Privacy Policy

Last updated: April 20, 2026 · Effective: April 20, 2026 · Governing law: Indiana, USA

This Privacy Policy explains how Rebuilt Studio (“Rebuilt Studio,” “we,” “us,” or “our”), a DBA operated by its owner, collects, uses, shares, and protects personal information in connection with rebuilt.studio and the services described in our Terms of Service. Please read this policy alongside the Terms. If a term is defined in the Terms and used here, it has the same meaning.

If anything in this policy is unclear or you want to exercise a privacy right, email the support address listed on rebuilt.studio.

01.

Who this policy applies to

This policy covers personal information we collect from:

  • Visitors to rebuilt.studio.
  • Buyers (and prospective buyers) of Site Files, Install, or Hosting and Edits.
  • End users who submit a contact form on a site we’ve delivered and/or host, but only with respect to the narrow pass-through described in Section 6.

This policy does not cover:

  • Personal information on third-party services linked from our site (those have their own policies).
  • Personal information processed on a site we delivered to a buyer after we’ve handed it off; the buyer is the controller of that data, not us.
  • Business information about companies we audit or evaluate as prospects, where that information is publicly available and no individual is identifiable beyond their public role.

02.

Information we collect

We try to collect as little as we need to run the business and deliver what you bought.

2.1 Information you give us

  • Checkout information. Name, business name, email address, billing address, and any other details you provide at checkout. Payment card data is entered directly into Stripe; we never see or store your card number, CVV, or full bank details.
  • Intake form information. After purchase, we collect details needed to build your site: business information, domain, email addresses for form routing, content materials you upload or link, brand assets, and preferences. Some of this will appear publicly on your delivered site because that’s what you asked for.
  • Support and correspondence. If you email us, we receive your email address, the contents of your message, and any attachments you include.
  • Opt-outs and rights requests. If you contact us to exercise a privacy right, we receive whatever information you include to verify your request.

2.2 Information we collect automatically

  • Website analytics on rebuilt.studio. We use Google Analytics to understand how visitors use our marketing site. Google Analytics collects information such as pages viewed, referring sites, approximate location (derived from IP address, not precise geolocation), device and browser type, session duration, and the timestamps of visits. Google Analytics uses cookies and similar technologies and assigns a pseudonymous identifier to each browser. We’ve configured Google Analytics with IP anonymization where available. Google may use this data for its own purposes as a separate controller; see Google’s Privacy Policy at policies.google.com/privacy. You can opt out of Google Analytics by installing the Google Analytics Opt-Out Browser Add-on at tools.google.com/dlpage/gaoptout or by using a tracker blocker.
  • Security and operational logs. Our hosting and infrastructure providers automatically log technical information (IP address, request paths, error traces) for security, fraud prevention, and debugging.

2.3 Information we do not intentionally collect

  • Sensitive personal information (race, religion, health, precise geolocation, biometric data, sexual orientation, etc.).
  • Information from anyone under 18.
  • Children’s data. rebuilt.studio is not directed to children, and we do not knowingly collect information from anyone under 13 (or under 16 in jurisdictions where that’s the applicable threshold). If you believe a child has provided us information, email us and we’ll delete it.

03.

How we use information

We use the information we collect to:

  • Run the business: process payments, deliver Site Files, run Install, provide Hosting and Edits, respond to support requests, issue refunds, and send transactional emails (receipts, delivery notifications, intake links).
  • Protect the business: detect and prevent fraud, abuse, security incidents, and violations of our Terms; resolve disputes; enforce our agreements.
  • Improve the product: understand which marketing pages convert, debug issues, and improve our service based on aggregated, non-identifying analytics.
  • Comply with law: meet tax, accounting, recordkeeping, subpoena, and regulatory obligations.
  • Market our own service, narrowly: we may feature the public-facing, non-confidential elements of your delivered site (design, layout, public screenshots, live URL) in our portfolio under Section 4 of the Terms. You may opt out at any time. We do not send unsolicited marketing email. If we ever introduce a newsletter or similar, it will be opt-in.

We do not use your information to build profiles for sale, to target advertising, or to train AI models on your confidential content. See Section 8.

04.

