Privacy Policy

How we collect, use, share, and protect your personal data — and the rights you have over it. This policy is designed to meet GDPR (EU/EEA/UK), CCPA/CPRA (California), and LGPD (Brazil) requirements.

In plain English
  • We collect only the data needed to operate the Services and run your account.
  • We never sell your personal data.
  • You have the right to access, correct, export, restrict, object to, and delete your data — at any time.
  • Payments are handled by Paddle; we never store full card numbers.
  • If we suffer a data breach affecting you, we notify you and the relevant authority within 72 hours where required.

Section 1 — Scope

1. Scope of this Policy

This Privacy Policy applies to personal data we process about visitors and registered users of LabelWebs (the "Services"). It does not apply to third-party websites or services linked from the Services, which have their own privacy policies.

Section 2 — Controller & Contact

2. Data Controller & Contact

Controller: LabelWebs
Privacy & Data Requests: [email protected]
EU/UK representative: Available on request to [email protected]

Section 3 — What We Collect

3. Categories of Personal Data We Process

| Category | Examples | Source |
|---|---|---|
| Account data | Name, email, phone, password (hashed), display name | You (sign-up) |
| Billing data | Billing name, country, postal code, last 4 of card, transaction IDs | Paddle (we never see full card numbers) |
| Usage data | Pages visited, features used, request timestamps | Automatic (server logs) |
| Device data | IP address, browser, OS, device type, language | Automatic (server logs) |
| Content data | Sites you build, AI prompts, uploaded media, lead-form submissions | You |
| Domain WHOIS | Registrant name, address, email (per ICANN policy) | You (domain registration) |
| Communication | Support tickets, feedback, survey responses | You |

We do not intentionally collect special-category data (health, religion, ethnicity, biometric, sexual orientation). Do not enter such data into the Services.

Section 4 — How We Use Your Data

4. Purposes of Processing

  1. Provide and operate the Services — account creation, authentication, hosting your sites, processing AI requests, sending transactional emails.
  2. Process payments and prevent fraud — through our merchant of record Paddle, including tax calculation and chargeback handling.
  3. Improve and develop the Services — debugging and quality assurance using aggregated, non-identifying server-log data.
  4. Communicate with you — service updates, security alerts, product announcements (you can opt out of marketing emails any time).
  5. Comply with legal obligations — tax records, domain WHOIS, response to lawful requests.
  6. Protect our rights and users — detecting abuse, enforcing the AUP, preventing security incidents.

Section 5 — Legal Basis

5. Legal Basis for Processing

EU

For users in the EU/EEA/UK, we rely on the following legal bases under Article 6 GDPR:

| Legal Basis (Art. 6 GDPR) | When We Rely on It |
|---|---|
| Contract performance — Art. 6(1)(b) | To provide the Services you signed up for, process payments, and operate your account. |
| Legitimate interests — Art. 6(1)(f) | To improve the Services, prevent fraud and abuse, and conduct limited direct marketing to existing customers (you may object). |
| Legal obligation — Art. 6(1)(c) | To retain financial records, respond to lawful requests, and comply with tax and ICANN rules. |
| Consent — Art. 6(1)(a) | For non-essential cookies, analytics where required by local law, and optional marketing communications. You can withdraw consent at any time. |

Section 6 — Sub-processors

6. Sub-processors & Sharing

We share personal data with carefully vetted sub-processors that help us deliver the Services. We require each sub-processor to provide an adequate level of protection through binding contracts that include GDPR-compliant data-processing terms.

| Sub-processor | Purpose | Region |
|---|---|---|
| Paddle.com Market Limited | Payment processing, tax, invoicing (merchant of record) | UK / Global |
| Cloudflare, Inc. | Subdomain hosting (*.labelwebs.com), DNS management, CDN, DDoS protection | Global |
| Google LLC (Gemini API) | AI generation for the website builder and CaroSpark Instagram carousel creator | Global |
| Dynadot LLC | Domain name registration on your behalf (registrar). WHOIS data submitted as required by ICANN. | US / Global |

An updated list of sub-processors is available on request to [email protected].

