Privacy Policy

Controller

Glorya GmbH

Oranienburger Straße 17, 10178 Berlin, Germany

Email: joshua@primepage.ai

More legal details: Imprint.

What data we process

• Technical data: IP address, device information, browser type, operating system, referrer URL, log data, and timestamps, collected for security, operations, and troubleshooting.
• Usage data: Page views, interactions, and in-product events. Marketing-related usage data is collected only with your consent.
• Input data: Website URLs, text instructions, images, logos, and other content you provide to generate or edit websites. This includes content scraped from URLs you submit.
• Account data: Email address, name (if provided via Google OAuth), password hash, workspace information, and avatar URL.
• Billing data: Subscription plan details, credit balances, and purchase history. Payment card details are processed directly by Stripe and never stored on our servers.
• Lead data: Information submitted through forms on generated websites (e.g. name, email, phone, files) is stored on behalf of the website owner.
• AI conversation data: Chat messages and instructions you send when generating or editing websites are stored to maintain conversation history and enable follow-up edits.
• Conversion attribution data: Advertising click identifiers (e.g. TikTok click ID, Meta attribution parameters) collected only with consent for advertising measurement purposes.

Purposes and legal bases

• Providing and securing the service (Art. 6(1)(b) GDPR for contract performance; Art. 6(1)(f) GDPR for legitimate interests in security and fraud prevention).
• Customer support and troubleshooting (Art. 6(1)(b) and (f) GDPR).
• Billing, credit management, and contract administration (Art. 6(1)(b) GDPR).
• Analytics and marketing cookies only with consent (Art. 6(1)(a) GDPR and applicable ePrivacy rules).
• In-product analytics for service improvement (Art. 6(1)(f) GDPR, legitimate interest in improving the product).
• Email and phone validation to prevent fraudulent signups (Art. 6(1)(f) GDPR, legitimate interest in platform integrity).
• Legal compliance and tax record-keeping (Art. 6(1)(c) GDPR).

Right to object (Art. 21 GDPR)

Where we process your personal data on the basis of legitimate interest (Art. 6(1)(f) GDPR), you have the right to object to such processing at any time for reasons relating to your particular situation. This applies in particular to in-product analytics, AI observability logging (Langfuse), and email/phone validation (AbstractAPI). To exercise this right, contact us at joshua@primepage.ai. Upon receipt of your objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Cookies and tracking technologies

We use essential cookies necessary for basic functionality and security. Analytics and marketing cookies are only set after your explicit consent. You can change your choice at any time via "Cookie settings" in the footer.

Marketing cookies are only set if you accept marketing/advertising cookies via the consent banner. Third-party cookies set by Meta, TikTok, or Google may have their own retention periods as described in their respective privacy policies.

Third-party processors and services

We use the following categories of service providers to operate Primepage. Depending on the configuration and your consent, these providers may process personal data as processors or independent controllers.

Hosting and infrastructure

• Vercel (USA): Application hosting, edge delivery, and serverless compute. Log data is retained for up to 1 day via Vercel Log Drain. Transfer mechanism: EU-U.S. Data Privacy Framework.
• Amazon Web Services (AWS) (EU and US regions): File storage (S3), content delivery (CloudFront), DNS routing (DynamoDB, Lambda@Edge), and SSL certificate management (ACM). Transfer mechanism: Standard Contractual Clauses (SCCs).

Authentication and data storage

• Supabase (USA): User authentication, PostgreSQL database, and session management. Transfer mechanism: EU-U.S. Data Privacy Framework / SCCs.

Payments and billing

• Stripe (USA): Payment processing, subscription management, credit grants, and billing portal. Stripe acts as an independent controller for payment card data. Transfer mechanism: EU-U.S. Data Privacy Framework / SCCs.

AI and content processing

• OpenAI (USA): AI content generation and website transformation.
• Anthropic (USA): AI content generation.
• Google (Gemini) (USA): AI content generation.
• xAI (USA): AI content generation.
• ElevenLabs (USA): AI voice generation for website media.
• HeyGen (USA): AI avatar video generation.
• Fal.ai (USA): AI image generation.
• E2B (USA): Sandboxed code execution for website preview and generation.

All AI providers listed above are based in the USA. Transfer mechanism: SCCs and/or EU-U.S. Data Privacy Framework where certified. Your inputs (URLs, text, instructions) are sent to AI providers solely to generate your requested outputs. We maintain contractual agreements that prohibit these providers from using your data for model training.

Website scraping

• Crawl4AI (self-hosted) and Firecrawl (USA): Used to extract content from URLs you provide for website generation. Transfer mechanism for Firecrawl: SCCs.