Legal bases for processing (EU/UK visitors)

If you are located in the European Economic Area, United Kingdom, or Switzerland, we process your personal data under the following legal bases:

  • Performance of a contract (Art. 6(1)(b) GDPR), to deliver what you purchased.
  • Legitimate interests (Art. 6(1)(f)), to run and protect the business, maintain security, and conduct narrow marketing of our own services. We’ve balanced these interests against your rights and believe they are not overridden.
  • Legal obligation (Art. 6(1)(c)), for tax, accounting, and lawful requests.
  • Consent (Art. 6(1)(a)), where we ask you to opt in (e.g., a future newsletter). You may withdraw consent at any time without affecting prior lawful processing.

See Section 11 for your EU/UK rights.

05.

Who we share information with

We don’t sell personal information. We share it only with the service providers and parties listed below, and only as needed to operate.

5.1 Service providers ("processors")

| Provider | Role | What they touch |
|---|---|---|
| Stripe | Payment processing | Checkout PII, billing address, card data (held by Stripe, not us) |
| Resend | Transactional email | Email addresses and message contents for receipts, delivery, intake links, and contact-form forwards |
| Supabase | Database and authentication | Buyer records, intake tokens, prospect data, operational logs |
| Vercel | Application hosting for rebuilt.studio | Technical logs, request data |
| Cloudflare | DNS, CDN, and hosting for delivered sites under Install | Technical logs, request data |
| GitHub | Source code repositories and template forks | Buyer business name and domain (on repo metadata); no payment or sensitive data |
| OpenAI / Anthropic | AI model providers used in the build pipeline | Prompt data used to generate site copy and design; we do not send payment data, and we avoid sending sensitive personal content |
| Google Analytics (Google LLC) | Website analytics for rebuilt.studio | Pseudonymous usage data, IP-derived approximate location, cookies; no payment or intake data. Google acts as a separate controller for its own purposes. |

Each provider is bound by its own terms and a data-processing relationship with us. We try to choose providers with strong security postures; we do not independently audit them.

5.2 Professional advisors

Lawyers, accountants, and similar advisors, under confidentiality obligations, when needed to run the business.

5.3 Legal and safety

We may disclose information when we have a good-faith belief it’s required to: comply with applicable law or a lawful request (subpoena, court order, regulatory demand); enforce our Terms; protect the rights, property, or safety of Rebuilt Studio, our users, or the public; or investigate fraud or security incidents.

5.4 Business transfers

If Rebuilt Studio is acquired, incorporated into a new entity, merged, or sells substantially all of its assets, personal information may be transferred to the successor, subject to the commitments in this policy (or equivalent commitments).

5.5 What we don’t do

We do not sell personal information in exchange for money. We do not “share” personal information for cross-context behavioral advertising as those terms are defined under the California Privacy Rights Act (CPRA). We do not permit our service providers to use your personal information for their own marketing.

06.

Contact forms on delivered sites: we manage the pipe, we don’t take the data

When we deliver a site with a contact form, submissions from visitors to that site transit our infrastructure in a narrow pass-through: from the site’s form, through a shim at rebuilt.studio/shim/contact-form.js, to our /api/leads endpoint, to Resend, which delivers the submission to the email address the buyer configured.

We manage the process. We do not take the information.

  • We do not read, store, mine, analyze, profile, sell, share, or otherwise use contact-form submissions for our own purposes.
  • We do not retain contact-form submissions beyond the brief moment needed to forward them. Transient fraud/abuse logs (IP address, timestamp, size) may be kept short-term for security but are not used to build any profile of the submitter.
  • The buyer (site owner) is the data controller of the submitted lead information. They decide why it’s collected and what happens after it reaches their inbox. Their own privacy policy governs that use.
  • Rebuilt Studio acts as a processor solely for the pass-through, under the buyer’s instructions.
  • If you are a site visitor submitting a form on a site we delivered and you want your information removed or have questions about its use, contact the site owner directly. If we can help you reach the right party, email our support address.

07.

How long we keep information

We keep personal information only as long as we need it for the purposes in Section 3, or as required by law.

