Privacy Policy
Last updated June 4, 2026
This policy explains what data Websy collects, why, and what we’ll never do with it. It’s written to be readable, not to bury anything.
What we collect
We try to collect as little as possible. Here’s the full list:
- Account information. Your email address (used to sign in and contact you) and an optional name. Stored with our authentication provider (Supabase).
- Billing information. If you pay for a plan or boost, Stripe collects your card details directly — Websy never sees or stores your full card number. We do store your Stripe customer ID and subscription status so we can serve the right features.
- Content you create. The websites you build, images you upload, enquiries you receive, and chat messages you send while working with our AI. This is stored so you can come back to it.
- Usage data. Basic information about how you use Websy — AI credit usage, plan tier, generation events. We use this to enforce plan limits and improve the product.
- Error reports. When something breaks, we capture a stack trace, the URL where it happened, and (optionally) a session replay so we can fix it. Sent to Sentry. We don’t record form input values.
- Analytics on websy.ai. We use cookieless, server-side analytics to count page views. No third-party tracking, no advertising pixels.
What we don’t collect
- Card numbers (Stripe handles that).
- Browsing activity outside of Websy.
- Personal data about your published-website visitors, beyond what they choose to submit through your forms (see below).
- Anything from cookies for advertising or cross-site tracking.
How we use it
- To run the Service — sign you in, save your work, bill you.
- To send you transactional emails (new-enquiry notifications, billing receipts, important account updates). We don’t send marketing emails without opt-in.
- To answer your support questions.
- To improve Websy. Aggregate, de-identified usage patterns help us understand what to build next.
- To comply with the law if we’re required to (e.g. a valid legal request).
We do not sell your data. We do not share your content with any third party for their marketing or training.
Subprocessors
We rely on the following services to operate Websy. Each one acts as a data processor on our behalf and is bound by their own privacy terms:
- Supabase — authentication, database, file storage.
- Vercel — hosting and serverless functions for websy.ai and your published websites.
- Stripe — payment processing for subscriptions and boosts.
- Anthropic — Claude language models for website generation. Inputs and outputs are processed under Anthropic’s commercial terms; they do not train on your data.
- Google Gemini API — image generation for generated website photography.
- Resend — sending transactional and enquiry-notification emails.
- Sentry — capturing error reports so we can fix bugs.
Form messages on your published websites
When a visitor fills out a form on a website you published with Websy, we collect their message so you can read it in your inbox and we’ll email you a copy. We are acting as your data processor here — you (the website owner) are the data controller. You should disclose your own data practices to your visitors via your website’s privacy notice if your business or jurisdiction requires one.
This data is stored until you delete the message, delete the website, or close your account.
How long we keep your data
- Account, websites, and the messages you receive: as long as your account is active.
- Stripe billing records: kept by Stripe according to their retention policies.
- Page version history: up to 20 versions per page; older versions are dropped automatically.
- After account closure: 30 days of soft-deletion (for recovery), then permanent deletion.
- Error and analytics logs: 90 days, then deleted.
Your rights
You have the right to:
- Access. See what data we hold about you. Email support and we’ll send you a copy.
- Correct. Update any incorrect data. Most of it you can edit from your account.
- Delete. Request that we erase your account and all associated data. You can do this from Settings > General inside the builder, or by emailing support@websy.ai.
- Export. Get a copy of your websites and the messages you receive in a portable format. Email us.
- Object or restrict. Tell us to stop processing your data for any particular purpose where that’s practical.
For EU and UK residents, our legal basis for processing is the performance of our contract with you (running the Service) and legitimate interests (improving the Service, preventing abuse). For California residents, you have specific rights under CCPA which match the above.
International data transfers
Our primary hosting is in the United States. If you’re using Websy from outside the US, your data will be transferred to and processed in the US. Our subprocessors (Supabase, Vercel, Stripe, etc.) may also process data in other regions.
Security
We use industry-standard security practices: encrypted connections (TLS), encrypted storage at rest, scoped API keys, and row-level security on our database. We are not perfect and no system can guarantee against every possible breach. If we discover a security incident affecting your data, we’ll notify you promptly.
Children
Websy is not directed at children under 13. If you believe a child has provided us with personal information, email support@websy.ai and we’ll delete it.
Changes
If we materially change how we handle your data, we’ll notify you by email or via an in-app banner before the change takes effect.
Contact
Privacy questions or rights requests? support@websy.ai. We’ll respond within a few business days.