Analytics and monitoring

• PostHog (USA): Product analytics. On public pages, PostHog only activates with your consent. Transfer mechanism: SCCs.
• Sentry (USA): Error monitoring and diagnostics. Transfer mechanism: SCCs.
• Langfuse (EU): AI observability and prompt/response tracing for quality assurance. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in service quality). You may object under Art. 21 GDPR.
• Vercel Speed Insights: Anonymous performance monitoring. No personal data is collected.

Marketing and advertising (consent-only)

• Meta Pixel (USA): Conversion tracking and advertising measurement. Includes both client-side pixel and server-side Conversions API. Transfer mechanism: EU-U.S. Data Privacy Framework.
• TikTok Pixel (USA/Singapore): Conversion tracking and advertising measurement. Includes server-side Events API. PII is hashed before transmission. Transfer mechanism: SCCs.
• Google Analytics / Google Ads (USA): Where used for marketing or analytics, we rely on consent. Transfer mechanism: EU-U.S. Data Privacy Framework.

Communications

• Resend (USA): Transactional email delivery (verification, notifications, receipts). Transfer mechanism: SCCs.
• Twilio (USA): SMS and WhatsApp notifications. Transfer mechanism: EU-U.S. Data Privacy Framework / SCCs.

Integrations and utilities

• Nylas (USA): Calendar integrations for booking functionality. Transfer mechanism: SCCs.
• Entri (USA): Custom domain DNS configuration. Transfer mechanism: SCCs.
• AbstractAPI (USA): Email and phone number validation. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in preventing fraudulent signups). Transfer mechanism: SCCs.

Lead data and data processing on your behalf

When visitors submit information through forms on websites you create with Primepage (e.g. contact forms, booking requests), Glorya GmbH processes that data on your behalf as a data processor within the meaning of Art. 28 GDPR. You, as the website owner, remain the data controller for such lead data. By using the lead collection features of Primepage, you accept our Data Processing Agreement (available on request at joshua@primepage.ai), which is incorporated into these terms by reference. We will notify you of any intended changes to sub-processors used for lead data processing, giving you the opportunity to object.

International transfers

Many of our providers process data outside the EU/EEA, primarily in the United States. For each provider listed above, we have specified the applicable transfer mechanism: EU adequacy decisions, the EU-U.S. Data Privacy Framework (where the provider is DPF-certified), or Standard Contractual Clauses (SCCs) with supplementary measures where appropriate. We assess each provider's data protection measures before engagement and review them periodically.

Data security

We implement appropriate technical and organizational measures to protect your data in accordance with Art. 32 GDPR. These include encryption in transit (TLS) and at rest, role-based access controls, regular security assessments, and incident response procedures. We maintain records of processing activities as required by Art. 30 GDPR.

Data retention

We retain personal data only as long as necessary for the purposes described above. Specific retention periods:

• Account data: Duration of the account plus 30 days after deletion request, unless longer retention is required by law. To request account deletion, email joshua@primepage.ai.
• Billing and transaction records: 10 years as required by German commercial and tax law (§ 147 AO, § 257 HGB).
• Server and application logs: Vercel log drain data is retained for up to 1 day.
• AI conversation history: Retained for the duration of the associated website/account.
• AI observability logs (Langfuse): Prompt and response traces are retained for up to 90 days for quality assurance.
• Analytics data: Retained in accordance with our configured retention settings.
• Marketing/conversion data: Retained for up to 12 months, or as required for advertising attribution.
• Generated websites and media: Retained for the duration of the account. Unpublished and deleted upon account termination.

Automated decision-making

While Primepage uses AI to generate website content, this processing does not constitute solely automated decision-making that produces legal effects or similarly significantly affects you within the meaning of Art. 22 GDPR. AI-generated outputs are tools for your review; you retain full control over whether to publish or use them.

Your rights

Subject to applicable law (in particular the GDPR), you have the following rights:

• Access (Art. 15 GDPR): Request a copy of the personal data we hold about you.
• Rectification (Art. 16 GDPR): Correct inaccurate or incomplete data.
• Erasure (Art. 17 GDPR): Request deletion of your data, subject to legal retention obligations.
• Restriction (Art. 18 GDPR): Request restricted processing in certain circumstances.
• Data portability (Art. 20 GDPR): Receive your data in a structured, machine-readable format.
• Objection (Art. 21 GDPR): Object to processing based on legitimate interests. See the standalone "Right to object" section above.
• Withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at joshua@primepage.ai. We will respond to your request without undue delay and in any event within one month, as required by Art. 12(3) GDPR. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests. You also have the right to lodge a complaint with a supervisory authority, in particular the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit).

Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-product notification. The "Last updated" date below reflects the most recent revision.