// legal

Privacy Policy

Last updated June 29, 2026

This policy explains what information Sitepost (“Sitepost,” “we,” “us”) collects, why, who we share it with, and the rights you have over it. We try to keep this readable — if anything is unclear, email privacy@sitepost.io.

1. Who this applies to

This policy covers visitors to sitepost.io, operators who create an account to run campaigns, and the local businesses whose publicly available information is processed through the service.

2. Information we collect

  • Account data. Your email address, used for passwordless sign-in and account communications.
  • Payment data. Handled entirely by Stripe. We never see or store full card numbers — only limited details Stripe returns (e.g. subscription status, last four digits, billing email).
  • Business data. Publicly available information about local businesses (name, category, address, phone, ratings, hours) sourced from providers such as Google Maps/Places, used to generate websites and outreach.
  • Generated content. The website copy the AI produces for each business, cached so it isn’t re-generated.
  • Usage & technical data. IP address (for rate limiting and abuse prevention), request logs, and a single essential session cookie. We do not run advertising or third-party analytics trackers.
  • Communications. Messages you send us and leads submitted through generated sites.

3. How and why we use it

We process data to provide and operate the service, generate websites, deliver outreach, take payment, secure the platform, respond to you, and meet legal obligations. Where the GDPR applies, our legal bases are: performance of a contract (running your account and subscription), legitimate interests (securing and improving the service, B2B outreach), consent (where required), and legal obligation.

4. AI processing

Website copy is generated using Anthropic’s Claude models. The inputs are business details (name, category, location). We do not send your payment data to AI providers, and content sent through our API provider is not used to train their models. AI output can contain inaccuracies — review generated content before relying on it.

5. Subprocessors we share data with

We share the minimum data needed with vetted providers who process it on our behalf:

  • Stripe — payments & subscription billing.
  • Resend — transactional email (sign-in links, receipts, notifications).
  • Anthropic — AI generation of website copy.
  • Google — Places data for business discovery.
  • Lob — printing and mailing of postcards.
  • Vercel — hosting and content delivery.
  • Upstash — caching and rate limiting.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

6. Retention

We keep account and billing records for as long as your account is active and as required for tax and legal purposes. Generated site content is retained while a campaign is active. You can request deletion at any time (see your rights below).

7. Security

Data is encrypted in transit (HTTPS). Sessions use signed, httpOnly cookies. Payment card data is isolated within Stripe. No system is perfectly secure, but we take reasonable technical and organizational measures to protect your information.

8. Your rights

Depending on where you live (e.g. the EU/UK under GDPR, California under CCPA/CPRA), you may have the right to access, correct, delete, port, restrict, or object to the processing of your personal data, and to withdraw consent. California residents have the right to know, delete, and correct, and to opt out of “sale”/“sharing” (we do neither) — and we won’t discriminate against you for exercising these rights.

To exercise any right, email privacy@sitepost.io. We’ll respond within the time required by law. EU/UK users may also lodge a complaint with their local data protection authority.

9. Businesses we contact by mail

If your business received a Sitepost postcard, we processed publicly available contact details on the basis of legitimate interest in B2B outreach. You can ask us to stop and to delete your information at any time by emailing privacy@sitepost.io — we will honor opt-out requests promptly.

10. International transfers

Our providers may process data in the United States and other countries. Where required, transfers rely on appropriate safeguards such as Standard Contractual Clauses.

11. Children

Sitepost is a business tool not directed to children, and we do not knowingly collect personal information from anyone under 16.

12. Changes & contact

We may update this policy; material changes will be reflected by the “last updated” date above. Questions or requests: privacy@sitepost.io.