1. Summary
Fasite is a website-as-a-service for trades and home-services businesses. We help small business owners launch a site, collect leads from that site, and manage paying customers. This policy explains what we collect, why, who we share it with, and the rights you have over your data.
- If you are a Fasite customer (a business that signed up for our service), we collect your account info, billing details (through Stripe), and the business intake you provide so we can build and run your site.
- If you submitted a contact form on a Fasite-built site (e.g. you asked a landscaper for a quote), we collect your contact info and request on behalf of that business so they can reply to you. We act as a processor for them — the business itself is the controller of that data.
- We do not sell or share personal information for cross-context behavioral advertising.
- We do not run analytics, session recording, or third-party tracking cookies on our marketing site or customer dashboards today.
- We do not use customer business data or end-user lead data to train AI models. Our AI generation pipeline only sees the business intake you provide for the purpose of building your site.
2. Scope and Our Role
This policy covers personal information processed through:
- Our marketing site at fasite.org, the customer dashboard at fasite.org/dashboard, and the admin console (operated internally by Fasite).
- Customer-facing websites we host on customer subdomains (*.fasite.org) and custom domains pointed at our infrastructure.
For account, billing, and business-owner data, Fasite is the data controller. For data submitted through a contact form on a customer's Fasite-built site (a "lead"), Fasite is the processor acting on behalf of the customer business. Each customer business is the controller of the leads collected through their site.
3. Information We Collect
3a. Information you provide directly (Fasite customers)
- Account identifiers: name, email, password (hashed; we never see the plaintext), profile photo (optional).
- Business intake: business name, phone, email, street address, service area, years in business, services offered, certifications, tagline, target audience, brand voice preferences, niche, and color palette. We use this to generate and host your site.
- Billing information: payment method, billing email, subscription status. Card numbers are handled by Stripe — Fasite never stores them. We retain a Stripe customer ID and subscription metadata locally.
- Support communications: any email, chat, or form messages you send us.
3b. Information collected from end users (visitors to a customer's site)
When someone fills out a contact form on a Fasite-hosted site, we collect what the visitor enters on behalf of the business that owns the site:
- Contact name, email, phone
- Property or job-site address (free-form text)
- Service type requested
- Free-form message
- Submission metadata: timestamp, the source page, the business ID it was submitted to
We do not retain visitor IP address or user-agent in our lead database. Our hosting providers (Vercel, Render) keep short-term request logs that may include this information for fraud prevention and infrastructure security.
3c. Information collected automatically
- Authentication cookies: Supabase session cookies (sb-<ref>-auth-token, set as HTTP-only). These are strictly necessary for sign-in.
- Server logs: Vercel and Render keep request metadata for operational and security purposes. Retention is governed by their respective policies.
- No analytics, tracking pixels, or session recording: Fasite does not currently load Google Analytics, Meta Pixel, LinkedIn Insight, Hotjar, FullStory, PostHog, Plausible, Mixpanel, Segment, or any equivalent. If we add any in the future, this policy will be updated and we will notify existing customers in advance.
3d. Information from third parties
- Google Business Profile (optional): if you connect your Google Business Profile via OAuth, we receive an OAuth access token and refresh token scoped to your business profile and review data. We use these to sync your business hours, posts, and reviews and (with your action) reply to reviews. You can revoke access at any time from your Google account settings.
Other third-party integrations exist in our codebase but are not active in production today (Google Places API, Facebook / Meta integration). If we activate them in the future, this policy will be updated and active customers will be notified before any of your data is sent to them.
4. How We Use Information
For each purpose below, we identify the GDPR lawful basis.
- Provide the Service (build, host, and bill your site; deliver leads to you). Lawful basis: contract (GDPR Art. 6(1)(b)).
- Generate site content via AI. We pass your business intake to large language model providers (currently OpenAI) and image generation providers (currently fal.ai) for the purpose of producing your site. We do not pass lead data, customer messages, or visitor information to these providers. Lawful basis: contract.
- Email notifications for new leads. When a lead is submitted, we email the business owner via Resend. The email contains the lead's contact information and message. Lawful basis: contract (for the customer); legitimate interest of the business (for the end user, which the customer business is responsible for).
- Account security and fraud prevention (rate limits, spam filtering on lead forms, audit logs of admin actions). Lawful basis: legitimate interest (GDPR Art. 6(1)(f)).
- Billing and tax compliance. We retain subscription records as required by accounting law. Lawful basis: legal obligation (GDPR Art. 6(1)(c)).
- Service improvement. We may use aggregate, de-identified metrics (number of leads received, sites published, generation latency) to improve the platform. We do not use identifiable customer or end-user data to train AI models. Lawful basis: legitimate interest.
- Support and communication. Lawful basis: legitimate interest.
5. How We Share Information
We share personal information with the following categories of third parties for the purposes described. We do not sell personal information.
- Hosting and infrastructure: Vercel (customer site hosting, admin and customer dashboards), Render (API backend), Supabase (authentication and PostgreSQL database, US East), Upstash (Redis for job queues), Cloudflare R2 (image and asset storage).
- Payments: Stripe handles card processing, subscription billing, and tax collection. Stripe receives your name, email, billing address, and card data directly. Their privacy policy governs payment data.
- Email delivery: Resend delivers transactional email (lead notifications, password resets, billing receipts).
- AI generation: OpenAI (LLM inference for site copy and SEO content) and fal.ai (image generation). They receive only the business intake you provide. They do not receive lead data, visitor data, or payment information.