  • Checkout and order records: retained for at least 7 years to meet U.S. tax and accounting requirements.
  • Intake and project files: retained for up to 2 years after Delivery so we can help with follow-up questions or re-deliver if needed, then deleted or anonymized unless you’re on an ongoing Hosting or Edits plan.
  • Support correspondence: retained for up to 3 years.
  • Website analytics: retained in aggregated form; raw logs kept no longer than 90 days.
  • Contact-form pass-throughs: transient; forwarded and then discarded from our systems, except for short-term fraud/abuse logs.
  • Marketing opt-outs and rights requests: retained as long as needed to honor your request.

You can ask us to delete earlier (see Section 11); we’ll do so unless law requires retention.

08.

Security

We use reasonable technical and organizational safeguards to protect personal information, including:

  • TLS/HTTPS on all public endpoints.
  • Access controls, rotated credentials, and principle-of-least-privilege for our own systems.
  • Relying on reputable providers (Stripe, Supabase, Cloudflare, Vercel, Resend) that maintain industry-standard security programs.
  • Minimizing what we collect and how long we keep it.

No system is perfectly secure. If we become aware of a breach that materially affects your personal information, we’ll notify you without undue delay, consistent with applicable law.

8.1 Your credentials are your responsibility: rotate them after Install

If you purchase Install, we may temporarily hold or create credentials on your behalf to deploy your site: hosting account logins, DNS API tokens, email-sending API keys, domain registrar access, analytics accounts, or similar. We use these credentials only to complete Install and hand off the working setup to you.

Once Install is complete, you are responsible for rotating every credential we touched.

This means changing passwords, regenerating API keys and tokens, revoking any OAuth grants we used, and removing any temporary collaborator access we were given on your accounts. We recommend doing this within 7 days of handoff.

We do not retain your account sign-in credentials after Install. We do not keep a copy of your hosting password, your DNS tokens, your domain registrar login, your email API keys, or any other credentials on your third-party accounts. We cannot recover them for you, and we will not be able to access your accounts later even if you ask us to. If you need ongoing help managing your accounts, that’s what optional Hosting and Edits is for, and we’ll agree separately about what access we’ll hold.

This shared-responsibility model is important: it limits your exposure if our systems are ever compromised, and it keeps control of your business firmly in your hands.

09.

International transfers

We operate from the United States, and most of our service providers operate in the United States. If you access our services from outside the U.S., your information will be transferred to, stored in, and processed in the United States.

For personal data subject to EU/UK/Swiss law, we rely on appropriate transfer mechanisms (such as the EU Standard Contractual Clauses) offered by our service providers, or we rely on your informed consent where applicable. If you want details about the mechanism for a specific transfer, email us.

10.

U.S. state privacy rights

This section applies to residents of U.S. states that grant specific privacy rights, including California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with comparable laws (collectively, “State Privacy Laws”).

10.1 Categories of personal information (California CCPA/CPRA)

In the last 12 months, we have collected the following categories of personal information:

  • Identifiers (name, email, business name, IP address).
  • Commercial information (purchase history, checkout details).
  • Internet or network activity (pages viewed, referring URLs, device/browser info).
  • Geolocation (coarse/approximate, derived from IP).
  • Customer records (billing information, Stripe-held card tokens).
  • Inferences drawn from the above, limited to aggregated analytics about our audience.

Sources: directly from you; automatically from your interactions with rebuilt.studio; from our service providers (e.g., Stripe provides confirmation and fraud signals).

Business purposes for collection: operating the service (Section 3), security, fraud prevention, and legal compliance.

Categories disclosed to service providers for business purposes: all of the above are disclosed to service providers listed in Section 5.1, solely for the purposes listed there.

Sale or sharing: we do not sell or share personal information as those terms are defined under the CPRA. We do not use personal information for cross-context behavioral advertising.

10.2 Your rights

Subject to verification of your identity and to applicable exceptions under the relevant State Privacy Law, you may have the right to:

  • Know / access the personal information we hold about you, the categories we collect, and how we use it.
  • Correct inaccurate personal information.
  • Delete personal information we hold about you.
  • Port your personal information in a machine-readable format.
  • Opt out of the sale or sharing of personal information (even though we do not sell or share).
  • Opt out of “targeted advertising” and “profiling” with legal or similarly significant effects (we do not conduct either).
  • Limit the use of sensitive personal information (we do not collect sensitive personal information as defined by the CPRA).
  • Appeal a denied request, in states that provide an appeal right.

