SiteMagic — Privacy Policy
This Privacy Policy explains what personal information SiteMagic collects, why we collect it, how we use it, who we share it with, and the choices you have. It applies to everyone who uses the SiteMagic service through @SiteMagicBot on Telegram, and to the marketing website at sitemagic.co.
If you also build a website with SiteMagic, this policy explains how we handle your information as a SiteMagic customer. Section 8 explains separately what happens with information collected from visitors of the websites we build for you.
1. Plain-language summary
The short version:
- We collect what we need to chat with you, build your website, and bill you — and not much more.
- We do not sell your data, ever.
- AI processing is done by Anthropic (Claude) under their commercial API terms, which means your messages and photos are not used to train AI models.
- Payments go through Stripe — we never see or store your card details.
- We keep your data for as long as you are a customer, and for 90 days after cancellation in case you come back. Tax-related records are kept longer because the law requires it.
- You can ask us at any time to see, correct, export, or delete your information. Email team@sitemagic.co.
The rest of this document explains the same thing in more detail.
2. Information we collect about you
2.1 Information you give us through the bot
When you use @SiteMagicBot on Telegram, we collect the information you (or Telegram) send us:
- Telegram identifiers: your Telegram user ID, your Telegram first name, and your Telegram @username (if you have one set). These come from Telegram automatically when you message the bot.
- Conversation content: the text messages you send to the assistant, the assistant's replies, and any context the assistant builds up about you and your business over time.
- Business information you share: your business name, contact details (phone number, email, physical address — whatever you choose to put on your website), descriptions of your services, hours, and similar facts.
- Files you send: photos, logos, and documents (
.md,.txt,.docx, image files) you upload through the chat. Photos are converted to web-friendly formats and stored.
You decide what to send. If you don't want certain information on your website, don't send it.
2.2 Information collected automatically
When you use the service, we also record:
- Activity events: what was generated, what tasks were created, when they completed or failed, and similar operational events. This is used to operate and improve the service and to recover from errors.
- Rate-limit records: when you sent messages, so we can enforce per-user rate limits.
We do not collect IP addresses, browser fingerprints, device identifiers, location data, or advertising IDs from you.
2.3 Billing information (paid plans)
When you subscribe to a paid plan, payment is processed by Stripe. Stripe collects your payment method details, billing address, and any other information needed to process the payment.
We never see or store your full card number. Stripe gives us back only:
- A Stripe customer ID (so we know which account belongs to which Telegram user)
- Your subscription plan and status
- Whether the most recent payment succeeded or failed
Stripe's own privacy practices apply to the data you give them directly. See: https://stripe.com/privacy.
2.4 Domain registration (Premium plan only)
If you subscribe to the Premium plan, we register a domain on your behalf through Namecheap. Domain registration requires us to submit registrant contact information (name, address, email, phone) on your behalf. We collect this information from you in chat for that purpose only and submit it to Namecheap. Once submitted, Namecheap's privacy practices apply to that data — see https://www.namecheap.com/legal/general/privacy-policy/.
2.5 The marketing site (sitemagic.co)
The sitemagic.co marketing website does not set tracking cookies. We may add privacy-friendly analytics in the future to count anonymous page visits — if and when we do, this Privacy Policy will be updated to describe exactly what is collected.
If you click a Stripe Checkout link from sitemagic.co or from a chat message, Stripe's hosted checkout page sets its own cookies to process your payment securely. Those cookies are operated by Stripe, not by us, and are governed by Stripe's privacy policy.
3. Why we use this information (and the legal basis)
We use the information we collect to:
| Purpose | Why we need it | Legal basis (GDPR) |
|---|---|---|
| Run the chat conversation and reply to you | This is the core of the service | Performance of a contract |
| Generate, edit, and publish your website | This is what you are paying for | Performance of a contract |
| Process payments and manage your subscription | We need to bill you and keep your account active | Performance of a contract |
| Send service notifications through Telegram | So we can tell you when your site is built, when payment fails, etc. | Performance of a contract |
| Enforce rate limits and prevent abuse | Protect the service from misuse | Legitimate interest |
| Detect and fix bugs, errors, and outages | Keep the service working | Legitimate interest |
| Comply with tax, accounting, and other legal obligations | Required by law | Legal obligation |
We do not use your data for advertising, profiling, or any purpose unrelated to running SiteMagic.
