Privacy Policy

1. Who we are

The data controller is Your Website Agency, registered in the United Kingdom.

Bolton House, Trafalgar Road, London, SE10 9UT, United Kingdom
Email: info@yourwebsite.agency

2. What we collect

• Account details: your email address; if you sign in with Google, your name and profile picture.
• Subscription details: your Stripe customer ID and subscription status. We do not see or store full card numbers — Stripe handles that.
• Tenant details: the subdomain you chose, your bot's internal agent ID, and the Telegram bot username allocated from our pool.
• Session data: an HTTP-only authentication cookie set when you sign in.
• Operational logs: server logs containing IP address, request path, and timestamps for security and abuse prevention. Retained for 30 days.

3. What we deliberately do not collect

• Your AI provider API key. The key you bring lives only inside your bot's sandbox, never in our database. We cannot read it, log it, or use it.
• Conversations with your bot. Messages between you and your bot are sent directly from the sandbox to your chosen AI provider (OpenAI, Anthropic, etc). We do not see, store, or analyse them.

4. Why we process your data (lawful basis)

• Contract: to provide the service you signed up for — authentication, provisioning, billing.
• Legitimate interests: to keep the platform secure, prevent abuse, and improve reliability.
• Legal obligation: to keep payment and tax records as required by UK law.

5. Who we share data with

We share the minimum data needed with these processors, each under their own privacy policy:

• Stripe (payment processing — your email and Stripe customer ID).
• Google (OAuth sign-in, if you use that option — your Google profile basics).
• Hostinger (transactional email delivery — your email address when we send sign-in links or service notices).
• Telegram (your bot username is registered with Telegram so you can chat with your bot there).

We never sell your personal data, and we do not use it for advertising.

6. International transfers

Some processors (Stripe, Google) are based outside the UK and EEA. Where data is transferred internationally, it is protected by the UK's adequacy decisions or by Standard Contractual Clauses that those processors maintain.

7. Retention

• Active account data: kept while your account is active.
• After cancellation: account data enters a 24-hour grace window during which you can reactivate. After that, your sandbox and bot are torn down. Your subdomain is held for 30 days before it can be re-allocated.
• Billing records: kept for 6 years to meet UK tax-record requirements.
• Server logs and backups: 30 days.

8. Your rights

Under UK GDPR you have the right to:

• access the personal data we hold about you,
• ask us to correct anything that's wrong,
• ask us to delete your account and the personal data attached to it,
• request a portable copy of your data,
• object to or restrict certain processing, and
• complain to the UK Information Commissioner's Office (ico.org.uk) if you think we've mishandled your data.

To exercise any of these rights, email info@yourwebsite.agency and we'll respond within 30 days.

9. Cookies

We use a single HTTP-only authentication cookie to keep you signed in. We do not use third-party advertising or analytics cookies.

10. Security

All traffic is encrypted in transit (HTTPS). Each customer's bot runs in an isolated sandbox on a per-tenant Docker network with inter-container communication disabled — one customer cannot reach another customer's sandbox by any path. We hold the minimum personal data possible (see Section 3).

11. Changes to this policy

If we make material changes, we'll email you at the address on your account. Minor wording changes will be reflected by updating the "last updated" date at the top of this page.

12. Contact

Privacy questions or requests: info@yourwebsite.agency.