OpenSiteAI LLC
Privacy Policy
Effective Date: May 19, 2026
OpenSiteAI LLC (“OpenSiteAI,” “we,” “us,” or “our”) cares about privacy. This Privacy Policy (this “Policy”) explains how we collect, use, disclose, transfer, and protect personal information when you visit our websites (including opensiteai.com and consult.opensiteai.com), engage us for services, communicate with us, or otherwise interact with us (collectively, the “Services”).
This Policy applies to information we process as a controller (or, where applicable, as a “business” under U.S. state privacy laws). When we process personal data on behalf of one of our business clients (for example, end-user data flowing through a hosted website, dashboard, or automation we built for that client), that client is the controller (or “business”) and we act as a processor (or “service provider”). In that role, our processing is governed by our agreement with that client, including any Data Processing Addendum. Please contact the client directly for questions about its data practices.
By using the Services or providing us with personal information, you agree to the terms of this Policy. If you do not agree, please do not use the Services.
Quick Reference
Set out below is a non-binding summary of this Policy. The full Policy controls.
What we collect — Identifiers (name, email, business name), commercial information (project details, payment information processed by our payment processor), device and usage data (IP address, browser, referrers), communications, content you submit, and information from analytics and advertising partners.
Why we collect it — To provide the Services, communicate with you, process payments, secure our systems, comply with law, and (with your consent where required) for marketing.
Who we share it with — Service providers (hosting, payments, email, AI providers, analytics), our advisors, parties to a corporate transaction, and authorities where required by law. We do not sell your personal information for money.
How long we keep it — As long as needed for the purposes set out in this Policy, then we delete or de-identify it, subject to legal hold and backup retention cycles.
Your rights — Access, correction, deletion, portability, objection, restriction, withdrawal of consent (GDPR/UK GDPR); know, delete, correct, opt out of sale/sharing, limit use of sensitive data (CCPA/CPRA and similar U.S. laws).
Contact — consult@opensiteai.com.
1. Information We Collect
We collect personal information from three sources: (a) information you provide directly; (b) information collected automatically from your device and usage; and (c) information from third parties.
1.1 Information You Provide Directly
- Identifiers and contact information. Your name, business name, postal address, email address, phone number, and similar contact details when you submit a contact form, request a quote, sign an SOW, schedule a call, or interact with our consultation tool (consult.opensiteai.com).
- Account credentials. Where the Services include an account or admin dashboard, your username, password (stored using salted one-way hashing), and security questions or multi-factor authentication settings.
- Project information. Information you share about your business, project scope, brand assets, current website or platforms, integrations, content, budget, and timelines, including any files, images, copy, screenshots, or other materials you upload or send.
- Commercial and transactional information. Records of purchases, subscriptions, orders, invoices, and refunds, along with the products and services you purchase.
- Payment information. When you pay us, we use a third-party payment processor (currently Stripe) to handle payment card information. We do not store full card numbers. We receive limited information from our processor, such as the last four digits, brand, expiry, billing ZIP, and a token allowing us to charge the saved method again.
- Communications. The contents of emails, messages, support tickets, chat sessions (including AI-powered chat), call recordings (with consent where required), survey responses, and any other communications you send to us.
- Marketing preferences. Your preferences regarding marketing emails, newsletters, event invitations, and similar communications.
- Sensitive information (avoid sending). Please do not send us special-category data (such as health information, government ID numbers, or biometric data) unless we have agreed in writing that you may. If you do, you consent to our processing of it as described in this Policy.
1.2 Information Collected Automatically
When you visit our websites or use the Services, we and our service providers may automatically collect:
- Device and connection data. IP address, device identifiers, browser type and version, operating system, language preference, network carrier, screen resolution, and time zone.
- Usage data. Pages and screens viewed, time spent, referring/exit URLs, search terms, clicks, scroll depth, links followed, form interactions, and other telemetry.
- Approximate location. Derived from your IP address; we do not collect precise geolocation from your device without your consent.
- Cookies and similar technologies. See Section 5 for our use of cookies, pixels, web beacons, local storage, and SDKs.
- Logs. Server logs, security logs, error reports, and crash data.
1.3 Information from Third Parties
We may receive information about you from third parties, including:
- Analytics and advertising partners (e.g., Google Analytics, Plausible, Meta, LinkedIn) about your interactions with our marketing and website.
- Service providers that help us operate our business, such as email senders, CRM systems, and payment processors.
- Social media platforms when you interact with us there or connect a social account.
- Public sources, business directories, and similar databases (for example, to verify business information).
- Referrals from existing clients or partners.