- Google Business Profile (optional): if you connect your Google Business Profile, we use Google's Business Profile APIs via OAuth to sync your profile, posts, and reviews. Only the data needed to operate this sync is exchanged. Google's privacy practices govern data on their side.
- Custom-domain provisioning: when you connect a custom domain, we call the Vercel API to provision and serve it. Domain name, your business ID, and DNS metadata are sent to Vercel for this purpose.
- Legal and safety: we may disclose information if required by law, subpoena, court order, or to prevent fraud or abuse.
- Business transfers: in the event of a merger, acquisition, or sale of assets, your data may be transferred subject to the same protections described here.
6. Cookies and Tracking Technologies
Fasite uses only strictly necessary cookies for authentication. We do not use advertising, analytics, or social-media tracking cookies. Because we do not engage in cross-context behavioral advertising and do not load tracking pixels, browser Do Not Track and Global Privacy Control signals do not currently affect what we do — there is nothing for them to opt out of.
If we add analytics or marketing cookies in the future, we will update this policy and present a cookie consent prompt to visitors in jurisdictions that require one (e.g. EU ePrivacy).
7. Data Retention
- Account and profile data: retained while your account is active. Deleted within 30 days after final account termination, subject to legal-hold exceptions.
- Business intake and generated site content: retained while your subscription is active. Soft-deleted on cancellation and fully purged by our weekly cleanup job once retention expiry is reached.
- Leads (visitor submissions): retained until the customer business deletes them or terminates their account, then purged with the business.
- Billing records: retained as long as required by tax and accounting law (typically 7 years in the US).
- Audit logs: retained indefinitely for security and compliance purposes; access is limited to operations personnel.
- Server access logs: retained by Vercel and Render per their policies (typically 30–90 days).
8. Security
We use industry-standard safeguards including TLS encryption in transit, encrypted-at-rest databases through Supabase, scoped service-role credentials, row-level security policies on customer-data tables, password hashing via Supabase Auth, and limited admin access logged via an audit trail. No system is perfectly secure; we will notify affected users without undue delay (and within statutory windows where applicable) in the event of a personal-data breach.
9. International Data Transfers
Fasite is based in the United States. Our infrastructure runs primarily in US data centers (Supabase US East, Vercel and Render US regions). If you access Fasite from outside the US, your data will be transferred to and processed in the US. Where required for EU/UK/Swiss data, we rely on Standard Contractual Clauses with our subprocessors and intend to certify under the EU–US Data Privacy Framework. Contact us at privacy@fasite.org for the current list of subprocessor transfer mechanisms.
10. Your Privacy Rights
10a. Everyone
Regardless of location, you can email privacy@fasite.org to request a copy of the personal information we hold about you, to correct inaccurate information, or to request deletion. We will verify your identity before acting on requests that involve personal data.
10b. European Economic Area, UK, and Switzerland (GDPR / UK GDPR)
You have the right to:
- Access your personal data
- Rectify inaccurate or incomplete data
- Erase your data (the "right to be forgotten")
- Restrict processing
- Object to processing based on legitimate interest
- Data portability (receive your data in a portable format)
- Withdraw consent at any time, where consent was the basis
- Lodge a complaint with your national data protection authority
Fasite does not currently appoint an EU representative because we do not specifically target the EU market. We will appoint one if we cross the GDPR Article 27 threshold or expand to EU-focused operations.
10c. California (CCPA / CPRA)
California residents have the right to know what personal information we collect, the right to delete it, the right to correct it, the right to opt out of sale or sharing (we do not sell or share, so this right is honored by default), the right to limit use of sensitive personal information, the right to non-discrimination for exercising these rights, and the right to data portability.
Categories of personal information collected in the past 12 months: identifiers (name, email, phone, address), commercial information (subscription details), internet activity information (authentication session, request metadata), geolocation (business address only), and professional information (business attributes you provide). We do not collect biometric, health, or precise geolocation data.
To exercise California rights, email privacy@fasite.org with the subject "California Privacy Request".
10d. Other US states
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, New Hampshire, New Jersey, Tennessee, and Maryland have similar rights under their respective state privacy laws. Send requests to the same email with your state and the action you want taken.
11. Do Not Sell or Share My Personal Information
Fasite does not sell personal information and does not share it for cross-context behavioral advertising. No opt-out is necessary. We do not require a "Do Not Sell or Share My Personal Information" link because there is nothing to opt out of. If this changes, we will update this policy and provide the link before any such sharing begins.
12. Children's Privacy
Fasite is intended for business owners and is not directed to children. We do not knowingly collect personal information from anyone under the age of 16. If you believe a child has provided us with personal information, email privacy@fasite.org and we will delete it.
13. Third-Party Links
Fasite-built sites and our marketing pages may link to third-party websites. We are not responsible for the privacy practices of those sites; check their respective policies.
14. Automated Decision-Making
Fasite uses AI models (LLMs and image generators) to create website content based on the business intake you provide. This is not used to make decisions about you with legal or similarly significant effects (it does not determine eligibility for services, pricing, credit, or employment). You can request that we manually review or override any AI-generated content on your site by contacting support.
15. Changes to This Policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. For material changes, we will provide reasonable advance notice by email to active customers and a banner on the marketing site. Continued use after the effective date of an update constitutes acceptance.
16. Contact Us
- Privacy questions, data requests, or complaints: privacy@fasite.org
- Legal notices, DMCA, or contract questions: legal@fasite.org
- General account or product help: support@fasite.org
See our Terms of Service for the contract terms governing use of Fasite.