Privacy Policy

Your privacy matters

Last updated: April 17, 2026

1. Information We Collect

We collect information you provide directly:

  • Account data: First name, last name, email address, password, phone number, date of birth, country, state, and zip code when you register or update your profile.
  • Website content: Pages, HTML/CSS/JS code, GrapesJS editor state, media files (images, videos, documents), and site settings you create using our editor.
  • Payment data: When you subscribe to a paid plan, payment processing is handled entirely by Stripe. We store your Stripe customer ID and subscription ID but never store credit card numbers, CVVs, or full card details on our servers.
  • AI prompts: When you use the AI Site Builder, your text prompts are sent to Anthropic (Claude API) to generate website content. We do not store prompts after generation is complete.
  • OAuth data: If you sign in via Google or Facebook, we receive your name, email, and profile picture from the provider. We do not access your contacts, posts, or other social data.
  • Contact & feedback: Messages submitted via the Contact Us form or the feedback widget, including name, email, subject, and message content.
  • SMTP configuration: If you configure per-site email sending, we store SMTP credentials (host, port, username, password) encrypted in our database.

Automatically collected: IP address, browser type, device information, pages visited, and timestamps — standard web server logs used for security and performance monitoring.

2. How We Use Your Information

  • Provide, maintain, and improve the Surgepulse Studio platform
  • Process your website publishing and hosting at yoursite.surgepulse.org
  • Process subscription payments and manage billing through Stripe
  • Generate AI-powered websites using the Anthropic Claude API
  • Deliver password reset emails and account notifications via SMTP
  • Respond to your contact form submissions and feedback
  • Enforce plan limits (site count, AI generations per month, component access)
  • Send you product updates and security notifications (opt-out available)
  • Analyze usage patterns to improve features and performance
  • Prevent fraud, abuse, and unauthorized access

3. Data Storage & Security

Your data is stored securely using industry-standard encryption (TLS 1.3 in transit, AES-256 at rest). We use Django's built-in security features including CSRF protection, XSS prevention, and SQL injection guards. Media files are stored in isolated directories per user account.

SMTP credentials stored for per-site email configuration are encrypted at rest. Payment data is processed and stored exclusively by Stripe — we never handle raw card details.

4. Third-Party Services

We integrate with the following third-party services, each of which has its own privacy policy:

  • Stripe — Payment processing for subscriptions. Stripe's privacy policy governs all payment data.
  • Anthropic (Claude API) — AI website generation. Prompts are processed and not retained by Anthropic per their data policy.
  • Google & Facebook OAuth — Social sign-in. Only basic profile data (name, email) is accessed.
  • Google Analytics — Only if you configure it for your published site. Set by Google, not by Surgepulse.
  • Google Fonts & CDN — Typography delivery (Fraunces, Geist). Standard font serving with no user tracking.

We do not sell, rent, or share your personal information with third parties for marketing purposes.

5. Your Rights

You have the right to:

  • Access your personal data at any time via your profile settings
  • Export your website content in HTML/CSS/ZIP format via the dashboard export feature
  • Update your first name, last name, email, and profile details at any time
  • Delete your account and all associated data permanently
  • Manage billing including viewing invoices, changing plans, or canceling via the Stripe Customer Portal
  • Opt out of non-essential communications at any time

6. Data Retention

We retain your data for different periods depending on its type and your account status:

  • Active accounts: Personal information, website content, media files, and subscription data are retained for as long as your account remains active.
  • Deleted accounts: All associated data is permanently erased within 30 days of account deletion.
  • Billing records: Stripe retains payment history per their data retention policy. We retain Stripe customer/subscription IDs until account deletion.
  • AI usage logs: Monthly generation counts are retained for the duration of your account for plan enforcement purposes.
  • Contact & feedback: Retained until resolved or account deletion, whichever comes first.
  • Server logs: IP addresses, access logs, and error logs are retained for 90 days, then permanently deleted.

7. International Transfers

Your data is stored on servers located in the United States and the European Union. For users in the EEA, UK, and Switzerland, we comply with GDPR and rely on Standard Contractual Clauses (SCCs) for any transfers of personal data outside the EEA.

Third-party processors (Stripe, Anthropic, Google) maintain their own cross-border data transfer mechanisms and certifications.

8. Children's Privacy

Surgepulse Studio is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child has provided personal data, we will delete it immediately. Contact privacy@surgepulse.org if you believe a child has provided us with personal information.

9. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes by email at least 30 days before they take effect. We encourage you to review this policy periodically.

10. Contact

For privacy-related inquiries, contact us at privacy@surgepulse.org or use our Contact Us page.