4. AI processing
SiteMagic uses Claude, an AI model made by Anthropic, to read your messages, understand your business, and generate the text and design of your website. To do this, we send the content of your conversation, the photos you upload, and the data on your website to Anthropic's API.
Anthropic processes this data on our behalf to return a response, then deletes it according to their commercial API data policy. Anthropic does not use data submitted to its API to train its models. See Anthropic's privacy policy: https://www.anthropic.com/legal/privacy and their commercial terms for how API data is handled.
If you do not want your information processed by an AI provider, SiteMagic is not the right service for you, because the AI is the entire engine of how the service works.
5. Who we share your information with
We share your information with the following service providers ("sub-processors"), and only to the extent each one needs to do its job:
| Sub-processor | What we share | What it's used for | Location |
|---|---|---|---|
| Supabase | Conversation history, business information, photos, account records | Database and file storage | United States |
| Netlify | Your published website files (HTML, images, etc.) | Website hosting and content delivery | United States |
| Anthropic | Messages, photos, and site content sent for AI generation | AI text and image generation | United States |
| Stripe | Payment details (collected directly by Stripe), Stripe customer ID | Payment processing and subscription billing | United States |
| Telegram | Everything you send through @SiteMagicBot | Messaging transport (your own chat with the bot) | International |
| Namecheap (Premium only) | Domain registrant contact info | Domain registration on your behalf | United States |
| DigitalOcean | Infrastructure logs, error reports | Server hosting for the bot | United States |
| Google (Places API, only when you share a Google Maps link) | The Maps link or Place ID you share with the assistant | Fetching the business's public Google Maps listing (address, hours, photos, reviews) to help draft your site | United States |
We do not share your information with advertisers, data brokers, or marketing companies. We do not sell your information to anyone, and we have never done so.
Internal access by SiteMagic team members. Most customer interactions are handled entirely by the AI assistant without any human reading the messages. However, authorized SiteMagic team members may access your conversation history, business information, and account data when:
- You request human support and the assistant escalates the conversation to a human operator who takes over the chat. When this happens, the messages you send are forwarded to the operator until the human ends the session and the assistant resumes.
- We are investigating a bug, error, or technical issue that affects your account.
- We are reviewing the quality of AI-generated responses to improve the service.
We minimize this access and only authorized team members of Odyssean LLC have it.
We may also disclose information if we are legally required to (for example, a valid court order or subpoena), if it is necessary to protect the rights, safety, or property of SiteMagic or others, or as part of a business transfer (for example, if Odyssean LLC is acquired). In a business transfer, the new owner would be bound by the same privacy commitments.
6. International data transfers
Odyssean LLC is based in the United States. Most of our sub-processors store and process data in the United States. If you are located outside the United States — including in the European Economic Area, the United Kingdom, or elsewhere — your information will be transferred to and processed in the United States and other countries where our service providers operate.
These countries may have different data protection laws than your own. Where required by law, we rely on appropriate transfer mechanisms — such as Standard Contractual Clauses approved by the European Commission — through our agreements with sub-processors.
7. How long we keep your data
| Type of data | Retention |
|---|---|
| Active customer data (conversations, sites, business info, photos) | For as long as your account is active |
| After cancellation | 90 days, then deleted, unless you ask us to delete sooner or to keep it longer |
| Financial transaction records (invoices, payment records) | As long as required by US tax and accounting law (typically 7 years) |
| Server logs and operational events | Up to 90 days |
| Marketing site data | Not currently collected |
If you ask us to delete your data sooner, we will do so within 30 days, except for records we are legally required to retain.
8. Information collected by websites we build for you
This section is important if you build a website with SiteMagic, because it describes data that flows through your website, not just data about you as a SiteMagic customer.