We will not discriminate against you for exercising these rights.

10.3 How to exercise your rights

Email the support address on rebuilt.studio with the subject line “Privacy Rights Request” and include:

  • Your full name and the email address associated with any account or purchase.
  • The specific right you want to exercise.
  • Enough detail for us to verify your identity (we may ask follow-up questions).

Authorized agents. You may designate an agent to make a request on your behalf. We’ll require written proof of the agent’s authority and may still verify your identity directly.

Timing. We’ll confirm receipt within 10 business days and respond substantively within 45 days (extendable once by 45 days if reasonably necessary, with notice to you).

10.4 "Do Not Sell or Share My Personal Information"

We do not sell or share personal information for cross-context behavioral advertising. To formally submit a Do-Not-Sell/Share request anyway, email the support address on rebuilt.studio with the subject line “Do Not Sell or Share” and include the email address associated with your purchase or visit. We’ll confirm your election in writing and apply it going forward.

We honor Global Privacy Control (GPC) signals where technically feasible; sending a GPC signal from your browser will be treated as a Do-Not-Sell/Share request for that browser.

10.5 "Shine the Light" (California Civil Code § 1798.83)

California residents may request a list of third parties to which we have disclosed personal information for the third parties’ direct-marketing purposes in the preceding calendar year. We don’t disclose personal information for third-party direct marketing, but if you want a written confirmation, email the support address with the subject line “Shine the Light Request.”

11.

EU/UK/Swiss privacy rights

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the GDPR and UK GDPR, subject to conditions and exceptions:

  • Access your personal data and receive a copy.
  • Rectification of inaccurate or incomplete data.
  • Erasure ("right to be forgotten") in certain circumstances.
  • Restriction of processing in certain circumstances.
  • Portability of data you provided to us, in a structured, machine-readable format.
  • Object to processing based on our legitimate interests.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with your local data protection authority.

To exercise these rights, email the support address on rebuilt.studio with the subject line “GDPR Rights Request” and include the email address associated with your account or purchase. We’ll respond within one month, extendable by two additional months for complex requests.

Controller identity. For EU/UK/Swiss purposes, Rebuilt Studio, the DBA identified above, is the controller of your personal data. We do not currently have an EU or UK representative; if you want to contact us, please email us directly.

12.

Your choices

  • Email. We don’t send unsolicited marketing email. Transactional email (receipts, delivery, support) is essential to the service and can’t be opted out of while your engagement is active.
  • Analytics and cookies. Our marketing site uses Google Analytics. You can opt out by installing the Google Analytics Opt-Out Browser Add-on (tools.google.com/dlpage/gaoptout), using a tracker blocker, disabling cookies in your browser, or sending a Global Privacy Control signal (which we honor where technically feasible). Blocking analytics won’t affect your ability to purchase.
  • Portfolio opt-out. Per Section 4 of the Terms, email us at any time to be removed from our portfolio.
  • Account/data removal. Email us to request deletion of your account data, subject to the retention requirements in Section 7.

13.

Third-party links and services

Our site and delivered products may link to or rely on third-party sites and services. We’re not responsible for the privacy practices of those third parties. Review their privacy policies before using them.

14.

Accessibility

We aim to make this policy accessible. If you have difficulty reading it, email us and we’ll provide it in an alternative format.

15.

Changes to this Privacy Policy

We may update this policy from time to time. The “Last updated” date at the top will reflect the latest revision. If we make material changes, we’ll notify you by email (for active customers) or a prominent notice on rebuilt.studio, and, where required by law, obtain your consent.

16.

Contact

Questions, rights requests, or concerns about this Privacy Policy:

  • Email: the support address listed on rebuilt.studio.

Subject-line shortcuts:

  • General privacy questions → "Privacy Question"
  • State-law rights request → "Privacy Rights Request"
  • Do Not Sell or Share → "Do Not Sell or Share"
  • GDPR/UK GDPR request → "GDPR Rights Request"
  • Shine the Light (California) → "Shine the Light Request"
  • Portfolio opt-out → "Portfolio Opt-Out"

We’ll confirm receipt within 10 business days and respond substantively within the timeframe required by the applicable law (typically 45 days for U.S. state laws and 30 days for GDPR/UK GDPR).