Privacy Policy
ScaffolderJS ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information.
This Privacy Policy explains how Fleur Lamont Ltd ("we," "us," or "our") collects, uses, stores, and shares your personal data when you use ScaffolderJS at scaffolderjs.com (the "Service"). We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are
Fleur Lamont Ltd is a company registered in the United Kingdom. We are the data controller for the personal data processed through the Service, meaning we determine the purposes and means of processing your data.
Contact: [contact email]
If you have any questions or concerns about how we handle your data, or if you wish to exercise any of your rights, please contact us using the details above.
2. What Data We Collect
We collect the following categories of personal data. For each category, we have set out the lawful basis under UK GDPR that we rely upon for processing.
2.1 Account Data
| Data | Details | Lawful Basis |
|---|---|---|
| Name | Your full name, provided at registration | Performance of contract |
| Email address | Used for login, account management, and communications | Performance of contract |
| Password | Stored as a bcrypt hash; we never store your password in plain text | Performance of contract |
| Google account identifier | If you choose to sign in with Google OAuth | Performance of contract (with your consent to use Google sign-in) |
2.2 Business Descriptions and Generated Content
| Data | Details | Lawful Basis |
|---|---|---|
| Business descriptions | Text you provide describing your business, services, and requirements | Performance of contract |
| Generated site content | HTML, CSS, JavaScript, and text content produced by the Service based on your inputs | Performance of contract |
| AI-generated images | Images produced by DALL-E based on prompts derived from your inputs, stored in your private library | Performance of contract |
2.3 Uploaded Media
| Data | Details | Lawful Basis |
|---|---|---|
| Uploaded images and files | Media you upload to the Service for use in your Generated Sites | Performance of contract |
2.4 Payment Data
| Data | Details | Lawful Basis |
|---|---|---|
| Payment status and history | Subscription tier, billing dates, payment success/failure status, invoice references | Performance of contract |
| Stripe customer identifier | A reference linking your account to your Stripe payment profile | Performance of contract |
We do not collect, process, or store your payment card details. All card information is handled entirely by Stripe under their own PCI-DSS compliant systems.
2.5 Usage Data
| Data | Details | Lawful Basis |
|---|---|---|
| Site generation activity | Number of sites generated, templates selected, export actions taken | Legitimate interest (service operation and abuse prevention) |
| Feature usage | Which tools and features you interact with within the Service | Legitimate interest (service improvement) |
2.6 Technical Data
| Data | Details | Lawful Basis |
|---|---|---|
| IP address | Collected automatically when you access the Service | Legitimate interest (security and abuse prevention) |
| Browser type and version | Collected automatically via standard HTTP headers | Legitimate interest (compatibility and troubleshooting) |
| Device information | Operating system and device type | Legitimate interest (compatibility and troubleshooting) |
2.7 Session Cookies
| Data | Details | Lawful Basis |
|---|---|---|
| Session cookie | An essential cookie used to maintain your authenticated session while you use the Service | Legitimate interest (necessary for the Service to function) |
We use essential cookies only. We do not use analytics, advertising, or tracking cookies. See Section 9 for further details.
3. How We Use Your Data
We use your personal data for the following purposes:
3.1 Providing the Service
We process your account data, business descriptions, and uploaded media to generate websites, store your projects, and enable you to edit and export your Generated Sites.
3.2 Managing Your Account
We use your name, email address, and payment data to maintain your account, manage your subscription, process payments, and send transactional communications (such as payment confirmations and subscription renewal notices).
3.3 Communicating With You
We may use your email address to send you important service-related notices, including changes to these terms, security alerts, and responses to support enquiries. We will not send unsolicited marketing emails without your explicit consent.
3.4 Improving the Service
We may use anonymised and aggregated usage data to analyse how the Service is used, identify technical issues, and improve functionality. This aggregated data cannot be used to identify you personally.
3.5 What We Do Not Do
- We do not sell your personal data to any third party, under any circumstances.
- We do not use your Content to train our own AI models. Your business descriptions, Generated Sites, and uploaded media are processed solely to provide the Service to you.
4. AI-Specific Disclosures
4.1 How AI Processing Works
When you use the Service to generate a website, we send prompts derived from your inputs (including your business descriptions and selected preferences) to the following third-party AI providers:
- OpenAI -- for content generation (GPT) and image generation (DALL-E)
- Anthropic -- for content generation (Claude)
These prompts may include information you have provided about your business. The AI providers process these prompts and return generated text and images, which we then incorporate into your Generated Site.
4.2 Third-Party AI Privacy Policies
OpenAI and Anthropic each maintain their own privacy policies governing how they handle data received through their APIs. We encourage you to review these policies:
- OpenAI Privacy Policy: https://openai.com/privacy
- Anthropic Privacy Policy: https://www.anthropic.com/privacy
4.3 Community Library
AI-generated images are stored in your private library by default. If you choose to opt in to sharing an image to the community library, that image becomes visible to and usable by other users of the Service. You may remove your shared images from the community library at any time. Community library sharing is entirely voluntary.