8.1 What is collected
Every website we publish for you includes a small piece of code that records each page view to our database. The information recorded is:
- Which of your pages was viewed
- The site identifier (so we know which customer's site it belongs to)
- The referring URL (where the visitor came from, if their browser sent it)
- The screen width of the visitor's device
We do not collect IP addresses, browser cookies, user agents, geolocation, fingerprints, or any information that directly identifies the visitor. There are no tracking cookies and no third-party advertising trackers in the sites we generate.
Our visitor analytics are first-party only — the data is collected by a small script we wrote and stored in our own database. We do not use Google Analytics, Plausible, Facebook Pixel, or any other third-party analytics service to track visitors of the websites we build.
8.2 Who is responsible for this data
When someone visits your website, you (the SiteMagic customer) are the data controller for that visitor information under data protection laws such as the GDPR. SiteMagic acts as a data processor on your behalf — we collect and store the information so that you can see how your site is being used.
This means: if your website serves visitors from the European Union, the United Kingdom, California, or other jurisdictions with privacy laws, you are responsible for having your own privacy policy on your site that discloses what is collected. We will help you add a simple privacy notice to your site if you ask.
8.3 Visitor rights
If you are a visitor to a website built by SiteMagic and you have questions about the data collected, please contact the website owner directly — they are the controller of that data. If you cannot reach them, you may contact us at team@sitemagic.co and we will pass your request on or assist as a processor.
9. Your rights
Depending on where you live, you may have the following rights regarding your personal information:
- Access — ask us what personal information we have about you
- Correction — ask us to correct information that is wrong
- Deletion — ask us to delete your information ("right to be forgotten" under the GDPR)
- Portability — ask us for a copy of your data in a machine-readable format
- Restriction — ask us to stop processing your information in certain ways
- Objection — object to processing based on legitimate interest
- Withdraw consent — where we rely on your consent, you can withdraw it at any time
- Complain — lodge a complaint with a data protection authority in your country (in the EU, this is your national supervisory authority)
To exercise any of these rights, email team@sitemagic.co or message @SiteMagicBot directly. We will respond within 30 days. We will not charge you for exercising your rights, and we will not retaliate against you for doing so.
California residents: under the California Consumer Privacy Act (CCPA/CPRA), you also have the right to know what categories of personal information we collect, the right to delete it, and the right to opt out of the "sale" or "sharing" of personal information. We do not sell or share your personal information for advertising purposes, so there is nothing for you to opt out of, but the right exists.
"Do Not Track" signals: because we do not track you across websites or use advertising cookies, our service does not respond to Do Not Track browser signals — there is no behavior to change.
10. Security
We take reasonable steps to protect your information:
- All data in transit is encrypted using HTTPS/TLS.
- Database access is restricted to the SiteMagic application using credentials stored in a server-side secrets file readable only by the service account.
- API keys and other secrets are not stored in code, logs, or version control.
- Customer data is scoped per account, so the AI assistant cannot access another customer's data.
- Payment information is handled entirely by Stripe under PCI DSS Level 1 compliance — card data never touches our servers.
No system is perfectly secure, and we cannot promise that information transmitted through the internet will always be safe. If we become aware of a security incident that affects your personal information, we will notify you and the relevant authorities as required by law.
11. Children's privacy
SiteMagic is intended for business owners and is not directed at children under the age of 13 (or under 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe a child has used SiteMagic and submitted personal information, contact us at team@sitemagic.co and we will delete it.
12. Third-party links
The websites we build for you, and our marketing site at sitemagic.co, may contain links to third-party services (for example, Google Maps, social media profiles, or external resources). We are not responsible for the privacy practices of those services. When you follow a link to a third-party site, that site's own privacy policy applies.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example when we add new features, change sub-processors, or in response to changes in the law. When we make material changes, we will:
- Update the "Effective date" at the top of this document
- Notify you through Telegram and/or by email if we have one for you
If you do not agree with the changes, you may cancel your subscription. Continued use of SiteMagic after a change means you accept the updated Policy.
14. Contact us
For any privacy question, request, or complaint:
- Email: team@sitemagic.co
- Telegram: @SiteMagicBot
- Mail: Odyssean LLC, 4730 University Way NE, Ste 104-5528, Seattle, WA 98105, United States
We will respond within 30 days.