Privacy Policy

• Account info — email, name, phone (if provided), and the URL of the site you want upgraded.
• Payment info — handled entirely by our payment processor. We never see your card number; we receive a token + the last 4 digits.
• Order data — products purchased, status, delivery notes.
• Integration data — credentials needed to deliver an upgrade (payments, CRM, email). Encrypted at rest.
• Site analysis output — for a free plan we fetch the public HTML of your URL and run an automated audit. No passwords/logged-in content.
• Logs — IP, user-agent, request timing (debug + rate-limit).
• Anonymous page views — Vercel Web Analytics (URL path only; no cookies, no cross-site tracking, IPs not stored).

To deliver and support what you bought, send the receipts and updates you asked for, prevent abuse, and answer support. That's the whole list — no ad targeting on your data.

We share the minimum required data with:

• Stripe — payments & payment integration (Stripe Connect). Privacy Policy.
• Resend / Brevo — transactional email (receipts, login links, replies).
• Vercel — hosting, edge logs, privacy-friendly Web Analytics. Analytics privacy.
• Turso (libSQL) — database hosting for orders, sessions, outbox.
• Groq / OpenRouter / HuggingFace / Together / Cerebras / Cloudflare Workers AI — model inference; we don't enable training-on-input where a no-train flag exists.
• Firebase Auth (optional) — Google / Facebook / Apple sign-in if you choose it.

If you activate payment integration, we use Stripe Connect to create a connected Stripe Express account on your behalf, sharing with Stripe:

• Identity — name, email, business details for verification (KYC) and compliance.
• Transaction data — amounts, currency, and customer metadata, used to calculate and collect the platform fee.
• Account status — onboarding status, whether charges/payouts are enabled, and any restrictions.

Stripe acts as both processor (on our instructions) and independent controller (its own AML/sanctions obligations). See the Stripe Privacy Policy and Connected Account Agreement.

Acquirer disclosure: card transactions are acquired by Wells Fargo Bank, N.A. (or another acquirer Stripe designates). Stripe, Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA. We don't access your Stripe dashboard credentials, bank details, or tax IDs — Stripe collects those directly.

One first-party HTTP-only cookie, pms_sid, keeps you signed in (30-day expiry, never for ads). Paid integrations you enable on your own site (GA, Meta Pixel) add their own cookies — our site itself does not.

Orders: 7 years (tax). Marketing subscribers: until you unsubscribe. Server logs: 90 days. Email outbox: 90 days after delivery. Idempotency keys: 24 hours.

Request a copy, deletion, or correction at plugmysiteaisolutions+privacy@gmail.com — we respond within 30 days. EU/UK/California residents have GDPR / UK GDPR / CCPA rights, including complaining to a supervisory authority.

HTTPS + HSTS everywhere, scoped database tokens, signed webhooks, hashed passwords, per-user rate limiting, and Idempotency-Key replay protection on every state-changing endpoint.

We update this page when practices change and bump the date above; major changes are emailed to active customers. Questions: plugmysiteaisolutions+privacy@gmail.com (postal address on request).