Privacy Policy

Data We Collect

We collect account information such as email address, account name, OAuth client details, login and consent records, and support messages.

We store the digital cards, contact pages, mini websites, drafts, revisions, media metadata, public URLs, lead-form configuration, and tool-call metadata needed to provide the service. When an MCP client provides it, this may include the user's initial natural-language request for a page.

Anonymous demo pages receive edit tokens and claim links. Treat them as private links: anyone with the edit token can modify the demo page until it expires or is claimed.

We collect operational data such as IP address, user agent, timestamps, requested MCP tool, rate-limit bucket, error metadata, security events, and redacted MCP request/response summaries for debugging, abuse prevention, and product quality review. We do not store provider API keys for normal production MCP usage.

How We Use Data

We use data to authenticate users, create and publish pages, maintain revision history, prevent abuse, debug incidents, respond to support requests, and comply with legal obligations.

The user's AI client is responsible for model inference. Create Web Page receives MCP tool calls and stores the resulting website data; it does not need OpenAI, Anthropic, or other model-provider keys for normal production use.

Sharing And Processors

We use trusted service providers for hosting, database, storage, DNS, security, email delivery, analytics, support, and payments when enabled.

Published pages are public by design. Preview and claim URLs are unguessable but should be treated as shareable links by anyone who receives them.

Retention And Deletion

Anonymous demo pages expire after 48 hours unless claimed into an account. Claimed pages and registered-account data are retained while the account is active and for up to 90 days after account deletion, except where longer retention is required by law.

Operational MCP logs (IP address, tool name, rate-limit events, redacted request/response summaries) are retained for up to 90 days for security, debugging, abuse prevention, and analytics. Security incident records may be retained for up to 3 years. Logs are redacted before operational review and do not include provider API keys or authentication secrets.

To request access, correction, deletion, portability, or objection to processing, contact legal@create-web-page.com.

International Transfers And Rights

Data may be processed in the European Union, the United States, or other regions where our processors operate. We use contractual and technical safeguards appropriate for the service.

Depending on location, users may have rights under GDPR, LOPDGDD, and other privacy laws, including the right to complain to a supervisory authority.