← Back to Webstew

Privacy Policy

Effective 2026-05-13

This Privacy Policy explains how Remodely LLC ("Webstew," "we," "us") collects, uses, shares, and protects personal information when you use the Webstew website at webstew.net, the Webstew mobile applications for iOS and Android (when published), and related services (collectively, the "Service"). This policy applies to information processed in connection with the Service, including all of our web and mobile surfaces.

We are the controller of your personal information for purposes of the EU/UK GDPR and the business under the California Consumer Privacy Act (CCPA/CPRA).

1. Information We Collect

1.1 Information you give us

  • Account information: name, email address, password (hashed with bcrypt — we never store plaintext passwords), and optional profile photo.
  • Authentication identifiers: when you sign in with Google, GitHub, or (in the mobile app) Apple, we receive your name, email, profile photo, and a stable unique identifier from that provider.
  • Payment information: billing name and a Stripe customer identifier. We do not store payment card numbers — Stripe processes all card data directly under PCI-DSS compliance.
  • Content you create: prompts you type, websites/apps generated through the Service, HTML / CSS / JS you save or import, images you upload, templates you choose, CMS items, project names, and configuration choices.
  • Communications: support emails, feedback, survey responses.
  • Form submissions on sites you build: if you publish a site through Webstew that uses our hosted form-submission endpoint, the submissions from visitors to your site (typically: name, email, message, plus the submitting visitor's IP and user agent) are stored in our database so you can retrieve them from your account.
  • Bring-Your-Own credentials: API keys for third-party services you connect (Anthropic, OpenAI, Google, Render, GitHub, Stripe Connect, etc.). These are encrypted at rest using AES-256-GCM with keys we control and are only decrypted in memory at the moment a call is made on your behalf.

1.2 Information collected automatically

  • Usage data: pages visited, features used, prompts entered, generation counts, deploy events, errors. We use this to operate the Service, track usage limits, and improve the product.
  • Device and browser data: browser type, operating system, screen resolution, time zone, language preference, referring URL, IP address.
  • Mobile device data (in our mobile app): device model, OS version, app version, language, time zone, anonymous device identifier (IDFV on iOS, Android Advertising ID with your consent), and crash diagnostic data.
  • Cookies and similar technologies: see Section 6.
  • Microphone audio (mobile app, voice feature only): when you tap the microphone button to use voice-driven building, we capture audio and send it to a speech-to-text provider for transcription and to a large language model for response generation. Microphone access is request-only — we never listen passively. Audio is transmitted over TLS and is not stored after the request completes (see retention below).
  • Push notification tokens (mobile app): if you grant push permission, we store an opaque device token from Apple Push Notification Service (APNs) or Firebase Cloud Messaging (FCM) so we can send service-related notifications (e.g., generation finished, deploy succeeded, form submission received).
  • Camera and photo library (mobile app, on request): if you choose to upload an image, the mobile app may request access to your camera or photo library. We only access images you explicitly select — we do not scan your photo library otherwise.

1.3 Information we do NOT collect

We do not knowingly collect precise device location, contacts, calendar, health data, financial account credentials, or biometric identifiers. We do not engage in cross-app advertising tracking — see Apple App Tracking Transparency below.

2. How We Use Information

We use personal information to:

  • Provide the Service: generate websites from your prompts, route content through AI providers, host previews, deliver form submissions, run the grader and other tools, deploy sites to your hosting providers.
  • Authenticate and secure: verify your identity, prevent abuse, detect fraud, enforce rate limits and usage caps, investigate security incidents.
  • Bill: process subscriptions and pay-as-you-go usage via Stripe, send receipts, send dunning emails on payment failure.
  • Communicate: send transactional notifications (account, billing, deploys, form submissions), respond to support requests, and — with your separate opt-in — send product updates and marketing.
  • Improve: aggregate, anonymized analytics to understand which features are used and where users get stuck. We do not use the content of your prompts or generated sites to train our AI models, and we instruct our AI providers not to train on your content (subject to their terms — see Section 4).
  • Comply with law: respond to lawful requests, enforce our Terms of Service, defend legal claims, prevent harm.

If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases:

  • Contract: to provide the Service you signed up for (creating an account, running generations, billing).
  • Legitimate interests: securing the Service, preventing fraud, basic product analytics, customer support.
  • Consent: optional marketing emails, push notifications, microphone access, camera access, non-essential cookies. You can withdraw consent at any time.
  • Legal obligation: tax records, compliance with court orders.

