Stedda

Privacy Policy

Last updated: March 2026

The data controller is TopeySoft LLC, operating as Stedda.

1. What Data We Collect

Account data: When you create an account, we collect your email address and display name via email/password or a third-party OAuth provider (Google, GitHub).

Usage data: We collect anonymized IP addresses, browser information, and page views for analytics and rate limiting.

Content: When you create a site, we store the content generated and any modifications you make, including draft edits.

Uploaded files: Photos, documents, logos, and other media you upload to your site.

Review submissions: When visitors submit reviews on sites built with Stedda, we collect their name, email address, star rating, and review text.

Newsletter subscriber data: When visitors subscribe to a site's newsletter, we collect their email address and optional name. Subscription status (unconfirmed, confirmed, unsubscribed) is tracked to support double opt-in.

Order and booking data: When visitors place orders or book appointments through sites on the platform, we may process their name, email, phone number, and address as needed to fulfill the transaction.

Feedback submissions: When you submit feedback through the platform, we collect the category, message text, the page URL, and basic browser information.

Content sync URLs: When you use the content sync feature, we store the profile URLs you provide (e.g., Spotify artist URL, YouTube channel URL) to fetch and update content on your behalf.

Email engagement: If you receive automated onboarding or engagement emails from us, we track delivery status and whether you have opted out. We do not use open-tracking pixels.

2. AI-Generated Content

We generate website content using publicly available information (social media profiles, public databases, news articles). This content is processed through AI models to create biographical text, descriptions, and other website content.

When you use AI assistant features (content rewriting, section regeneration, SEO suggestions, image alt text, content audit, tone restyling), your site content is sent to our AI provider for processing. When you use AI image generation, text prompts describing your desired image are sent to the AI provider, and the generated images are stored on our platform.

If you are the subject of a generated site, your public information has been used to create that content. You can request removal at any time.

3. How We Store Data

Your data is stored in Supabase (PostgreSQL database hosted on AWS). Files are stored in Supabase Storage. All data is encrypted in transit (TLS) and at rest.

We maintain daily database backups and nightly media backups stored in Cloudflare R2 (object storage). Backup data is encrypted and retained for disaster recovery purposes.

Page view data and anonymized request logs are processed through Cloudflare Analytics Engine with a 90-day retention period.

4. Third-Party Services

We use the following third-party services that may process your data:

Core services:

  • Cloudflare — hosting, CDN, DNS management, and DDoS protection. Processes IP addresses and request data.
  • Supabase — database and authentication. All data is encrypted at rest.
  • OpenAI (or compatible AI provider) — content generation, AI rewriting, SEO suggestions, and image generation (DALL-E). Site content and prompts are sent for processing.
  • Google / GitHub — OAuth sign-in providers. When you sign in via OAuth, the provider shares your email and profile name per their consent flow.
  • Stripe — subscription billing and marketplace payouts (Stripe Connect). Stripe handles all payment data; we never store card numbers.
  • Amazon SES — email delivery for transactional messages, drip campaigns, and newsletters.

Operational services:

  • Error monitoring tools — capture JavaScript exceptions and server errors for debugging. Personally identifiable information is not collected; sensitive URL parameters are stripped before transmission. Data is retained for 90 days.
  • Structured logging services — anonymized request metadata (route, status code, duration) is sent for operational monitoring.
  • Stock media providers — when you browse or search for stock photos or videos for your site, search queries are sent to the provider. Downloaded media is stored on our platform.
  • Domain registrars — if you purchase a domain through the platform, registration is processed by a third-party registrar. WHOIS privacy is enabled by default.

User-initiated integrations (opt-in only):

  • Content sync (Spotify, Apple Music, YouTube, Google Places) — when you paste a profile URL and trigger a sync, we call public APIs using platform credentials to fetch your content. No user OAuth is required.
  • E-commerce integrations (Shopify, Etsy, Square) — available on the Business plan. When you connect via OAuth, we sync product catalogs and inventory.
  • Booking integrations (Calendly, Acuity Scheduling) — available on the Business plan. When you connect via OAuth, we embed the scheduling interface on your site.

5. Cookies

We use essential cookies for authentication (session tokens). We do not use tracking cookies or third-party advertising cookies. Cloudflare may set security cookies for bot protection. For full details, see our Cookie Policy.

6. Data Retention

We retain different types of data for different periods:

  • Account data — retained as long as your account is active.
  • Account deletion — you can delete your account via the self-service option in your dashboard Settings, or by contacting us. Your profile is anonymized, all your sites are scheduled for removal with a 7-day grace period, and active subscriptions are canceled at the end of their billing period. Personal data is removed within 30 days.
  • Audit logs — 60 days.
  • Page view analytics — 90 days.
  • Error monitoring data — 90 days.
  • Removed sites — held for a 7-day grace period during which you can restore them, then permanently deleted.
  • Preview tokens — expire after 72 hours and are revoked when the draft is published or discarded.
  • Email subscriber data — retained until the subscriber unsubscribes or the site owner deletes the record.

7. Your Rights (GDPR & CCPA)

EU/EEA residents (GDPR): You have the right to:

  • Access — request a copy of all data we hold about you
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data ("right to be forgotten")
  • Portability — receive your data in a machine-readable format
  • Object — object to processing of your data

California residents (CCPA/CPRA): You have the right to:

  • Know — what personal information we collect, use, and disclose
  • Delete — your personal information (subject to certain exceptions)
  • Opt out of sale — we do not sell personal information
  • Non-discrimination — we will not discriminate against you for exercising your rights

To exercise any of these rights, you can use the self-service account deletion option in your dashboard Settings page, or contact us. We respond to all requests within 30 days.

8. IP Address Anonymization

We anonymize IP addresses before long-term storage. For IPv4 addresses, the last octet is replaced with zero (e.g., 192.168.1.x becomes 192.168.1.0). For IPv6 addresses, the last 80 bits are zeroed. This means we cannot identify individual users from stored IP data. Raw IP addresses are used only for real-time rate limiting and abuse prevention and are not persisted.

9. Newsletter & Commercial Email

Site owners on the platform can collect email subscribers and send newsletter campaigns through our platform, powered by Amazon SES.

Subscriber sign-up uses double opt-in: after submitting their email, subscribers receive a confirmation email and must click the confirmation link before receiving further communications.

We also send automated onboarding and engagement emails (drip campaigns) to platform users. All commercial emails include:

  • A clear unsubscribe mechanism (one-click List-Unsubscribe header)
  • A physical mailing address in the email footer (CAN-SPAM compliance)
  • Identification of the sender

You can manage your email preferences or opt out of drip campaign emails from your dashboard Settings page or by clicking the unsubscribe link in any email.

10. Children's Privacy

The Platform is not intended for users under 16. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us immediately.

11. Changes to This Policy

We may update this privacy policy from time to time. We will notify registered users of significant changes via email.

12. Contact

Questions about your data? Contact us.