Privacy Policy

1. Scope

This policy explains how SiteRecs collects, uses, and protects personal data when you use our marketing site, signup/login flows, and the SiteRecs application.

2. Who we are

SiteRecs is the data controller for personal data processed under this policy, except where we act as a processor for customer-owned project data entered into the app.

Contact: hello@siterecs.com

3. Data we collect

• Account and profile data: name, email, password auth data, organisation details, and user role.
• Operational data: project records, RAMS content, form submissions, signatures, photos, attachments, and uploaded files.
• Billing data: plan/tier, subscription status, and billing identifiers from Stripe (we do not store full card details).
• Communications data: support emails, contact form messages, and demo booking information you submit.
• Usage and device data: page path, referrer, user agent, and campaign attribution parameters (such as UTM fields and click IDs).
• Security data: session/auth metadata and CAPTCHA verification tokens.

4. How we use data

• Provide and secure the SiteRecs service, including authentication and access control.
• Store, render, and export RAMS/forms, including PDF generation and job-pack workflows.
• Process subscriptions, billing, invoices, trials, and account lifecycle events.
• Send operational emails (for example account, onboarding, and submission-related emails).
• Improve product performance, reliability, and UX using product analytics and diagnostics.
• Prevent abuse, fraud, and unauthorized access.

Where applicable, we rely on contract performance, legitimate interests, legal obligations, and consent (for specific optional marketing activity).

5. AI-assisted features

SiteRecs includes optional AI assistance for drafting RAMS-related content. When used, relevant prompt data is sent to our AI provider to generate draft output.

You remain responsible for reviewing and approving all generated content before operational use. Do not include unnecessary sensitive personal data in AI prompts.

6. Service providers and sharing

We use vetted providers to deliver the service, including:

• Supabase (authentication, database, and storage)
• Vercel (application hosting and delivery)
• Stripe (subscription billing and customer portal)
• Mailgun (transactional email delivery)
• OpenAI (AI drafting features)
• Cloudflare Turnstile (CAPTCHA/bot protection)
• Calendly (demo booking, when you choose to book)

We may also share data where required by law, regulation, legal process, or to protect rights, safety, and platform integrity.

7. Cookies and similar technologies

• Essential auth/session cookies are used for secure sign-in and account access.
• Referral attribution cookies may be used during signup when referral links are used.
• Marketing attribution data (for example UTM parameters) is captured for campaign performance analysis.

8. Data retention

We retain personal data for as long as needed to provide the service, maintain security, comply with legal/accounting obligations, and resolve disputes. We delete or anonymize data when it is no longer required.

9. International transfers

Because our providers may operate in multiple countries, personal data may be processed outside your country. We use appropriate safeguards where required by applicable data protection law.

10. Security

We implement technical and organizational measures designed to protect data, including access controls, environment-based secrets, and platform-level security controls. No system can guarantee absolute security.

11. Your rights

Depending on your location, you may have rights to access, correct, delete, restrict, object to, or port your personal data, and to withdraw consent where processing is consent-based.

To exercise rights, contact hello@siterecs.com.

12. Children

SiteRecs is intended for business users and is not directed to children.

13. Changes to this policy

We may update this policy from time to time. Material changes will be reflected on this page with an updated effective date.