Privacy Policy

When you fill out our intake form, we collect your name, email address, and the business information you provide: things like your business name, industry, services, any details you want reflected on your website, and any images you upload.

Automatically collected data: Our hosting provider (Vercel) records standard server logs for each request: IP address, browser type, referring URL, and timestamp. We use this for security, abuse prevention, and diagnosing errors. It is not tied to a marketing profile.

Authentication data:If you create an account to claim or edit your site, we store your sign-in details through Supabase Auth: your email address (or your Google account info if you choose "Sign in with Google") and a secure session token. This is the minimum needed to keep you logged in and verify that you own your site.

Domain registrant data: If you subscribe to Pro with a custom domain, we collect the contact information domain registration requires: your full name, email address, mailing address, and phone, because you are the legal registrant of the domain. ICANN rules require this; it is passed to the domain registrar and kept on file with them. It is no longer publicly listed in WHOIS by default (as of 2025).

Payment data: Payments are processed entirely by Stripe. Your card number goes directly to Stripe. DebugDad LLC never sees or stores it. We store Stripe customer and subscription IDs so we can manage your plan.

Form submissions: If your published site has a working contact form, we also store the submissions your visitors send, more on that in Section 06.

We use your information for the following purposes:

1. To generate your AI website: the business details you submit are the source material the AI uses to build your site.
2. To deliver and support your site: to send preview-ready notices, receipts, expiry reminders, and to contact you if something needs your attention.
3. To manage your subscription: to process recurring billing and notify you of payment issues, renewals, or plan changes.
4. To fulfill domain registrations: on Pro, to register and manage your custom domain on your behalf.
5. To comply with legal obligations: tax records, DMCA notices, or lawful court orders.

We don't use your information for advertising, to build behavioral profiles about you, or to make automated decisions that materially affect you. We don't sell it to anyone. Ever.

We use a minimal number of cookies and local storage:

Authentication session cookie:If you sign in to claim or edit your site, Supabase sets a session cookie in your browser so you stay logged in. It expires when your session ends or you sign out. No session cookie is set for visitors who don't sign in.

Infrastructure cookies: Vercel, our hosting provider, may set technical cookies for routing and performance purposes. These are not linked to your identity and cannot be used for advertising.

We do not use advertising cookies, third-party tracking pixels, or any analytics service that follows you across other websites. No data is sold to or shared with ad networks.

Your data is stored in Supabase, our database provider, hosted on AWS in the us-east-1 region (Northern Virginia, fittingly, our home state). Supabase encrypts data at rest (AES-256) and all connections are encrypted in transit using TLS 1.2 or higher.

Our platform is hosted on Vercel, which processes incoming requests at US-based data centers. Payments are processed by Stripe on their PCI-compliant infrastructure. We never handle raw card data.

Access to your data is restricted to the systems and personnel that need it to deliver the service. We take reasonable technical and organizational measures to protect your data. That said, no method of transmission over the internet is 100% secure, and we can't promise absolute security. Nobody honestly can. If we become aware of a data breach that affects you, we will notify you promptly.

We only share your data with the service providers the product genuinely can't run without. The honest, complete list:

Stripe: processes payments and manages your subscription. Receives your email address and payment details.
Brevo: delivers our transactional emails (preview links, receipts, renewal notices, and the like). Receives your email address and name.
Supabase / AWS: hosts our database and sign-in accounts; this is where your lead data, site spec, and authentication sessions live (AWS us-east-1).
Anthropic: the business details you submit are sent to Anthropic's Claude AI to generate your site.
Vercel: hosts the platform and the websites we build, and handles custom domain registration, which is why Pro domain registrant info goes there, as ICANN requires.
Upstash: briefly stores IP addresses and email addresses for rate limiting, to prevent abuse.
Pexels: provides stock images for generated sites.
Google: only if you choose to sign in with Google.
Law enforcement / legal process: we disclose information when required by a valid court order, subpoena, or legal process. Where permitted, we will notify you before complying.

That's the complete list. No data brokers, no ad networks, no selling or renting your information to anyone.

If your published site has a working contact form, visitors to your site can send you their name, email address, and a message. We store those submissions in our database on your behalf and deliver them to you, that's their whole purpose.

To be clear about roles: your visitors are your contacts. We process their data only to forward and display it to you, and you're responsible for how you use it. Submissions are kept for as long as the site that collected them exists, and a visitor (or you) can ask us to delete them at admin@debugdad.com anytime.

We keep your information for as long as you have an account or subscription with us, that's what lets us run and support your site. A claimed free site (and the data behind it) sticks around until you ask us to delete it. Form submissions are kept for as long as the site that collected them exists. Beyond that, we retain only what tax and legal compliance require.

You have the following rights over your data, regardless of where you live:

Access: ask us what personal data we hold about you.
Correction: ask us to fix inaccurate information.
Deletion: ask us to delete your personal data. We will delete it unless we're legally required to keep it (e.g., tax records).
Portability: ask for a copy of your data in a common format.
Opt-out of sale: we don't sell your data, so there's nothing to opt out of, but the right is yours.

To exercise any of these rights, email us at admin@debugdad.com with the subject line "Privacy Request". We will respond within 45 days. If a request is complex or numerous, we may extend by another 45 days and will let you know.

Several US states have enacted privacy laws granting residents additional rights. As a Virginia company, we take these seriously for all users, whether or not your state mandates it for a business our size.

Virginia residents (CDPA):You have the rights listed in Section 07, plus the right to opt out of (1) the sale of your personal data, we don't sell it; (2) targeted advertising, we don't do it; and (3) profiling used for decisions with legal or similarly significant effects on you, we don't do this.

California residents (CCPA/CPRA): You have the right to know the categories of personal information we collect and how we use it (this policy covers that), the right to delete, the right to correct, and the right to opt out of the sale or sharing of your personal information. We do not sell or share personal information for cross-context behavioral advertising.

Other states: If your state has enacted a consumer privacy law, we will honor substantially equivalent rights. Contact us at admin@debugdad.comand we'll work with you.

We will not discriminate against you for exercising any privacy right: you won't be denied service, charged a different price, or given a lower quality of service.

Our services are for businesses and are not directed at children under 13. We don't knowingly collect personal information from anyone under 13. If you believe a child has submitted information to us, contact us at admin@debugdad.com and we will delete it promptly.

If we change this policy, we'll post the updated version on this page with a new effective date. For significant changes, like adding a new data processor or changing how we use your data, we'll do our best to notify you by email at least 14 days in advance. We won't bury material changes in fine print.

Questions about this policy, your data, or a privacy request? Email DebugDad LLC at admin@debugdad.comwith the subject line "Privacy Request" and a real person will respond within 45 days, usually the dad.

Mailing address: DebugDad LLC, Virginia, USA (full address available on request).