Privacy Policy
Last updated: April 2026
1. Information We Collect
We collect information in the following categories:
Information You Provide
- Name, email address, and business name via intake and onboarding forms
- Project details, brand assets, and content provided during the build process
- Messages and feedback submitted through the client portal
Behavioral Data (Automatically Collected)
- Page views, click events, and session duration
- Intake form progress (steps completed, selections made)
- Browser type, device type, and approximate location (country/region)
- Referral source and UTM campaign parameters
Performance Data (Client Sites)
- Site uptime and load speed metrics
- Conversion rates and form submission counts (aggregated)
2. How We Use Your Information
- To provide, deliver, and improve our website building and maintenance services
- To communicate project updates, billing information, and service announcements
- To generate performance reports and analytics for your client dashboard
- To personalize AI-generated recommendations during the intake process
- To detect and prevent fraud or unauthorized access
- To comply with legal obligations
3. Payment Processing
All payment processing is handled by Stripe, Inc. We never store credit card numbers, CVVs, or full card details on our servers. Payment information is transmitted directly from your browser to Stripe's PCI-compliant infrastructure.
Stripe's privacy policy governs the processing of your payment information. We store only a reference to your Stripe customer ID and payment intent IDs for record-keeping and support purposes.
4. Data Storage & Security
Your data is stored securely on Supabase-hosted PostgreSQL databases with encryption at rest (AES-256) and in transit (TLS 1.3). File uploads are stored in Supabase Storage with signed URL access controls.
We use industry-standard security measures including role-based access control, audit logging, and automated backups. Access to production data is limited to authorized personnel on a need-to-know basis.
5. Third-Party Services
We use the following third-party services to deliver our product. Each has its own privacy policy.
6. Cookies & Tracking
We use session-based identifiers (stored in sessionStorage) to track page views and user interactions during a single browser session. These identifiers are not persistent across sessions and are not shared with third parties.
We do not use third-party advertising cookies. Stripe may set cookies necessary for payment processing. Your browser settings allow you to manage cookie preferences at any time.
7. Data Retention
We retain your personal and project data for the duration of your active service plus 60 days after cancellation. After the 60-day window, personal data is deleted. Anonymized performance and analytics data may be retained indefinitely for trend analysis.
Intake form data for leads that do not convert to clients is retained for 12 months, then automatically purged.
8. Your Rights
You have the right to:
- Access all personal data we hold about you
- Correct inaccurate or incomplete data
- Request deletion of your personal data
- Request a portable copy of your data in a standard format
- Opt out of case study usage of your project
To exercise any of these rights, contact hello@custom21.io. We will respond within 30 days.
9. Children's Privacy
Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it immediately.
10. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email to active clients and posted on this page with an updated revision date.
Contact
For privacy questions or data requests, contact us at hello@custom21.io.