Privacy Policy

Last updated: March 2026

§ 1 Overview

Protecting your data is a core priority. This Privacy Policy explains what data we collect when you use Wondersites, how we process it, and what rights you have.

Wondersites is an API-first static site generation platform for businesses. We process limited personal data (user accounts and authentication) alongside business data (templates, site configurations, and compiled sites). This Privacy Policy covers both categories.

§ 2 Data Controller

The data controller within the meaning of the GDPR is:

SKAJ Ventures GmbH
Sonnenlandstraße 4
14471 Potsdam
Germany

Managing Director: Stefan Köhn
Email: datenschutz@wondersites.com

§ 3 Data We Collect

We collect and process the following categories of data:

Data category | Examples | Purpose
Account data | Name, email address, hashed password | Authentication, account management
Template data | ZIP archives of Handlebars templates and assets | Site generation
Site configurations | JSON payloads (location info, branding, content) | Site generation and hosting
Build logs | Build status, error messages, timestamps | Debugging, service quality
API usage | API key hash, last used timestamp | Security, rate limiting
Login events | User ID, timestamp | Security audit trail
Payment data | Subscription status, billing history (via Stripe) | Subscription management

We do not collect IP addresses in our application logs, do not use tracking cookies, and do not perform behavioral analytics.

§ 4 Legal Basis for Processing

We process your data based on the following legal grounds under the GDPR:

  • Art. 6(1)(b) GDPR — Contract performance: Processing account data, templates, and site configurations to provide the Service.
  • Art. 6(1)(f) GDPR — Legitimate interest: Login event logging for security and fraud prevention; rate limiting to protect service integrity.
  • Art. 6(1)(c) GDPR — Legal obligation: Retention of billing data in accordance with German tax regulations (§ 147 AO).

§ 5 Account Data and Authentication

During registration, we collect your name, email address, and a password. The password is stored exclusively as a bcrypt hash — we never have access to your plaintext password.

Authentication is handled via NextAuth v5 with JWT-based session management. Your email address is used for:

  • Login and account recovery
  • Email verification
  • Notifications about contract changes (e.g., Terms updates, billing events)

We do not send marketing emails. All email communication is transactional.

§ 6 Template and Site Data

Templates (ZIP archives) are stored in Vercel Blob storage, scoped by account. Compiled sites (static HTML) are stored in Vercel Blob storage, scoped by identifier.

Site configurations are JSON payloads that typically contain business data: location addresses, branding, opening hours, and similar information. If your site configurations contain personal data (e.g., staff names, contact details, or photos), you are the data controller for that data and Wondersites acts as the data processor. A Data Processing Agreement (DPA) is available on request.

§ 7 API Usage and Build Logs

API keys are hashed using SHA-256 before storage. Only the key prefix is stored for identification purposes. We track when each API key was last used for security monitoring.

Build logs (status, error messages, timestamps) are retained for 12 months to support debugging and service quality, then automatically purged. Live sites are not affected by log purging.

§ 8 Cookies and Local Storage

Wondersites uses only strictly necessary cookies:

Cookie | Purpose | Duration
Session cookie | Authentication (JWT) | Session / max. 30 days

We do not use tracking cookies, third-party analytics cookies, or advertising cookies. No cookie consent banner is required as we only use strictly necessary cookies (ePrivacy Directive exemption).

§ 9 Third Parties and Data Processors

We use the following third-party services:

Provider | Purpose | Data | Location
Vercel | Hosting, Blob storage | Request data, templates, compiled sites | EU
Neon | PostgreSQL database | Account data, configs, build logs | EU
Stripe | Payment processing | Email, subscription status, payment method | EU (Ireland)
Upstash (QStash) | Background job queue | Build job payloads | EU

Data processing agreements pursuant to Art. 28 GDPR are in place with all processors. No personal data is transferred to countries outside the EU.

§ 10 Data Storage Location

All data is processed and stored on servers in the European Union. No data is transferred to countries outside the European Economic Area (EEA).

§ 11 Data Retention

We retain your data only as long as necessary for the respective purpose:

Data type | Retention period
Account data | Until account deletion
Templates and sites | Until account deletion
Site configurations | Until account deletion
Build logs | 12 months
Login events | 6 months
Verification tokens | 24 hours after expiry
Billing data (Stripe) | 10 years (§ 147 AO)

Free-tier accounts inactive for 24 months receive a warning email. If no activity occurs within 30 days of the warning, the account and all associated data are permanently deleted. Accounts with an active paid subscription are exempt from automated inactivity deletion.

Upon account deletion, all data — including templates, site configurations, compiled sites, API keys, and blob storage — is permanently and irreversibly deleted.

§ 12 Your Rights

Under the GDPR, you have the following rights:

  • Right of access (Art. 15 GDPR) — You can request information about the data we process about you.
  • Right to rectification (Art. 16 GDPR) — You can request correction of inaccurate data. You can update your profile information in the dashboard settings.
  • Right to erasure (Art. 17 GDPR) — You can request deletion of your data. You can delete your account via Settings > Data & Privacy.
  • Right to restriction (Art. 18 GDPR) — You can request restriction of processing.
  • Right to data portability (Art. 20 GDPR) — You can request your data in a machine-readable format.
  • Right to object (Art. 21 GDPR) — You can object to processing based on legitimate interests.
  • Right to lodge a complaint — You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is the Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg, Stahnsdorfer Damm 77, 14532 Kleinmachnow.

To exercise your rights, contact us at datenschutz@wondersites.com.

§ 13 Minimum Age

Wondersites is intended for persons aged 18 and older acting in a business capacity. We do not knowingly collect personal data from minors. If we become aware that a minor has created an account, we will promptly delete the account and associated data.

§ 14 Changes to This Privacy Policy

We reserve the right to update this Privacy Policy as needed, particularly when the Service or legal requirements change. Material changes will be communicated to you via email.

The current version is always available at wondersites.org/privacy.

§ 15 Contact

For questions about data protection or to exercise your rights, please contact:

SKAJ Ventures GmbH
Sonnenlandstraße 4
14471 Potsdam
Germany
Email: datenschutz@wondersites.com


This Privacy Policy was last updated in March 2026. For questions, please contact datenschutz@wondersites.com.