Privacy Policy
Effective Date: March 20, 2026 | Last Updated: March 20, 2026
Crafty SaaS ("Company", "we", "us", "our") respects your privacy. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your personal information when you use our website builder platform ("Service").
1. Information We Collect
We collect the following categories of information:
Information you provide directly:
- Email address (at registration)
- Display name (at profile creation)
- Subdomain selection
- Website content (text, settings, SEO configuration)
- Template selection and customization preferences
Information collected automatically:
- IP address (via CDN access logs)
- Browser type and operating system (standard HTTP headers)
- Timestamps (account creation, last login, content updates)
- Feature usage data (which tools and features you use)
2. Information We Do Not Collect
We practice data minimization. We do not collect, store, or process:
- Passwords (managed entirely by Amazon Cognito)
- Payment card numbers or financial data (managed entirely by Stripe)
- Phone numbers
- Physical addresses
- Date of birth
- Social media profiles
- GPS or precise location data
- Contacts or address books
- Biometric data
We do not use cookies for tracking or advertising. We do not integrate any third-party analytics services such as Google Analytics, Facebook Pixel, or similar tracking tools.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Create and manage your account
- Host and deliver your published websites
- Process transactions and send billing-related communications
- Send service-related notifications (security alerts, updates, support)
- Improve and optimize the Service
- Respond to your requests and support inquiries
We do not sell, rent, or trade your personal information to third parties. We do not use your data for advertising, profiling, or behavioral targeting. We do not use your data or content for AI training or machine learning purposes.
4. Legal Basis for Processing
We process your personal information based on:
- Consent: You provide consent when you create an account and agree to our Terms of Service
- Contract Performance: Processing is necessary to provide the Service you have subscribed to
- Legitimate Interest: We have a legitimate interest in improving the Service and ensuring its security
- Legal Obligation: We may process data to comply with applicable laws and regulations
5. Data Storage and Security
Your data is stored on Amazon Web Services (AWS) infrastructure in the US East (N. Virginia) region. We implement the following security measures:
- AES-256 encryption at rest for all stored data (DynamoDB, S3)
- TLS 1.2+ encryption in transit for all data transfers
- AWS IAM least-privilege access controls, validated by automated security scanning (CDK-NAG)
- AWS Shield Standard DDoS protection
- CloudFront security headers (Content Security Policy, HSTS, X-Frame-Options)
Our infrastructure runs on AWS, which maintains SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, and PCI DSS Level 1 certifications.
6. Authentication
Account authentication is managed by Amazon Cognito. We never store, access, or process your password. Password security is handled entirely by AWS Cognito using industry-standard encryption (bcrypt with salt). We do not have the ability to view or retrieve your password.
7. Payment Processing
All payment processing is handled by Stripe, Inc. When you subscribe to a paid plan, your payment information is collected and processed directly by Stripe. We do not store, process, or have access to your payment card information at any time.
Stripe is certified as a PCI DSS Level 1 Service Provider, the highest level of certification in the payment card industry. For more information, see Stripe's Privacy Policy.
8. User Content
Content you create using the Service (website text, settings, configurations) is stored in our database. When you publish a website, your content becomes publicly accessible on the internet via your chosen subdomain. Draft content remains private and is only accessible to you.
You retain full ownership of your content. We do not use your content for any purpose other than providing the Service. See our Terms of Service for details on content ownership and licensing.
9. Third-Party Services
We use the following third-party services to operate the platform. Each processes data only as necessary to provide its respective function:
- Amazon Web Services (AWS) — Infrastructure, hosting, database, CDN, and authentication. AWS Privacy Policy
- Stripe, Inc. — Payment processing. Stripe Privacy Policy
We do not share your personal information with any other third parties. Data processing by AWS is governed by the AWS Data Processing Addendum, which includes Standard Contractual Clauses (SCCs) for international data transfers in compliance with GDPR.
10. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate personal information
- Deletion: Request deletion of your personal information and account
- Export: Export your data in JSON format at any time through the Service
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing of your personal information
- Withdraw Consent: Withdraw your consent at any time by deleting your account
To exercise any of these rights, contact us at ceo@craftysaas.com. We will respond to your request within 30 days.
California residents may have additional rights under the California Consumer Privacy Act (CCPA). As we do not sell, share, or trade personal information to third parties, the CCPA opt-out right does not apply to our Service.
11. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. Upon account deletion:
- Published sites are taken offline immediately
- Your data is retained for 30 days to allow recovery
- After 30 days, all personal data is permanently deleted
- Anonymized usage statistics may be retained for analytics
We may retain certain information as required by law or for legitimate business purposes (e.g., fraud prevention, dispute resolution).
12. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at ceo@craftysaas.com.
13. International Data Transfers
Your data is stored and processed in the United States (AWS US East region). If you are accessing the Service from outside the United States, please be aware that your information will be transferred to and processed in the United States.
For users in the European Economic Area (EEA) and United Kingdom: data transfers are governed by the AWS Data Processing Addendum with Standard Contractual Clauses (SCCs), ensuring an adequate level of data protection as required by GDPR. You retain all rights granted under GDPR regardless of where your data is processed.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on the Service at least 30 days before they take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
15. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at ceo@craftysaas.com.