Privacy Policy
Last updated: 26 April 2026
This Privacy Policy explains how Web42 (“Web42”, “we”, “us”) collects, uses and protects personal information when you use our website builder service. We aim to keep this document short, plain and honest. If anything is unclear, please email us at the address at the bottom of the page.
1. Who we are
Web42 is an AI-powered website builder operated as a B2C SaaS product. We act as the data controller for the personal information described below. (TODO: insert legal entity name, registered address and company number once the operating company is incorporated.)
2. Information we collect
We collect only the information we need to run the service. That includes:
- Account details — your email address, the name you give us at signup, and (optionally) the country you select so we can show prices in the right currency.
- Authentication data — a hashed password and session tokens, managed by our authentication provider (Supabase Auth).
- Payment identifiers — when you subscribe to Web+ or buy a domain, our payment processor (Stripe) creates a customer record and returns a Stripe customer ID, which we store against your account. We do not store your card number, CVC or full bank details ourselves — they are handled by Stripe.
- Project data — the websites you build, the chat history with the agent, the choices you make in the wizard, and any images or files you upload to your project.
- Contact-form submissions — when a visitor to a site you publish fills in your contact form, the submission is stored against your project so you can read it in your dashboard.
- Domain registration data — if you register a domain through us, we pass the WHOIS data required by ICANN (name, address, email, phone) to our registrar partner, Namecheap. We enable free WHOIS privacy where available.
- Technical data — IP address, browser user-agent and basic request metadata, used for rate limiting, abuse prevention and debugging. IPs are not used for advertising or cross-site tracking.
3. Why we use it (legal bases under UK / EU GDPR)
- To provide the service — performing our contract with you (Art. 6(1)(b)). Without this data we cannot run your account or build your site.
- To take payment — performing our contract with you, and complying with tax and accounting law (Art. 6(1)(b) and (c)).
- To keep the service secure — our legitimate interest (Art. 6(1)(f)) in preventing abuse, fraud and excessive usage.
- To send important service emails (e.g. password reset, payment receipts) — performing our contract with you.
We do not sell your personal information, and we do not use it for advertising.
4. Where your data is stored
We use a small number of trusted third-party processors. Each is listed below with a link to their own privacy policy.
- Supabase — primary database (PostgreSQL), authentication, and file storage for site assets. Data residency region: TODO — to be confirmed and disclosed before launch. Supabase privacy policy.
- Cloudflare (R2 / CDN) — object storage for generated site files and a global content-delivery network for published sites. Cloudflare privacy policy.
- Stripe — payment processing for credit top-ups, Web+ subscriptions and domain purchases. Stripe is the data controller for the card data you enter into its checkout form. We retain a record of credit-purchase amounts, expiry dates and balance ledger entries on our own infrastructure for as long as your account exists; see the “Credits, top-ups and credit expiry” section of our Terms for how credit balances and expiry work. Stripe privacy policy.
- Anthropic — provides the AI model (Claude) that powers the agent. When you chat with the agent, the messages you send and the relevant project context are transmitted to Anthropic for processing. Per Anthropic’s commercial terms, customer inputs and outputs submitted to the API are not used to train Anthropic’s models by default. Anthropic privacy policy and commercial terms.
- Resend — sends transactional email (account verification, password reset, payment receipts). Resend privacy policy.
- Namecheap — ICANN-accredited registrar used to register and manage domain names you purchase through us. Namecheap privacy policy.
Some of these processors are based outside the UK / EEA. Where personal data is transferred internationally we rely on the appropriate safeguards published by each processor (Standard Contractual Clauses, the UK International Data Transfer Addendum, and / or adequacy decisions where they exist).
5. AI processing — what the model sees
Web42 works by passing your messages, your project files, and relevant context (such as the wizard answers you have given) to the Claude model operated by Anthropic. The model produces a response, which we stream back to your browser and store as part of your chat history so you can resume the conversation later. We do not enrich your conversation with data from other users.
6. Cookies
At the MVP stage we use only essential cookies: a session cookie to keep you signed in, and CSRF / security cookies set by our authentication provider. We do not use advertising cookies, and we do not run third-party analytics that profile you across the web. If we add privacy-respecting analytics in the future (such as Plausible or PostHog) we will update this page and gate it behind a clear consent control.
7. How long we keep your data
- Account, project files and chat history — kept for as long as your account exists. When you delete your account, this data is removed within 30 days, except where we are required to retain it by law.
- Payment and tax records — invoices, payment receipts and the corresponding identifiers are retained for seven (7) years to comply with UK / EU tax and accounting rules.
- Contact-form submissions on your published site — kept for as long as your project exists, unless you delete them from your dashboard.
- Security logs — kept for up to 90 days for abuse investigation.
8. Your rights
If you are in the UK or EU, GDPR gives you the right to access, rectify, erase, restrict, port and object to processing of your personal data. You can exercise most of these rights from inside your account:
- Export your data — request a copy of your account, project and chat data via /api/profile/export.
- Delete your account — permanently remove your account and project data via /api/profile/delete.
- Rectify your details — update your name, country and other account details from the Settings panel.
You can also email us at the address at the bottom of this page and we will action your request manually. You have the right to lodge a complaint with your local data protection authority (in the UK, the Information Commissioner’s Office at ico.org.uk).
9. Children
Web42 is not intended for children. You must be 18 or older to create an account. We confirm this with a checkbox at signup. If we become aware that we have collected personal data from a child, we will delete it.
10. Security
We use TLS in transit, hashed passwords at rest, row-level security on our database tables, and a small number of trusted, security-audited processors. No system is perfectly secure; if we ever experience a breach that affects your personal data we will notify you and the relevant supervisory authority within the timeframes required by law.
11. Changes to this policy
We will update this page as the product changes. The “Last updated” date at the top tells you when. For material changes we will notify account holders by email.
12. Contact
For privacy questions, data subject requests, or to report a concern, email us at privacy@web42site.com.