1.4 Information from AI Features
Our Services may include AI-powered features (for example, automated drafting tools on consult.opensiteai.com or chat assistants we build for our clients). When you interact with these features, your inputs and the AI’s outputs may be processed by third-party AI providers (for example, OpenAI or Anthropic) under their respective terms. We make commercially reasonable efforts to use AI providers that do not retain or train on inputs without consent, but you should not enter information into AI features that you are not comfortable sharing under these conditions.
2. How We Use Information
We use personal information for the purposes set out below. Where required by law, we rely on the legal bases identified.
2.1 To Provide and Operate the Services
- Create and administer accounts, process orders, deliver projects, and host websites and dashboards.
- Communicate with you about your project and send transactional emails (invoices, receipts, scope confirmations, status updates, security alerts).
- Provide customer support and respond to inquiries.
- Operate, monitor, secure, and improve the Services, including troubleshooting, debugging, and quality assurance.
2.2 To Run Our Business
- Manage our finances, including billing, accounting, tax, and audit.
- Conduct internal research, analytics, product development, and benchmarking.
- Enforce our Terms of Service, prevent fraud, abuse, and security incidents, and protect our rights, property, and the rights of others.
- Comply with legal obligations and respond to lawful requests from authorities.
2.3 Marketing and Communications
Subject to your preferences and applicable law, we may use personal information to send you marketing communications about our Services, including newsletters, product updates, case studies, and event invitations. You can unsubscribe at any time using the link in any marketing email or by contacting consult@opensiteai.com. We will continue to send you transactional and relationship messages required to provide the Services.
2.4 Aggregation and De-Identification
We may aggregate or de-identify personal information so that it no longer reasonably identifies you, and we may use, disclose, and retain such data for any lawful purpose without further notice, including for analytics, benchmarking, and the improvement of our Services and AI features. We will not attempt to re-identify de-identified data unless required by law.
2.5 Legal Bases (EU / UK / Switzerland)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR/UK GDPR:
- Performance of a contract to provide the Services to you, perform an SOW, and process payments.
- Legitimate interests (balanced against your rights) to operate and secure our business, develop and improve the Services, market to existing clients, prevent fraud, and respond to inquiries.
- Consent for non-essential cookies, marketing communications to prospects, and similar processing where required. You may withdraw consent at any time without affecting prior processing.
- Compliance with legal obligations such as tax, accounting, and responding to lawful requests.
- Vital interests in rare cases to protect life, health, or safety.
3. How We Share Information
We share personal information only as described below. We do not sell your personal information for money.
3.1 Service Providers
We share personal information with vendors and contractors that process it on our behalf under written contracts requiring them to use the information only as we direct and to protect it. Categories of service providers include:
- Cloud hosting and infrastructure providers (e.g., AWS, Cloudflare, Vercel, Render).
- Domain registrars and DNS providers.
- Payment processors (e.g., Stripe).
- Customer support, ticketing, and CRM platforms.
- Email, SMS, and notification senders (e.g., Postmark, Resend, Twilio).
- Analytics and product-analytics providers (e.g., Google Analytics, Plausible, Hotjar, Microsoft Clarity).
- AI model and API providers (e.g., OpenAI, Anthropic, Google) and AI-orchestration vendors.
- Marketing, advertising, and lead-management platforms (e.g., Google Ads, Meta, LinkedIn).
- Security, anti-spam, and fraud-prevention services (e.g., Cloudflare Turnstile).
- Accounting, billing, contract, and e-signature platforms.
- Calendar, scheduling, and meeting platforms (e.g., Calendly, Zoom).
A current list of our material sub-processors is available on request to consult@opensiteai.com.
3.2 Professional Advisors
We may share information with our legal, accounting, tax, audit, insurance, and similar professional advisors as needed.
3.3 Affiliates
We may share information with our Affiliates, who will use it consistent with this Policy.
3.4 Business Transfers
We may transfer personal information in connection with a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider. We will require the recipient to honor this Policy with respect to your information or notify you of any material change.
3.5 Legal and Safety
We may disclose personal information to courts, law enforcement, regulators, and other parties as we, in good faith, believe necessary to: (a) comply with applicable law or legal process (including subpoenas, court orders, search warrants, and similar requests); (b) enforce our Terms or other agreements; (c) protect the rights, property, or safety of OpenSiteAI, our clients, end users, or others; (d) detect, prevent, or address fraud, security, or technical issues; or (e) carry out an investigation of a possible violation of law.
3.6 With Your Consent or Direction
We may share information with third parties when you direct us to do so or otherwise consent to the sharing.
