Legal
Privacy Policy
Last updated: May 26, 2026
This Privacy Policy explains how sitebook ("sitebook", "we", "us") collects, uses, and protects personal data when you use the marketing site at sitebook.app and the dashboard at dashboard.sitebook.app (together, the "Service"). It is written to satisfy Articles 13 and 14 of the EU General Data Protection Regulation (GDPR) and equivalent Dutch implementing rules.
1. Who is the controller
sitebook is operated from the Netherlands. The data controller is the sitebook operator. Until our company details are finalised on the public imprint page, you can reach us at hello@sitebook.app. The imprint page (KvK number, VAT number, registered address) will be linked from the footer.
2. What data we collect
We collect only what we need to run the Service.
Account data
- Email address — to sign you in and send transactional emails.
- Display name — what other project participants see next to your changes in the activity log.
- Authentication metadata — sign-in timestamps, IP address of the request, magic-link usage, password reset events. Used to secure your account.
Project content you create
- Projects, milestones, costs, participants, notes, dates — everything you type into a project.
- Photos and documents you upload — we strip EXIF GPS metadata before storage. Photos may include image content of your home; please don't upload anything you do not want stored.
- Activity / audit log — every date or scope change is recorded with the actor, timestamp, before-value and after-value. This is a core feature of the Service and is intentionally tamper-evident.
Billing data
- Payment data is handled by Lemon Squeezy, our merchant of record. We never see or store full payment-card numbers. We receive only your billing email, order ID, plan, country (for tax purposes), and subscription status from Lemon Squeezy via webhooks.
Technical and usage data
- Server logs — IP address, user-agent, request path, timestamp. Used for abuse prevention and debugging. Logs are rotated automatically.
- Contact form metadata — when you submit the contact form at sitebook.app/contact, we also store the IP address and browser user-agent of the request alongside your name, email, and message. We use these only to enforce rate limits and prevent spam (legitimate interest, Art. 6(1)(f)). The full submission, including IP and user-agent, is deleted automatically 90 days after submission.
- Product analytics — only after you accept analytics cookies (see Section 8). We use PostHog (EU region) for product analytics and do not build cross-site profiles.
3. Why we use it (legal basis)
Under GDPR Article 6(1), each processing activity has a specific legal basis:
| What we do | Legal basis |
|---|---|
| Provide the Service you signed up for (accounts, projects, sharing) | Performance of a contract — Art. 6(1)(b) |
| Send transactional emails (sign-in links, invites, billing receipts) | Performance of a contract — Art. 6(1)(b) |
| Maintain the audit log of project changes | Performance of a contract + legitimate interests (record integrity) — Art. 6(1)(b)/(f) |
| Process payments and meet bookkeeping duties | Legal obligation (Dutch bookkeeping law) — Art. 6(1)(c) |
| Prevent abuse, fraud, and secure the platform | Legitimate interests — Art. 6(1)(f) |
| Optional product analytics and marketing measurement | Consent — Art. 6(1)(a) (cookie banner) |
4. How long we keep it
- Active account data — for as long as your account exists.
- Deleted accounts — when you delete your account, the account enters a 30-day soft-delete grace period during which deletion can be reversed by contacting support. After 30 days, the account and all associated project content are hard-deleted from the primary database. You will receive a confirmation email when hard deletion completes.
- Project content from cancelled projects — retained for the lifetime of the account so you keep your final PDF dossier.
- Photos — kept while the project exists; deleted with the project or the account, whichever comes first.
- Billing records and invoices — kept for seven (7) years to comply with Dutch bookkeeping law (Article 52 of the General Tax Act).
- Server logs — retained for up to 30 days, then deleted.
- Contact form submissions — retained for 90 days after submission, then deleted automatically (including the IP address and user-agent captured for spam prevention). If your message led to ongoing correspondence, that email thread is governed by the retention of your mailbox, not this table.
- Backups — encrypted database backups may persist for up to 30 days after deletion before being overwritten.
5. Sub-processors
We use a small set of vetted sub-processors to deliver the Service. Each is bound by a Data Processing Agreement (DPA) incorporated into their terms.
| Sub-processor | Purpose | Location | Privacy / DPA |
|---|---|---|---|
| Supabase Inc. | Authentication, primary database, file storage, edge functions | EU region | Privacy · DPA |
| Vercel Inc. | Hosting of the marketing site and dashboard | EU region | Privacy · DPA |
| Resend, Inc. | Transactional email delivery (sign-in, invites, receipts) | EU region (DPA covers US transfer if applicable) | Privacy · DPA |
| Lemon Squeezy LLC | Merchant of record — payment processing, invoicing, VAT/sales-tax collection | United States | Privacy · DPA |
| PostHog Inc. | Product analytics (only with your consent) | EU region (eu.posthog.com) | Privacy · DPA |
| Google LLC — Gemini API | AI-Socratic onboarding to help structure your project plan | United States | Privacy · Cloud DPA |
6. International transfers
Two of our sub-processors are based in the United States: Lemon Squeezy (payments) and Google Gemini (AI-Socratic onboarding). Where personal data is transferred outside the European Economic Area (EEA), we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework. The relevant clauses are incorporated into each sub-processor's DPA, linked in the table above.
AI-Socratic onboarding sends the text you type during onboarding (project description, room descriptions) to Google Gemini for completion. Don't paste sensitive personal data into onboarding prompts.
7. Your rights
Under GDPR, you have the following rights:
- Access (Art. 15) — request a copy of the personal data we hold about you.
- Rectification (Art. 16) — correct inaccurate personal data.
- Erasure / "right to be forgotten" (Art. 17) — delete your account from Settings → Account. A 30-day soft-delete grace period applies; after that, data is hard-deleted.
- Restriction (Art. 18) — limit how we process your data while a request is being resolved.
- Portability (Art. 20) — export your data as a ZIP bundle (projects, milestones, costs, participants, audit log, original photos) from Settings → Account.
- Objection (Art. 21) — object to processing based on legitimate interests.
- Withdraw consent (Art. 7) — for processing based on consent (analytics, marketing cookies), withdraw at any time via the "Cookie settings" link in the footer.
To exercise any of these rights, email hello@sitebook.app. We respond within 30 days.
8. Cookies and similar technologies
We use a small number of strictly necessary cookies (sign-in session, CSRF protection, checkout). Non-essential cookies (analytics, marketing) are loaded only after you accept them in the cookie banner. See the Cookie Policy for the full inventory.
9. Automated decision-making
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you (GDPR Art. 22). The AI-Socratic onboarding helps you structure your project plan based on what you type, but every change to your project is made by you — sitebook does not make binding decisions on your behalf.
10. Children
The Service is intended for adults running residential renovations. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Security
We protect your data with industry-standard measures: encrypted connections (HTTPS/TLS), encrypted database storage and backups, row-level security in the database, scoped storage policies, audited access controls, rate limiting on authentication endpoints, and incident monitoring. No system is perfectly secure; if you spot a vulnerability, please email hello@sitebook.app.
12. Changes to this policy
If we change this Privacy Policy in a way that materially affects your rights, we'll notify you by email and update the "Last updated" date at the top of this page. Continued use after the change means you accept the updated policy.
13. Complaints
If you believe we've mishandled your personal data, please contact us first at hello@sitebook.app so we can try to resolve it. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.