Privacy policy
Effective 2026-04-20.
We collect the minimum data needed to run the service. We never sell it. This page tells you what we keep, why we keep it, who else sees it, and how to make us delete it.
What we collect
| Data | Why |
|---|---|
| Name + email | Your account, billing receipts, support replies. |
| Business info (name, services, cities, phone) | To generate your site content and the LocalBusiness schema. |
| Payment info | Handled by Stripe. We see only a token + the last 4 digits. |
| Domain registration contact | Required by ICANN. We use our own contact for WHOIS privacy unless you opt out. |
| Support tickets | Your messages to us, kept for as long as the account exists. |
| Login + session cookies | So you stay logged in. Strictly necessary. |
| Server logs | IP, user agent, URL — kept 30 days for security/debugging. |
What we don't collect
- No third-party advertising or behavioral tracking on the marketing site.
- No analytics that identify you across sessions (we use server logs only).
- No social media trackers, no Facebook pixel, no Google Analytics on the marketing site.
- Your generated customer site can have analytics added on request — but only ones you choose.
Who we share it with
We share data with these processors strictly to run the service:
- Stripe — billing. Their privacy policy: stripe.com/privacy.
- HostGator — hosting your generated site.
- Cloudflare — DNS for your domain.
- Namecheap — domain registration.
- Resend — sending the transactional emails (receipts, password resets, ticket replies).
- Anthropic — AI content generation. We send your business inputs (services, cities, phone) but no PII unrelated to the site.
We don't sell your data, ever. We don't share it with anyone outside this list.
Data your site collects
Your site (e.g., the contact form) collects whatever your visitors submit. We store those submissions and forward them to your inbox. You're the controller of that data — your own privacy practices apply to your visitors, not ours.
Cookies
We use two cookies:
- A session cookie so you stay logged in. Expires when you log out or your browser session ends.
- A CSRF token cookie so form submissions can't be forged. Expires with the session.
No third-party cookies on the marketing site.
How long we keep it
- Account + billing data: as long as your account is active, plus 7 years for tax/accounting.
- Site backups: 30 rolling days off-site.
- Support tickets: 2 years after the ticket is closed.
- Server logs: 30 days.
Your rights
You can ask us to:
- Show you what we have on file.
- Correct inaccurate data.
- Delete your account and data (we'll keep billing records for tax compliance).
- Export your generated site (full code + assets) at any time.
Email hello@kyopsec.com. We respond within 30 days, usually same week.
Security
- All traffic is HTTPS, end to end.
- Passwords are bcrypt-hashed; we can't see them.
- Database access is restricted to the platform service account.
- Daily off-site encrypted backups; 30-day retention.
- If we ever experience a data breach affecting you, we'll notify you within 72 hours per applicable law.
Children
The service is for businesses. We don't knowingly collect data from anyone under 18.
Jurisdiction
We're operated from Central Kentucky. This policy is governed by US law. If you're in the EU/UK, you have additional rights under GDPR/UK GDPR — same email above to exercise them.
Changes
We may update this policy. Material changes get an email at least 14 days before they take effect.
See also: Terms of service.