Privacy Policy — publishwith.ai

        This policy explains how publishwith.ai collects, uses, and protects your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Italian Personal Data Protection Code (Legislative Decree 196/2003 as amended by Decree 101/2018).
      

1. Data Controller

The data controller is:

Stefano Straus
Email: privacy@publishwith.ai
Country: Italy

For any privacy-related request, contact us at privacy@publishwith.ai.

2. Data We Collect

2.1 Account data

Email address and display name (provided at registration)
Password hash (bcrypt — we never store plain-text passwords)
Account tier and registration timestamp

2.2 Social login data

If you sign in via GitHub or Google, we receive your email address and public profile name from their OAuth2 flow. We do not store OAuth tokens beyond the session.

2.3 Usage and audit data

App publish events (timestamp, version, actor identity)
App access events (timestamp, IP address, user agent)
Share link access (timestamp, IP address — for leak detection)
Admin actions (tenant changes, user management)

2.4 Technical data

IP address (used for rate limiting and security; not stored beyond log retention)
HTTP access logs (retained for 30 days, then deleted)
Session tokens (stored as signed cookies, expire per session or after 24 hours)

2.5 Payment data

Billing is handled by Stripe, Inc. We store only your Stripe customer ID and subscription status. We never receive or store full card numbers. Stripe's privacy policy applies to payment data: stripe.com/privacy.

2.6 Data you publish

HTML files, databases, and other content you publish via MCP tools are stored on our servers as part of the service. This content is your data — we process it only to provide the service and do not analyse or mine it.

3. Legal Basis for Processing

Processing activity	Legal basis (GDPR Art.)
Account creation and authentication	Art. 6(1)(b) — performance of a contract
Sending transactional emails (verification, warnings)	Art. 6(1)(b) — performance of a contract
Audit logging and security	Art. 6(1)(f) — legitimate interest (security, abuse prevention)
Billing and payment processing	Art. 6(1)(b) — performance of a contract
Inactivity warnings and account deletion (Free tier)	Art. 6(1)(b) — performance of a contract
Responding to legal requests	Art. 6(1)(c) — legal obligation

4. Data Retention

Data type	Retention period
Account data	Duration of account + 30 days after deletion
Free tier inactive accounts	Deleted 33 days after last activity (30-day warning + 3-day grace)
Audit logs	30 days (Team), 1 year (Enterprise), 7 days (Free)
HTTP access logs	30 days
Published app content	Until you delete the app or close your account
Backup snapshots	7 days rolling
Stripe billing records	As required by Italian tax law (10 years)

5. Data Sharing and Sub-processors

We do not sell your data. We share data only with the following sub-processors to operate the service:

Sub-processor	Purpose	Location
Oracle Cloud Infrastructure (OCI)	Server hosting and storage	EU (Frankfurt)
Stripe, Inc.	Payment processing	USA (SCCs applied)
Resend, Inc.	Transactional email delivery	USA (SCCs applied)
GitHub / Google	Optional social login (OAuth2)	USA (SCCs applied)

Transfers to the USA are covered by Standard Contractual Clauses (SCCs) pursuant to GDPR Art. 46(2)(c).

6. Your Rights

Under GDPR, you have the following rights:

Access (Art. 15) — request a copy of your personal data
Rectification (Art. 16) — correct inaccurate data
Erasure (Art. 17) — request deletion of your account and data
Restriction (Art. 18) — request we limit processing of your data
Portability (Art. 20) — receive your data in a machine-readable format
Objection (Art. 21) — object to processing based on legitimate interest
Withdraw consent — where processing is based on consent, you may withdraw at any time

To exercise any of these rights, email privacy@publishwith.ai. We will respond within 30 days.

You also have the right to lodge a complaint with the Italian supervisory authority:
Garante per la protezione dei dati personali — garanteprivacy.it

7. Security

We implement appropriate technical and organisational measures to protect your data, including:

TLS encryption in transit (enforced via HSTS)
Data at rest on encrypted volumes
Per-tenant and per-app data isolation
bcrypt password hashing
HMAC-signed session tokens and share links
Audit logging of all sensitive actions
Rate limiting on all public endpoints

8. Cookies

We use only strictly necessary cookies. See our Cookie Policy for details.

9. Children

The service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a minor has registered, contact us at privacy@publishwith.ai and we will delete the account promptly.

10. Changes to this Policy

We may update this policy as the service evolves. If changes are material, we will notify registered users by email at least 30 days before the new policy takes effect. The current version is always available at publishwith.ai/privacy.html.