4. Sharing and Third-Party Processors

We share personal information only with the categories below and only as needed to operate the Service.

4.1 Service providers (processors)

We use the categories of processors below to operate Webstew. The named examples are illustrative and not exhaustive — we engage additional service providers, sub-processors, and integration partners from time to time as the Service scales and as the AI and cloud ecosystems evolve. Each processor is bound by a Data Processing Agreement when applicable. We will update this section to reflect material additions and, where required by law, notify you.

  • AI generation: includes OpenAI (LLC, US), Anthropic (PBC, US), Google LLC (Gemini), xAI Corp (US — Grok models), and additional large language model, embedding, image, voice, and video providers we may add as we expand model coverage. Your prompts and generated content are sent to these providers under their API terms. We have configured API requests so providers do not retain your data for training purposes, subject to each provider's published terms.
  • Hosting and infrastructure: includes Render Services Inc. (US), MongoDB Atlas (MongoDB Inc., US, hosted on AWS), Cloudflare Inc. (US — DNS, CDN, email routing), Amazon Web Services Inc. (US — Simple Email Service for transactional email, S3 object storage when used), and similar providers we may engage for redundancy, regional coverage, or new features.
  • Payments: Stripe Inc. (US), and equivalent processors we may add for regional coverage or App Store / Play Store in-app purchases. Payment processors are typically independent controllers of payment data under their own privacy policies.
  • Speech and voice (mobile/voice feature): includes OpenAI Whisper (transcription), and additional speech-to-text, text-to-speech, and real-time voice providers we may add. Audio is processed and discarded.
  • Analytics and error monitoring: Sentry (Functional Software Inc., US) for error reporting. We aggregate usage metrics internally and may add a privacy-respecting analytics provider; we do not use cross-site advertising trackers.
  • OAuth identity providers: includes Google, GitHub, Apple (in the mobile app), and additional identity providers we may add.
  • Push notifications: Apple Push Notification Service (Apple Inc., US) and/or Firebase Cloud Messaging (Google LLC, US).
  • App distribution: Apple App Store (Apple Inc.) and Google Play (Google LLC) — they receive your purchase information when you buy through their stores; we receive billing reports.
  • Integration platforms: where you choose to connect a third-party account through Webstew (for example, your Gmail, Stripe, Calendly, Google Calendar, Slack, Shopify, or similar service), we may use an integration broker such as Composio (Composio AI Inc., US) to securely store the OAuth credentials you authorize and to relay your actions to the connected service. The connected service is itself a third party — your information shared with that service is governed by its own privacy terms.

For a current snapshot of named sub-processors and to request a list of additions made since you last reviewed this Policy, email privacy@remodely.ai.

4.2 Business transfers

If Webstew is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred to the successor entity. We'll notify you (by email or in-product) before your information becomes subject to a different privacy policy.

4.3 Legal disclosures

We may disclose personal information in response to a subpoena, court order, or other lawful request, or where we believe disclosure is necessary to (a) comply with law, (b) protect the rights or safety of Webstew, our users, or the public, (c) prevent fraud or abuse, or (d) enforce our Terms.

4.4 What we don't do

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising (within the meaning of California's CCPA/CPRA). We do not allow third parties to track you across other sites or apps via the Service.

5. Data Retention

  • Account information: retained for as long as you have an account and for up to 90 days after deletion (to allow restoration if you change your mind). Billing records are retained as required by tax law (typically 7 years).
  • Your generated content (projects, prompts, sites): retained while your account is active. Deleted projects are removed from production databases within 30 days; backups retain copies for up to 90 days.
  • Form submissions on sites you build: retained for the life of the project unless you delete them. We auto-purge submissions after 18 months of inactivity unless your plan includes longer retention.
  • Preview snapshots (links shared via /preview/[token]): auto-deleted 7 days after creation via a MongoDB TTL index.
  • Voice / microphone audio: processed in-memory and discarded immediately after transcription. We do not persist raw audio.
  • Logs and analytics: aggregated and retained up to 13 months; raw IP logs purged after 90 days.
  • BYO API keys: retained encrypted as long as you keep them connected. Deleted within 30 days of disconnecting.

6. Cookies and Local Storage

We use the following first-party cookies and browser storage:

  • Authentication session (`next-auth.session-token`, required): keeps you logged in. Essential — cannot be disabled.
  • Anti-abuse counters (`wsanon`, etc.): tracks free-generation usage for anonymous users so we can enforce free-trial limits. Essential.
  • Theme preference (`webcraft-theme` in localStorage): remembers light/dark mode choice. Functional, not personal information.
  • Workspace autosave (`webstew-autosave` in localStorage): your in-progress work, saved locally on your device only. Never transmitted to us.

