Privacy Policy
Effective Date: November 11, 2025
This Privacy Policy explains how OnePG ("OnePG", "we", "our" or "us") collects, uses, stores, shares, and protects your information when you use our one‑page website builder platform, related services, APIs, AI-assisted generation features, and any other online properties we operate (collectively, the "Service"). By accessing or using the Service you consent to the practices described here. If you do not agree, please discontinue use.
1. Information We Collect
- Account Information: Name (optional), email address, hashed password, authentication tokens, subscription status and plan details.
- Usage & Interaction Data: Pages you create, template selections, form submissions, dashboard interactions, feature usage counts, and timestamps.
- Generated & Uploaded Content: Site copy you input or AI‑generate, images/assets you upload, and favicon/OG metadata. Assets may be stored in object storage (e.g. MinIO) and cached via CDN.
- Analytics & Performance Data: We collect pseudonymous request logs, page view events, referrers, UTM tags, timing metrics, and aggregated usage for feature improvement. Analytics is privacy‑respectful and avoids unnecessary tracking.
- Payment & Billing Data: Handled by Stripe. We do not store full card numbers. We retain subscription identifiers, invoice IDs, status, last four digits, and expiration month/year (as provided by Stripe).
- Support & Communications: Messages you send us (email or forms), responses, and internal notes to resolve issues.
- Log Data & Technical Identifiers: IP address, user‑agent, operating system, device type, error traces, and security-related events (login attempts, token refreshes).
- Cookies & Local Storage: Session cookies for authentication, CSRF protection, and preference tokens. We avoid third‑party ad/marketing cookies.
- AI Feature Inputs: Prompt text, selected block types, and generated outputs—retained to improve model quality and detect abuse. Sensitive personal data should not be submitted.
2. How We Use Information
- Provide, secure, and maintain the Service (authentication, hosting, rendering, backups).
- Process payments and manage subscriptions (via Stripe).
- Personalize templates, recommend features, and enhance user experience.
- Improve performance, reliability, and UI through aggregated analytics.
- Generate AI‑assisted content, evaluate prompt effectiveness, and prevent misuse.
- Communicate updates, transactional notices, password resets, and billing alerts.
- Detect, investigate, and mitigate fraud, abuse, or security incidents.
- Comply with legal obligations and enforce our Terms of Service.
3. Legal Bases (EEA/UK)
For users in the European Economic Area or UK we rely on: (a) Contract (to provide the Service); (b) Legitimate Interests (product improvement, security); (c) Consent (where required—e.g. certain cookies); and (d) Legal Obligation (record keeping, fraud prevention).
4. Data Retention
We retain account and site data while your account is active and for a reasonable period (up to 24 months) after cancellation to support potential restoration, audits, or dispute resolution—unless you request earlier deletion where feasible. Anonymized or aggregated data may be retained indefinitely.
5. Sharing & Disclosure
- Service Providers: Hosting (e.g. cloud infrastructure), object storage (MinIO or equivalent), CDN/security (Cloudflare), email delivery, billing (Stripe), logging/monitoring. They access data only to perform contracted functions.
- Legal & Compliance: We may disclose information if required by law, subpoena, court order, or to protect rights, property, or safety of OnePG, users, or the public.
- Business Transfers: In a merger, acquisition, or asset sale, user data may transfer subject to continuity of protections.
- With Your Direction: Public pages you publish are accessible to anyone with the URL, unless you explicitly restrict access via forthcoming privacy features.
- No Sale of Personal Data: We do not sell personal information; we do not permit ad-tech tracking layers.
6. Security
We implement technical and organizational measures: encryption in transit (HTTPS), access controls, password hashing (an industry-standard algorithm such as bcrypt or argon2), role limits for administrative access, dependency vulnerability monitoring, rate limiting for abusive traffic, and periodic backups. No system is 100% secure; users should choose strong passwords and safeguard credentials.
7. International Data Transfers
We may process and store data in the United States and other jurisdictions. Where required, we rely on standard contractual clauses or equivalent safeguards for cross‑border transfers.
8. Your Rights
- Access / Export: You can request a copy of your account data.
- Rectification: Update inaccurate profile details.
- Deletion: Request account deletion; some data may remain in backups for a limited period.
- Restriction / Objection: Object to certain processing (e.g. analytics) where legally applicable.
- Portability: Export site content in a portable format (e.g. HTML or JSON) when available.
- Opt-Out of Marketing: Unsubscribe links in non-essential emails.
Requests: contact [email protected]. We may verify identity before acting.
9. Cookies & Tracking
We use strictly necessary and functional cookies to maintain sessions and preferences. We avoid third‑party advertising cookies. You can clear or block cookies via browser settings; some features may degrade.
10. AI & Generated Content
Prompts and generated outputs may be logged to improve quality and safety. Do not input sensitive personal data (health, financial account numbers, government IDs). You are responsible for reviewing generated content for accuracy and compliance. See Terms for usage restrictions.
11. Children
The Service is not directed to children under 13 (or under the age required for consent in your jurisdiction). We do not knowingly collect data from minors. If you believe a minor has provided data, contact us for removal.
12. Do Not Track
Browsers may send a Do Not Track (DNT) signal; industry standards are not uniform. We currently do not respond to DNT signals.
13. Third-Party Links
Templates or generated pages may link externally. We are not responsible for third‑party privacy practices. Review their policies before providing data.
14. Changes to This Policy
We may update this Policy periodically. Material changes will be indicated by updating the "Effective Date" or providing additional notice (email or dashboard banner). Continued use after changes indicates acceptance.
15. Contact
Email: [email protected] • For security disclosures: [email protected] • For data protection requests: use the subject line "Data Request".
16. Jurisdiction Specific Addenda
GDPR (EEA/UK): You have rights enumerated above; complaints may be filed with your local supervisory authority. CCPA/CPRA (California): We do not sell personal information; you may request disclosure or deletion of personal information subject to statutory exceptions.
If any provision conflicts with local law, that portion is deemed modified to comply while preserving intent.