3.7 No Sale of Personal Information
We do not sell personal information for monetary consideration. Some of our use of analytics and advertising cookies may constitute “sharing” or “selling” under U.S. state laws (such as CCPA/CPRA). You may opt out — see Section 9.
4. AI Features and Automated Processing
4.1 Use of AI
We use artificial intelligence and machine learning in connection with the Services, including to: (a) draft and refine outbound communications on our consultation tool (consult.opensiteai.com); (b) power chat assistants and automation features we build for our clients; and (c) improve and operate the Services. AI features rely on third-party AI providers, who are bound by their own terms and privacy practices.
4.2 What We Send to AI Providers
When you interact with an AI feature, we may transmit the relevant inputs (such as the text you type into a chat or form) to an AI provider for processing. We make commercially reasonable efforts to: (a) configure providers to not retain or train on your inputs; (b) avoid sending special-category or sensitive data; and (c) limit transmissions to what is necessary for the feature to function. You should not enter information into AI features that you are not willing to disclose under these terms.
4.3 Automated Decisions
We do not use AI or automated processing to make decisions that produce legal or similarly significant effects on you without meaningful human review. Where automated decision-making is used (for example, to detect spam, fraud, or abuse), you have the right under GDPR/UK GDPR to request human review and to contest the outcome, subject to applicable exceptions.
5. Cookies and Tracking Technologies
5.1 What We Use
We use cookies and similar technologies (collectively, “cookies”) such as web beacons, pixels, local storage, and SDKs to operate, secure, and improve the Services and (subject to your consent where required) to deliver advertising. Cookies may be set by us (first-party) or by third parties (third-party).
5.2 Categories
- Strictly necessary — Required for the Services to function (e.g., authentication, security, load balancing, cookie consent state). These cannot be disabled.
- Functional — Remember your preferences (e.g., language, region, layout).
- Analytics / performance — Help us understand how the Services are used (e.g., Google Analytics, Plausible, Hotjar, Microsoft Clarity).
- Marketing / advertising — Help us deliver and measure ads (e.g., Google Ads, Meta Pixel, LinkedIn Insight Tag).
5.3 Your Choices
Where required (including in the EU, UK, and certain U.S. states), we present a consent banner the first time you visit allowing you to accept, reject, or customize non-essential cookies. You may change your preferences at any time using the “Cookie Preferences” link in the website footer. You may also control cookies through your browser settings, and you may opt out of certain advertising through industry tools such as the Digital Advertising Alliance (https://optout.aboutads.info), the Network Advertising Initiative (https://optout.networkadvertising.org), or Your Online Choices (https://youronlinechoices.eu). Disabling cookies may affect functionality.
5.4 Global Privacy Control
We honor Global Privacy Control (GPC) signals as an opt-out of “sale” or “sharing” of personal information under CCPA/CPRA and similar U.S. state laws, where applicable. Because there is no consistent industry standard for browser “Do Not Track” signals, we do not currently respond to DNT signals.
6. Security
We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. Examples include:
- TLS encryption in transit and encryption at rest for production databases and backups.
- Role-based access controls, unique credentials, principle of least privilege, and multi-factor authentication for administrative access.
- Network firewalls, intrusion detection, regular vulnerability scanning, and patch management.
- Audit logging of access and administrative actions, retained for a reasonable period.
- Background checks (where lawful), confidentiality agreements, and security training for personnel.
- Incident response procedures and regular testing of backups and recovery.
- Vendor security reviews for new sub-processors and integrations.
No system is perfectly secure. You are responsible for keeping your account credentials confidential and notifying us immediately of any suspected unauthorized access. If we learn of a data breach affecting your personal information, we will notify you and any required authorities as required by applicable law.
7. Data Retention
We retain personal information for as long as necessary to fulfill the purposes set out in this Policy, including to provide the Services, comply with legal, accounting, and reporting obligations, resolve disputes, and enforce our agreements. When personal information is no longer needed, we delete or de-identify it, subject to:
- Backup retention cycles (typically up to 90 days).
- Legal holds and requirements to retain records (e.g., tax, contract, audit obligations).
- Aggregated or de-identified information, which we may keep indefinitely.
Specific retention periods depend on the nature of the data: contact and account information is kept for the duration of the relationship plus up to seven (7) years thereafter for accounting and statute-of-limitations purposes; transactional records are kept as required by applicable tax and accounting law; and marketing-list data is kept until you unsubscribe plus a short suppression period.
8. International Data Transfers
OpenSiteAI is based in the United States. If you are located outside the United States, your personal information will be transferred to and processed in the United States and in other countries where our service providers operate. These countries may have data-protection laws different from those of your country.