We do not use third-party advertising cookies. You can clear cookies and local storage in your browser settings at any time; doing so will sign you out and clear local drafts.

7. Your Rights (GDPR / UK GDPR)

If you are in the EEA, UK, or Switzerland, you have the right to:

  • Access the personal information we hold about you;
  • Rectify inaccurate or incomplete information;
  • Erase your personal information ("right to be forgotten"), subject to our legal obligations;
  • Restrict processing in certain circumstances;
  • Object to processing based on legitimate interests, including for direct marketing;
  • Portability — receive a machine-readable copy of information you've given us;
  • Withdraw consent where we rely on consent (you can change your mind anytime);
  • Lodge a complaint with your local data protection authority.

To exercise these rights, email privacy@remodely.ai. We respond within 30 days. We may need to verify your identity before fulfilling a request.

8. Your Rights (California CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose;
  • Access a copy of your personal information;
  • Delete your personal information, subject to exceptions;
  • Correct inaccurate information;
  • Opt out of sale or sharing — we don't sell or share your personal information for cross-context behavioral advertising, so there's nothing to opt out of, but we honor browser-based Global Privacy Control signals where technically possible;
  • Non-discrimination for exercising your rights — we won't charge you more or give you less service.

To exercise these rights, email privacy@remodely.ai. You may use an authorized agent; we'll verify the agent's authority.

Categories of personal information collected in the past 12 months: identifiers (name, email, IP), commercial information (purchases), internet activity (usage), audio (microphone, in voice feature), inferences (usage patterns), professional info (if you self-identify), and the content you create through the Service. We disclose the categories described in Section 4 to the processors listed there for the business purposes described in Section 2. We do not sell or share personal information.

9. Apple App Tracking Transparency (ATT) and Mobile Privacy

Our iOS app does not request permission to track you across other apps and websites. We do not use IDFA for cross-app advertising. If Apple's ATT prompt appears, it is because of a third-party SDK and your choice will be honored.

We declare the following data types collected in our Apple App Store privacy label (and the equivalent Google Play Data Safety section):

  • Contact info: name, email — linked to identity, used for app functionality and account.
  • Identifiers: user ID, device ID (IDFV on iOS) — linked to identity, used for app functionality and analytics.
  • Purchases: purchase history — linked to identity, used for app functionality.
  • User content: prompts, generated sites, photos you upload, audio (during voice use only) — linked to identity, used for app functionality.
  • Usage data: product interaction, crash data — linked to identity, used for app functionality and analytics.
  • Diagnostics: crash logs — not linked to identity, used for analytics.

None of the above is used for advertising or third-party advertising tracking.

10. Security

We protect personal information with industry-standard safeguards: TLS 1.2+ in transit, AES-256 encryption at rest for BYO API keys, bcrypt password hashing, role-based access control for our staff, secret rotation, infrastructure separation by environment, and monitoring for suspicious activity. No system is perfectly secure — if a breach affects your personal information, we will notify you and applicable regulators as required by law.

11. International Transfers

Webstew is based in the United States, and our processors are primarily located in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States and other countries that may have data-protection laws different from your country.

For transfers from the EEA, UK, or Switzerland to the United States, we rely on the Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Addendum, or equivalent mechanisms.

12. Children's Privacy

Webstew is not directed to children under 13 (or 16 in jurisdictions where that is the digital age of consent). We do not knowingly collect personal information from children under those ages. If you believe a child has provided us with personal information, contact us at privacy@remodely.ai and we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we'll notify you by email or in-product before the changes take effect, and we'll update the Effective Date at the top of this page. Continued use of the Service after the effective date constitutes acceptance.

14. Contact

For privacy questions or to exercise your rights, email privacy@remodely.ai or write to:

Remodely LLC
Attn: Privacy — Webstew
Arizona, United States

EU/UK representative: if you are in the EU/UK and would like to contact a representative under Article 27 GDPR, email us and we will provide current representative details on request.

This Privacy Policy is a first-draft template intended to cover the major required disclosures under GDPR, CCPA/CPRA, and the Apple App Store / Google Play data-safety frameworks. It does not constitute legal advice. We recommend you have it reviewed by licensed counsel familiar with privacy law in the jurisdictions where you operate before launching commercially or submitting an app for review. © 2026 Remodely LLC. All rights reserved.