Privacy Policy

1. Information we collect

1.1 What you provide when creating an account

• Name and email address;
• Google OAuth ID (if you sign in with Google);
• Legal contact name and phone number, as required under Thai law;
• Site name, slug, and chosen plan;
• Payment details processed by Stripe or PayPal — we do not store full card numbers;
• IP address, user-agent, and login times for security purposes.

1.2 Content you create

Posts, pages, themes, uploaded media, and any other content you publish through the Service.

1.3 Information from your site visitors

Only the data your sites collect themselves — such as subscriber emails, member sign-ups, order details, comments, and so on. You decide what to collect; we simply store and process it on your behalf.

2. How we use your information

• To operate, maintain, and improve the Service;
• To authenticate you (sign-in);
• To process payments;
• To send transactional email (login codes, billing receipts, security alerts);
• To respond to support requests;
• To detect, prevent, and investigate fraud and abuse;
• To comply with legal obligations;
• To send product news and announcements when you opt in.

3. Cookies and similar technologies

• sw_session — HttpOnly authentication cookie;
• portal_locale — localStorage entry that remembers your language preference;
• We do not use third-party advertising or behavioral-tracking cookies on the Portal;
• Sites you publish may set cookies that you configure — that's under your control.

4. Sub-processors and third-party services

To operate the Service, we rely on the following providers:

• Cloudflare — Workers (hosting & API), Durable Objects (tenant content & members), D1 database (platform records), R2 object storage (media), KV cache, and global CDN (data may be replicated globally);
• Google — Sign-In OAuth (basic profile information only);
• Stripe and PayPal — payment processing;
• Resend — transactional email delivery;
• Google Gemini or other AI providers — only when you supply your own API key for AI features.

We have written agreements (DPAs) in place with our sub-processors where required by law.

5. How we share your data

• We do not sell or rent your personal data;
• We share data with the sub-processors listed above as needed to operate the Service;
• We may disclose data to comply with the law, a court order, a government request, or a fraud investigation;
• In a business transfer (merger or acquisition), data may be transferred along with the business, with reasonable advance notice.

6. Visitors of your sites

For data your sites collect from your visitors, you are the data controller and we are the data processor.

You are responsible for:

• publishing a privacy notice on your site;
• establishing a lawful basis for processing;
• obtaining consent from visitors where required by law;
• responding to data-subject requests from your visitors.

We provide tools (export, delete, search by email) to help you fulfil these obligations.

7. Data retention

• Active accounts — retained for as long as the account is active;
• Cancelled accounts — data is deleted on cancellation; backups expire on a 30-day rolling window;
• Inactive Free accounts — 12+ months idle → email warning → 30 days → archived/deleted;
• Activity logs — retained for security purposes for a reasonable period;
• Accounting and tax records — retained as required by Thai law (typically 5 years for tax records).

8. Your rights under PDPA

As a data subject, you have the following rights:

• Access — request a copy of the personal data we hold about you;
• Rectification — request correction of inaccurate data;
• Erasure — request deletion ("right to be forgotten");
• Restriction — request that we limit how we process your data;
• Portability — request a copy of your data in a portable format (Pro and Business plans include site export; for account-level data, contact us);
• Objection — object to certain types of processing;
• Withdraw consent — for processing that relies on consent;
• Lodge a complaint — with the Personal Data Protection Committee (PDPC) of Thailand.

To exercise any of these rights, email [email protected]. We respond within 30 days.

9. International data transfers

SeedWebs runs on Cloudflare's global edge network, which means your data may be stored or processed in any of Cloudflare's data centers worldwide.

Cloudflare maintains transfer safeguards (Data Processing Agreements, Standard Contractual Clauses) where required. Stripe, PayPal, Resend, and AI providers may also process data in their respective regions.

10. Children

The Service is not directed at children under 18. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with data, contact us and we will delete it.

11. Security

• HTTPS everywhere;
• Encryption at rest (Cloudflare D1, R2, KV);
• Short-lived JWT tokens for API authentication and HttpOnly cookies for admin sessions;
• We do not store passwords — you sign in with Google OAuth or one-time email codes;
• You are responsible for keeping your sign-in method secure.

No security system is perfect. If a breach occurs, we will notify you as required by applicable law.

12. Changes to this Policy

We may update this Policy from time to time. For material changes we will give at least 30 days' notice by email and/or in-product notice. Continued use of the Service after the effective date means you accept the updated Policy.

13. Contact

If you have questions about this Privacy Policy, or wish to exercise your rights under PDPA, email us at [email protected]. Please mark your email "Privacy" so we can prioritize the response.