Where required by applicable law (including the GDPR and UK GDPR), we rely on appropriate safeguards for cross-border transfers, such as the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, and supplementary measures where necessary. You may request a copy of the safeguards in place by contacting consult@opensiteai.com.
9. Your Privacy Rights
9.1 Rights Under GDPR / UK GDPR / Switzerland
If you are in the EEA, UK, or Switzerland, you have the right to:
- Access: obtain confirmation of whether we process your personal data and request a copy.
- Rectification: have inaccurate or incomplete data corrected.
- Erasure: request deletion (the “right to be forgotten”) in certain circumstances.
- Restriction: request that we limit our processing.
- Portability: receive your data in a structured, commonly used, machine-readable format and have it transmitted to another controller.
- Objection: object to processing based on our legitimate interests, including direct marketing.
- Withdraw consent where processing is based on consent (without affecting prior processing).
- Lodge a complaint with your local supervisory authority.
9.2 Rights Under CCPA/CPRA (California Residents)
California residents have the right to:
- Right to Know: the categories and specific pieces of personal information we have collected about you, the sources, business or commercial purposes, and categories of third parties to whom we have disclosed personal information.
- Right to Delete: request deletion of personal information we have collected from you, subject to legal exceptions.
- Right to Correct: request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: opt out of any sale or sharing of personal information, including cross-context behavioral advertising. We honor Global Privacy Control signals.
- Right to Limit Use of Sensitive Personal Information to the extent we use such data for purposes beyond those expressly permitted by law.
- Right to Non-Discrimination: we will not discriminate against you for exercising any right under CCPA/CPRA.
You may designate an authorized agent to make a request on your behalf, subject to applicable verification requirements.
9.3 Other U.S. State Privacy Rights
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, and other U.S. states with comprehensive privacy laws may have similar rights (such as access, deletion, correction, portability, and opt-out of targeted advertising, profiling, and certain processing). We will honor those rights to the extent required by applicable law.
9.4 Australia, Brazil, and Other Jurisdictions
Residents of other jurisdictions (including Australia, Brazil, Canada, Japan, Korea, Singapore, and others) may have rights under applicable local law. Please contact consult@opensiteai.com to exercise them.
9.5 How to Exercise Your Rights
Submit a request by email to consult@opensiteai.com or through any rights-request form we may post on our website. To protect your information, we may need to verify your identity (typically by confirming details from your account or a recent communication). We will respond within the time required by applicable law (generally 30 days under GDPR; 45 days under CCPA/CPRA, extendable as permitted). If we deny a request, we will explain why and how to appeal.
9.6 Where We Are a Processor
If your data was provided to us by one of our business clients (for example, you submitted a form on, registered with, or otherwise interacted with a site or app we built and host for that client), the client is the controller and you should direct your privacy rights request to that client. We will assist them in responding as required by our contract with them.
10. Children
The Services are not directed to children under 16 (or under 13 in the United States, as defined by COPPA), and we do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without verifiable parental consent, we will delete it. Parents or guardians who believe their child has provided us with personal information may contact consult@opensiteai.com.
11. Third-Party Websites and Services
The Services may contain links to, or integrations with, third-party websites and services that are not operated by us. We are not responsible for the privacy practices of those third parties. Please review their privacy policies before providing them with information.
12. When We Act as Processor / Service Provider
When we process personal data of a client’s end users on the client’s behalf — for example, where we host a client’s website, operate an admin dashboard for them, run a chatbot, or operate an automation that touches end-user data — the client is the controller (or, under CCPA/CPRA, the “business”) and OpenSiteAI is the processor (or “service provider”).
In that role, our processing is governed by our agreement with the client, including, where applicable, a Data Processing Addendum. We will not sell or share such personal information, will not use it for our own purposes outside the direct business relationship with the client, and will not combine it with personal information from other sources except as permitted by law. If you are an end user of one of our clients and have privacy questions or requests, please contact that client directly.
13. Changes to This Policy
We may update this Policy from time to time. The “Effective Date” at the top reflects the latest update. If we make material changes, we will provide notice through the Services or by email at least thirty (30) days before the changes take effect, except for changes required by law, which may take effect immediately. Your continued use of the Services after the effective date constitutes acceptance.
14. Contact Us
If you have questions, comments, or complaints about this Policy or our privacy practices, please contact:
Attn: Privacy Officer
Email: consult@opensiteai.com
Legal: consult@opensiteai.com
Website: https://opensiteai.com
We will work in good faith to resolve any complaint. If you are in the EEA, UK, or Switzerland, you also have the right to lodge a complaint with your local supervisory authority. If you are in California, you may also contact the California Attorney General’s Office.
© 2026 OpenSiteAI LLC. All rights reserved.