Privacy Policy

Effective 2026-05-07 · Available in English / ภาษาไทย

We respect your privacy. This policy explains what we collect, how we use it, who we share it with, how long we keep it, and what rights you have under Thailand's Personal Data Protection Act (PDPA).

Table of contents
  1. Who We Are
  2. What We Collect
  3. How We Use Your Data
  4. Legal Basis (PDPA)
  5. Subprocessors
  6. International Transfers
  7. Your Rights
  8. How Long We Keep Data
  9. Cookies
  10. Security
  11. Children
  12. Changes to This Policy

01. Who We Are

This Privacy Policy explains how SiteBlox (“we”, “us”, or “SiteBlox”) collects and uses personal data. We are the data controller for the information you provide when you create a SiteBlox account or use our service.

For privacy questions, requests, or complaints, contact privacy@siteblox.ai.

02. What We Collect

We collect only what we need to run the service:

  • Account data — your email address, optional name, password hash (we never store the plaintext), and the auth methods you have used (email + password, Google sign-in).
  • Project data — the brand names, prompts, generated code, uploaded images, and form submissions of the websites you create.
  • Billing data — your Stripe customer ID, plan, and payment history. We do not store full card numbers or PromptPay credentials — Stripe handles that on its side.
  • Usage data — which features you use, when, the browser and operating system, IP address (for security and rate-limiting), and any errors that surface in the application (sent to Sentry).
  • Communications — emails you send to support, and our replies.

03. How We Use Your Data

  • To provide the service — authenticate you, generate sites, deploy them, send transactional emails (welcome, billing receipts, password reset).
  • To process payments via Stripe.
  • To monitor security, detect abuse, and investigate incidents.
  • To improve the product — analyse aggregated usage and error patterns to fix bugs and prioritise features.
  • To comply with applicable law (tax records, requests from law enforcement supported by valid legal process).

05. Subprocessors

We share data with the following providers, only as needed to run the service:

  • Anthropic (US) — runs the AI agent. Receives your prompts and any project context the agent needs to generate code. Does not retain prompts for model training without consent under our enterprise terms.
  • Vercel (US) — hosts the SiteBlox app and your generated websites.
  • Cloudflare (US) — DNS for your custom subdomain and DDoS protection.
  • Stripe (US / Ireland) — payment processing for cards and PromptPay.
  • Resend (US) — transactional email delivery.
  • Sentry (US) — error monitoring. Stack traces and request metadata; no payment data, no AI prompt content.
  • Upstash Redis (Singapore) — operational data store (sessions, project files, queue jobs).
  • Pollinations.ai — image generation when you ask the agent to make pictures.

Each provider is bound by their own privacy commitments and, where appropriate, a data processing agreement with SiteBlox.

06. International Transfers

Some of our subprocessors are located outside Thailand. Where data is transferred internationally, we rely on safeguards permitted by PDPA — typically Standard Contractual Clauses or the provider's equivalent — and only transfer what is necessary to deliver the service.

07. Your Rights

Under PDPA, you have the right to:

  • Access — request a copy of the data we hold about you.
  • Correct — ask us to fix data that is inaccurate or out of date.
  • Delete — close your account and have your data erased (subject to legal retention obligations).
  • Export — receive your data in a portable format.
  • Restrict — ask us to pause certain processing in specific circumstances.
  • Object — object to processing based on legitimate interest.
  • Withdraw consent — for any processing where consent is the legal basis.

To exercise any of these rights, email privacy@siteblox.ai from the email associated with your account. We respond within 30 days. You also have the right to complain to the Personal Data Protection Committee (PDPC) of Thailand.

08. How Long We Keep Data

  • Account data — as long as your account is active. After deletion, we keep data for 30 days (in case you change your mind) and then erase it.
  • Project data — same 30-day grace period after account closure.
  • Billing records — kept for the period Thai tax law requires (currently 7 years).
  • Server logs — 90 days, then automatically purged.
  • Error reports (Sentry) — 90 days.

09. Cookies

SiteBlox uses a minimal set of first-party cookies:

  • Session cookie — keeps you signed in. Required.
  • Locale cookie — remembers whether you prefer Thai or English. Required for the localised UI.

We do not use third-party tracking or advertising cookies. Sentry error monitoring is tunneled through our own domain, so no cross-site cookie is set on your browser.

10. Security

We use HTTPS for all traffic, encrypt data at rest with our providers' default mechanisms, store passwords as scrypt hashes (not plaintext), and apply per-IP and per-account rate limiting on the AI agent endpoint to prevent abuse. Errors are monitored in real time so we can respond to incidents quickly.

No system is perfectly secure. If we ever experience a data breach that affects your personal data, we will notify you and the PDPC as required by law.

11. Children

SiteBlox is not directed at children under 13. We do not knowingly collect personal data from children under 13 without parental consent. If you believe we have collected such data, please contact privacy@siteblox.ai and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy. For material changes we will notify active users by email at least 30 days before the new version takes effect. The current version is always at siteblox.ai/privacy.

Questions about this document? Email legal@siteblox.ai. Operated by SiteBlox · Bangkok, Thailand.