5. Data Sharing
We share personal data only with the third parties listed below, and only to the extent necessary for the stated purpose.
| Third Party | Data Shared | Purpose |
|---|---|---|
| Stripe | Payment information, email address, Stripe customer ID | Payment processing and subscription management |
| OpenAI | AI prompts derived from your business descriptions and preferences | Content and image generation |
| Anthropic | AI prompts derived from your business descriptions and preferences | Content generation |
| OAuth token, email address (if you use Google sign-in) | Account authentication | |
| Form providers (e.g., Formspree, Getform) | None from us directly | You may configure these on your exported sites; any form submissions go directly to the provider, not through us |
We do not share your personal data with any other third parties except where required by law (for example, in response to a court order or regulatory request).
6. Data Storage and Security
6.1 Where Your Data Is Stored
Your data is stored on servers located in the United Kingdom. All data is encrypted in transit using HTTPS/TLS.
6.2 Security Measures
We implement the following security measures to protect your data:
- Password hashing: All passwords are hashed using bcrypt before storage. We never store passwords in plain text.
- Encryption in transit: All communications between your browser and our servers are encrypted using HTTPS/TLS.
- Payment security: Payment card details are handled entirely by Stripe, which is PCI-DSS Level 1 certified. Card data never passes through or is stored on our servers.
- Regular backups: We perform regular backups of our systems to protect against data loss.
- Access controls: Access to personal data within our systems is restricted to authorised personnel on a need-to-know basis.
6.3 Security Limitations
While we take reasonable precautions to protect your data, no system is completely secure. We cannot guarantee absolute security and are not liable for breaches resulting from circumstances beyond our reasonable control.
7. Data Retention
We retain your data for the following periods:
| Data Category | Retention Period |
|---|---|
| Active account data | Retained for as long as your account remains active |
| Data after account cancellation | Retained for 90 days following cancellation, then permanently deleted |
| Community library images | Retained until you remove them or we remove them at our discretion |
| Payment and transaction records | Retained for 6 years after the transaction, in accordance with UK tax and accounting obligations (HMRC requirements) |
| Anonymised and aggregated data | May be retained indefinitely, as it cannot be used to identify you |
After the applicable retention period, your personal data is permanently deleted from our systems and backups.
8. Your Rights Under UK GDPR
Under the UK General Data Protection Regulation, you have the following rights in relation to your personal data. To exercise any of these rights, please contact us at [contact email].
8.1 Right of Access
You have the right to request a copy of the personal data we hold about you. We will respond to your request within one month.
8.2 Right to Rectification
You have the right to request that we correct any personal data that is inaccurate or incomplete. You can update most account information directly through your account settings.
8.3 Right to Erasure
You have the right to request that we delete your personal data. We will comply with your request unless we have a lawful reason to retain it (for example, to comply with tax record-keeping obligations).
8.4 Right to Restrict Processing
You have the right to request that we restrict the processing of your personal data in certain circumstances, such as while we verify the accuracy of your data following a dispute.
8.5 Right to Data Portability
You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
8.6 Right to Object
You have the right to object to processing of your personal data where we rely on legitimate interest as our lawful basis. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
8.7 Right to Withdraw Consent
Where we process your data based on consent (for example, optional Google OAuth sign-in), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
8.8 Right to Complain
If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: https://ico.org.uk
- Telephone: 0303 123 1113
We encourage you to contact us first so that we can try to resolve your concern directly.
9. Cookies
9.1 Essential Cookies Only
We use a single essential session cookie to keep you logged in while you use the Service. This cookie is strictly necessary for the Service to function and does not track your activity across other websites.
9.2 No Analytics or Tracking Cookies
We do not use analytics cookies, advertising cookies, or any form of cross-site tracking.
9.3 Stripe.js
On pages where you enter payment information, Stripe's JavaScript library (Stripe.js) may set its own cookies as part of its fraud detection and payment processing functionality. These cookies are governed by Stripe's privacy policy and cookie policy.
10. Children
The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have collected data from a child under 18, we will take steps to delete that data promptly. If you believe a child under 18 has provided us with personal data, please contact us at [contact email].
11. International Transfers
11.1 Transfers Outside the UK
Your data is primarily stored on servers in the United Kingdom. However, certain third-party services we use are based in the United States:
- OpenAI (United States) -- receives AI prompts for content and image generation
- Anthropic (United States) -- receives AI prompts for content generation
- Stripe (United States) -- processes payment data
11.2 Safeguards
Where personal data is transferred outside the United Kingdom to countries that do not benefit from a UK adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the Information Commissioner's Office, or other appropriate safeguards as required by UK GDPR, to ensure that your data receives an adequate level of protection.
12. Changes to This Privacy Policy
12.1 Notification of Changes
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. If we make material changes, we will notify you by email at the address associated with your account before the changes take effect.
12.2 Last Updated Date
The "Last updated" date at the top of this policy indicates when it was most recently revised. We encourage you to review this policy periodically.
Contact
If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have a concern about how we handle your data, please contact us at [info@scaffolderjs.com].
Last updated: 2026-03-11
For privacy inquiries, please contact us at info@scaffolderjs.com