What we keep, what we don't.
Last updated · 2026-07-10
This is a small shop. The data footprint is deliberately small. Below is the full list of what touches a database, what we don't collect, and how to make us delete what we have.
1. What we collect
- →Waitlist email + kit name — when you submit the waitlist form. Stored in our Supabase database. Purpose: one launch-day email per kit you signed up for. No newsletter, no drip sequence.
- →Order data from Polar — after you buy a kit, Polar sends us a webhook with the order ID, your email, your name (if you gave it), the product slug, amount, and currency. Stored so we can issue your download link and honor refunds.
- →Download tokens — per-order opaque strings tied to your order, with a use count and expiry. Purpose: making the download URL single-customer and time-limited.
- →DESIGN.md create activity — when you use the AI create tool, we store the prompt, recent chat history, generated response, model/status/cost metadata, a shortened SHA-256 hash of your IP address, and your user agent. Purpose: operating the feature, investigating abuse and failures, and controlling model spend. Do not submit secrets or sensitive personal information.
2. What we don't collect
- →Credit card numbers, CVVs, or any payment-instrument data — all of that stays with Polar and Polar's processors. We never see it.
- →Third-party advertising cookies or retargeting pixels. No Facebook pixel, no Google Ads tag, no affiliate tracking.
- →Session replays or keystroke tracking.
3. Analytics
We use optional analytics tools. Any combination may be active depending on deployment config:
- →Plausible — cookieless page-view analytics that does not create persistent visitor profiles.
- →Cloudflare Web Analytics — cookieless page-view and Web Vitals measurement.
- →PostHog — funnel analytics in the EU region, configured with
person_profiles: 'identified_only'and session recording disabled.
None is used for advertising. Each can be disabled per deployment by unsetting its env vars — so if you're reading this on a fork or white-label, the operator may have turned them off.
4. Sub-processors
- →Supabase — database. Sensitive tables use row-level security with default deny and server-only access; catalog install counts have an explicit public read policy.
- →Polar — checkout and Merchant-of-Record. Polar has its own privacy policy that governs the purchase transaction.
- →Resend — transactional email delivery (download links, onboarding, and included release notifications).
- →Cloudflare R2 — object storage for the kit ZIPs. Access is via signed URLs tied to your download token.
- →OpenRouter and its selected model provider — receive create-tool prompts and recent chat history to generate a DESIGN.md response.
- →Cloudflare — DNS, proxying, Turnstile abuse checks, optional web analytics, and R2. Standard security logs can include IP, user agent, URL, and challenge results.
- →Our managed VPS — hosts the Astro and Next.js applications behind Cloudflare. nginx and application logs can contain IP, user agent, URL, status, and error details.
5. How long we keep things
- →Waitlist emails — until the kit's launch follow-up is complete, then removed manually; or until you ask us to remove you, whichever comes first.
- →Order records — kept for 7 years for tax and refund-audit purposes (NZ tax law).
- →Download tokens — access expires after 7 days or 10 downloads, whichever comes first; expired or exhausted rows are removed during scheduled or manual operational cleanup.
- →DESIGN.md create transcripts — retained for up to 30 days, then removed through scheduled or manual operational cleanup. Aggregate token, cost, timing, and error metrics may be kept without the prompt or response text.
6. Your rights
You can email hi@webdesignhot.com at any time to:
- →See the data we hold about you.
- →Correct anything that's wrong.
- →Delete your waitlist entry at any time.
- →Request deletion of order records where legally allowed (note: NZ tax law requires some fields kept for 7 years).
We respond within 7 days. If you're in the EU or UK, these rights are in addition to your GDPR / UK GDPR rights, which we honor.
7. Changes to this policy
Material changes bump the "last updated" date at the top of this page. Customers get an email when the change affects how their data is handled.