At Tilkly we take your privacy seriously. This policy explains what personal information we collect, how we use it, and what rights you have when you use our website builder at tilkly.com.
Data Controller: Tilkly is operated by EI Jyoti SINGH, Toulouse, France. Questions? Email privacy@tilkly.com.
Information We Collect
| Category | What it is | Where it comes from |
|---|---|---|
| Account data | Your name and email address | You, when you register |
| Site content | HTML, CSS, images, and files you upload or generate | You, during site creation |
| Configuration | Subdomain, custom domain, site settings, theme preferences | You, in Settings |
| Domain purchases | Registrant contact details, selected domain, purchase status, Stripe checkout IDs, and Name.com order IDs | You, when buying a domain |
| Technical logs | IP address, HTTP method, response code, request duration | Server logs (automatic) |
| Abuse reports | Reported URL, category, description, optional reporter email, reporter IP (hashed) for moderation | Visitors who submit the report form |
| Contact form submissions | Data submitted through forms on your published site (visitor name, email, message), privacy acknowledgement metadata, optional marketing opt-in, and a hashed IP for abuse prevention | Visitors to your site |
| Security & audit logs | IP address, action performed, timestamp — logged on every authenticated action | Auto-generated per request |
| Analytics (optional) | A GA4 Measurement ID you provide; nothing collected if you leave it blank | You, in Settings |
| AI-generated content |
Text prompts you submit are sent to Google Vertex AI (Gemini). We don’t store raw prompts in the shared cache. Recent account-scoped history is kept briefly to support your workflow. Google Gemini Paid API: Your prompts are not used to train Google’s models. We still recommend keeping prompts free of personal data. |
You, when using AI generation |
| Payment data (AI credits) | Stripe handles card details directly. We only receive a Stripe customer reference, the amount, and a session ID. We never see full card numbers. | You, at checkout (processed by Stripe) |
| Stripe Connect account | If you connect Stripe to accept visitor payments, we store your Stripe account ID to route transfers and apply our 1.5% platform fee. We don’t access your balance or payouts. | You, via “Connect with Stripe” in Settings |
Payments and Stripe
We use Stripe as our sole payment processor for two distinct flows:
- AI credit purchases. Tilkly is the merchant of record. We receive the session ID, amount, currency, and your user ID — no card data.
- Visitor payments via Stripe Connect. If you enable payments on your site, you become the merchant of record for your visitors. Tilkly facilitates the checkout, deducts a 1.5% platform fee, and routes the rest to your Stripe account. You are the data controller for your visitors’ payment data.
Stripe processes data in the US and other jurisdictions, relying on Standard Contractual Clauses for cross-border transfers.
We retain payment records (session ID, amount, status, timestamps) for at least seven years for tax and anti-fraud compliance. Card numbers are never stored by Tilkly.
How We Use Your Information
- To run the service: host your site, authenticate you, and serve your published pages to visitors.
- To communicate with you: send transactional emails like one-time login codes. No marketing emails without your explicit consent.
- To improve things: analyse aggregated, anonymised usage patterns to spot bugs and improve performance.
- To comply with the law: retain logs as required and respond to valid legal requests.
Legal Basis for Processing (GDPR)
- Contract performance (Art. 6(1)(b)): account creation, site hosting, and publishing your pages.
- Legitimate interest (Art. 6(1)(f)): security logging, rate-limiting, and abuse prevention.
- Consent (Art. 6(1)(a)): first-party analytics (revocable via cookie banner) and AI template generation.
- Legal obligation (Art. 6(1)(c)): responding to lawful data requests.
When You Are the Data Controller
When visitors submit a contact form on a site you built with Tilkly, you are the data controller and Tilkly acts as your data processor. We store those submissions so you can view them in your dashboard. We don’t use that data for any other purpose.
As the controller, it’s your responsibility to have a valid legal basis and a privacy notice for your own visitors.
Servers & International Transfers
Your published site files are stored on Cloudflare R2 (globally distributed). Your account data is stored in a database hosted on:
- Paris, France (Hostinger VPS): serving all global traffic. As this server is in the European Economic Area, no cross-border transfer is required for this processing.
