CDN, DNSWebsite content, domain configuration, visitor IP addresses
Google (Gemini AI)AI content generation, automated build repairAI prompts, project code snippets, build error logs (no personal data is sent)
ResendEmail deliveryEmail address, notification content

5. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our infrastructure providers operate. These transfers are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR.

6. Data Retention

  • Account data: retained while your account is active. When you confirm account deletion, your account data, projects, files, and associated records are permanently deleted immediately in accordance with GDPR Article 17 (“without undue delay”).
  • Project data: retained while your account is active; permanently deleted together with your account.
  • Payment records: retained for 5 years for tax and legal compliance (Polish tax law).
  • Consent logs: retained for 5 years as proof of legal consent, even after account deletion.
  • Technical logs (error logs, API logs): automatically purged after 90 days. Logs associated with a deleted account are removed during the next scheduled cleanup cycle.
  • Deployment logs: automatically purged after 180 days.

7. Your Rights (GDPR Articles 15-22)

As a data subject, you have the following rights:

  • Access (Art. 15) — request a copy of your personal data.
  • Rectification (Art. 16) — correct inaccurate data.
  • Erasure (Art. 17) — request deletion of your data (“right to be forgotten”).
  • Restriction (Art. 18) — restrict processing in certain circumstances.
  • Data Portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Objection (Art. 21) — object to processing based on legitimate interests.
  • Withdraw Consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at hello@chattosite.com. We will respond within 30 days as required by GDPR.

You also have the right to lodge a complaint with the Polish supervisory authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw, Poland.

8. Cookies and Browser Storage

For details on cookies and browser storage used by the Service, please see our Cookie Policy.

9. Children

The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 14 days before the changes take effect. The “Last updated” date at the top of this page indicates when the policy was last revised.

11. Contact

ChatToSite sp. z o.o.
Gen. Luciana Żeligowskiego 32/34
90-643 Łódź, Poland
Email: hello@chattosite.com