Privacy Policy

Last updated: 2026-05-19

This policy explains what information Styka collects, why we collect it, and who we share it with. We aim to keep it short and concrete.

1. Information we collect

Account info

  • Sign in with Google: we receive your name, email address, and Google profile photo from Google OAuth. We don't see your Google password.
  • Sign in with email (magic link): we receive only your email address. No password, no profile photo.

Business data you generate sites from

  • The Google Maps URL or business name you enter, used to look up publicly available business info via Google Places API: business name, address, hours, photos, ratings, reviews, category, geocoordinates.
  • Reviews: we read your public Google reviews and display a selection of them on your site — the reviewer's name, star rating, review text, and how long ago it was posted (not reviewer profile photos). We store the reviews shown on your site and your aggregate star rating, together with the timestamp of the Places API fetch that produced them. Every review links back to Google. See styka.ai/compliance for technical details.
  • Photos: photos from your Google Business profile are downloaded once at generation and stored in our Amazon S3 bucket (us-east-2 region) so we can serve them quickly without proxying every pageview through Google. Photos sourced from Google appear with Google Maps attribution, and you can replace them with your own uploads in the editor before you publish (see /compliance).

Site content you edit

  • Custom text you type into the editor, photos you upload, and theme/color choices.

Technical info

  • IP address, user agent, timestamps of requests (in server logs)
  • Approximate country derived from your IP — used to bias the business search to your region (not stored long-term)
  • A session cookie (HttpOnly, host-scoped to the domain you signed in on) that keeps you logged in

2. How we use your info

  • To generate, host, and serve your business website
  • To send you transactional email (magic-link sign-in, cancellation grace-period reminders)
  • To diagnose issues, prevent abuse, and keep the service running
  • To improve the product (e.g., looking at aggregate generation outcomes — never to read your edits or share your data)

We do not sell your information. We do not use your data to train third-party AI models. We do not run ads against your account.

3. Legal basis for processing

Where applicable under data-protection law (including the GDPR and UK GDPR), we process your personal data on one or more of the following legal bases:

  • Performance of a contract — necessary to provide the Services, maintain your account, process payments, deliver generated websites, host them, connect custom domains, and support exports.
  • Legitimate interests — necessary to secure, maintain, improve, troubleshoot, and administer the Services, prevent abuse, detect fraud, enforce our Terms, and communicate with you about service-related matters.
  • Compliance with legal obligations — necessary to comply with applicable laws, regulations, legal processes, or governmental requests.
  • Consent — where required by law, including for certain cookies and any optional marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing already carried out.

4. Who we share with

Your data is processed by Styka and by a small set of trusted third-party sub-processors, each operating under industry-standard data-processing terms (SOC 2 / ISO 27001 certified where applicable). The current sub-processor list:

  • Google — OAuth sign-in and Google Maps Platform / Places API. Google is the source of the public business listing data your site is built from. (policy)
  • Anthropic — large language model API processes generation requests (site copy, theme extraction, review insights). Anthropic operates under their commercial API terms, which exclude customer API content from being used to train shared models. (policy)
  • Amazon Web Services (AWS) — S3 object storage for migrated photos (us-east-2 region). (policy)
  • Railway — application hosting and managed MySQL database. (policy)
  • Resend — transactional email delivery (magic-link sign-in, cancellation reminders, "your site is ready" notifications). (policy)
  • SerpAPI — extended Google review data (Pro / Business tiers only). Operates on business-public records only; we send a placeId and receive review text we paraphrase into themes — we don't share user-personal data. (policy)
  • Stripe — payment processing for paid plans (when billing is enabled). Card data goes directly to Stripe; we never see or store full card numbers. (policy)

We may add or replace sub-processors over time; this list is current as of the "Last updated" date at the top of this page and is the authoritative source. If you need a stable point-in-time snapshot for procurement or compliance review, email [email protected].

We may also disclose information when required by law (subpoena, court order) or to protect rights, property, or safety. We'll push back on overbroad requests when appropriate.

5. Cookies

Essential cookies (always on). An HttpOnly, host-scoped session cookie keeps you signed in, plus a short-lived security cookie during Google sign-in. These are strictly necessary, so they don't require consent.

Analytics (only with your consent). We use Google Analytics to understand site traffic; it sets analytics cookies (such as the “_ga” cookie) and loads only after you click Accept on our cookie banner. You can decline, or change your choice anytime via “Cookie settings” in the footer — declining turns Google Analytics off and removes its cookie. We also use Umami, a privacy-friendly analytics tool that sets no cookies.

Sites you create. Generated customer sites are static HTML — they don't set cookies on your visitors unless you add them yourself.

6. How long we keep data

  • Active accounts: we keep your data as long as your account is active.
  • Cancelled accounts: sites remain in read-only mode for 30 days. After that, your account, sites, and uploaded photos are permanently deleted.
  • Server logs: kept for ~30 days for debugging and security, then rotated out.
  • Backups: our managed database keeps automated recovery snapshots for up to 7 days.

7. Your rights

You can:

  • Access the data you've provided (most of it is visible in your dashboard)
  • Correct it by editing your site or account profile
  • Delete a site any time from your dashboard
  • Delete your entire account by emailing [email protected] — we'll process within 30 days
  • Request an export of your data — email us and we'll respond within 30 days
  • Opt out of non-essential email (transactional sign-in / billing email is required for the service)

If you're in the EU/UK, you also have rights under GDPR (lawful basis: contract performance for service emails, legitimate interests for security/diagnostics). If you're in California, you have rights under CCPA. Contact us to exercise either.

8. Security

We use HTTPS for all traffic, host-only session cookies, server-side HTML sanitization for any user-supplied content, and least-privilege IAM for our cloud resources. We have a public security contact at /.well-known/security.txt following RFC 9116. No system is perfectly secure — if you discover a vulnerability, please report it to [email protected].

9. International transfers

Styka's infrastructure runs primarily in the United States. Some of our sub-processors operate globally. By using Styka, you consent to your data being processed outside your country of residence. Where required, we rely on standard contractual clauses or equivalent mechanisms with our sub-processors.

10. Children

Styka isn't intended for users under 18. We don't knowingly collect data from children. If you believe a child has signed up, contact us and we'll delete the account.

11. Changes to this policy

We may update this policy occasionally. For material changes, we'll email active users at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

12. Data Protection Officer

If you have questions or concerns regarding this Policy, your personal information, or how we may use it, please write to our Data Protection Officer at [email protected].

If you're in the EU or UK and you believe our processing of your personal data infringes applicable data-protection law, you have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the United Kingdom, the CNIL in France, the Garante in Italy, the Data Protection Commission in Ireland).

13. Contact

Questions about this policy or your data? [email protected]