All data is encrypted in transit. We do not sell, rent, or share your personal data with advertising networks or data brokers.
How Long We Keep Your Data
- Account data: kept for the life of your account and permanently deleted within 24 hours of account deletion (database records instantly; published files on R2 within 30 days).
- Security & audit logs: IP addresses and action logs are auto-purged after 24 hours.
- Form submissions: stored until you delete them from your dashboard, or until account deletion — with an automatic 180-day maximum.
- Abuse reports: raw reporter email and IP are redacted after 30 days. Hashed IPs and report data are kept up to 365 days for moderation and legal safety.
- Published files & uploads: deleted from active storage when you remove a page, media file, or account. CDN and backup copies expire through their normal windows.
- Automated backups: kept on a rolling 7-day window (28 snapshots at 6-hour intervals), then permanently deleted.
- Server access logs: retained for up to 30 days before rotation.
Cookies & Local Storage
We set only what’s necessary:
- Authentication cookie (HttpOnly, Secure): your session JWT.
sb-lang: language preference (30 days, strictly necessary).sb_consent_v2: cookie consent preference (1 year, set only if you accepted).- CSRF token (session, HttpOnly): security token to protect form submissions.
We also store non-sensitive UI state (e.g., selected page ID) in localStorage.
- First-party analytics (page view counts) are only collected when you’ve accepted cookies via the consent banner. No fingerprinting. No cross-site tracking.
- We do not load Google AdSense or other advertising scripts on Tilkly pages.
If you add a GA4 ID in your site settings, the tracking script is injected into your published site behind Tilkly’s analytics consent gate. Under GDPR, you are responsible for getting cookie consent from your own visitors.
For full details, see our Cookie Policy.
Your Rights
Request a copy of all personal data we hold about you.
Update inaccurate data directly in Account Settings.
Delete your account and all data instantly from Account Settings → Delete My Account.
Export your site data anytime using the Export function in your dashboard.
Object to or restrict certain processing by contacting us.
Email privacy@tilkly.com for any request. We’ll respond within one month (up to three months for complex requests, with prior notice).
Security
- Authentication uses one-time codes sent to your email. No passwords stored anywhere.
- All traffic is encrypted via TLS 1.2+ (managed by Caddy with automatic HTTPS).
- JWT access tokens are short-lived (15 minutes); refresh tokens are rotated on every use.
- Rate limiting is applied to auth endpoints to block brute-force attacks.
- Security headers (CSP, HSTS, X-Frame-Options, etc.) are set on all responses.
No system is 100% secure. If you find a vulnerability, please disclose it responsibly to security@tilkly.com.
Children’s Privacy
Tilkly is not directed at children under 16. We don’t knowingly collect personal data from anyone under 16. If we discover that we have, we’ll delete it promptly.
Data Breach Notification
If a breach is likely to put your rights at risk, we’ll notify affected users without undue delay and inform the relevant supervisory authority within 72 hours of becoming aware. We’ll reach you at the email address associated with your account.
Sub-processors
| Company | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | CDN, R2 object storage, DNS, DDoS protection | Global (US HQ) SCC |
| Hostinger VPS | Compute and database hosting | Paris, France EU |
| Google Cloud Platform | Backup storage, Vertex AI | europe-west9 (Paris, France) EU |
| Name.com | Domain registration and DNS setup | US SCC |
| Stripe | Payment processing (AI credits, domain checkout, Stripe Connect) | US SCC |
| Spaceship (Spacemail) | Transactional email (OTP, notifications) | EU (Lithuania) EU |
EU No cross-border transfer SCC Transfer covered by Standard Contractual Clauses
Changes to This Policy
We may update this Privacy Policy occasionally. We’ll let you know about significant changes by posting the updated version here and updating the “Last updated” date. Where the law requires it, we’ll ask for fresh consent before changes take effect. Simply continuing to use the Service is not treated as consent under the GDPR.
Contact Us
We’re a small team and we actually read our email.
- 🔒 Privacy questions: privacy@tilkly.com
- 💬 General support: support@tilkly.com
- 🔐 Security issues: security@tilkly.com