Section 7 — International Transfers

7. International Data Transfers

EU

Personal data may be transferred outside your country of residence, including to the Republic of Korea, the United States, and other jurisdictions where our infrastructure or sub-processors operate. For transfers from the EEA, UK, or Switzerland to a country not deemed adequate, we rely on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and supplementary measures such as encryption in transit and at rest. Copies of the SCCs in place can be requested from [email protected].

Section 8 — Retention

8. Data Retention

  1. Account data is retained for as long as your Account is active and for up to 12 months after deletion (to handle reactivation, fraud prevention, and dispute resolution), unless deletion is requested earlier.
  2. Billing and tax records are retained for the period required by Applicable Law (typically 5–10 years).
  3. Server logs and security logs are retained for up to 6 months.
  4. Backups are retained for up to 30 days and rotate out of storage automatically.
  5. When retention expires, data is deleted or irreversibly anonymized.

Section 9 — Your Rights

9. Your Rights

EU US Global

Subject to Applicable Law, you have the following rights regarding your personal data. To exercise any of them, email [email protected] from the address on file or use the in-app data tools.

  • Access: Get a copy of the personal data we hold about you, plus information about how it's processed.
  • Rectification: Correct inaccurate or incomplete data we hold about you.
  • Erasure: Ask us to delete your data when it's no longer needed (the "right to be forgotten").
  • Portability: Receive your data in a structured, machine-readable format and transmit it to another controller.
  • Restriction: Request that we limit how we process your data while a request is being verified.
  • Objection: Object to processing based on legitimate interests, including direct marketing.
  • Right to lodge a complaint: EU/UK residents may also lodge a complaint with their local data-protection authority. A list is available at edpb.europa.eu.

We respond to verifiable requests within 30 days (extendable by 60 days for complex requests) and do not charge a fee unless requests are manifestly unfounded or excessive. We will not discriminate against you for exercising your rights.

Section 10 — California
US

10. California Privacy Rights (CCPA/CPRA)

  1. Right to know what categories and specific pieces of personal information we have collected, used, disclosed, or sold.
  2. Right to delete personal information collected, subject to legal exceptions.
  3. Right to correct inaccurate personal information.
  4. Right to opt out of "sale" or "sharing" of personal information. We do not sell personal information for monetary consideration.
  5. Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes other than those permitted by CPRA.
  6. Right to non-discrimination — we will not deny services, charge different prices, or provide different quality for exercising your rights.

Section 11 — Cookies

11. Cookies & Similar Technologies

We use cookies and similar technologies to operate the Services, remember your preferences, and analyze usage. Detailed information is in the Cookie Policy.

Section 12 — Children

12. Children's Privacy

The Services are not directed to children under 16 (EU) or 13 (US) and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, contact [email protected] and we will delete it promptly.

Section 13 — Security

13. Security Measures

  1. Encryption — TLS 1.2+ in transit; AES-256 at rest for sensitive fields.
  2. Access control — least-privilege role-based access, mandatory two-factor authentication for staff with access to production.
  3. Auditing — access logs are retained and reviewed; production changes go through code review and CI checks.
  4. Backups — encrypted at rest and tested periodically.
  5. Vendor management — sub-processors undergo security review before onboarding and are reviewed periodically.

Section 14 — Breach Notification

14. Breach Notification

EU

In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware (per Article 33 GDPR) and notify affected users without undue delay where required (Article 34 GDPR).

Section 15 — Changes

15. Changes to this Policy

We may update this Policy from time to time. The effective date at the top of this page indicates when the most recent version took effect. Material changes will be communicated by email or in-product banner at least 30 days before they take effect.

Contact our DPO

Privacy questions, requests, or complaints can be sent to [email protected].