Privacy Policy
Last Updated: March 21, 2026
This Privacy Policy describes how RAPID DEV GROUP INC., an Ontario (Canada) corporation operating as Sitetra ("we," "us," or "our"), collects, uses, discloses, and protects your personal information when you use our platform at sitetra.com and any related services (collectively, the "Service").
Sitetra is a multi-tenant website building and management platform. We operate in a dual capacity:
- Data Controller: For users who create accounts directly with Sitetra (website operators, developers, and administrators).
- Data Processor: For end users of websites built and operated by our customers (website operators). In this capacity, the website operator is the data controller.
The English-language version of this Privacy Policy (en-CA) is the controlling and legally binding version. Translations are provided as a courtesy only.
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect: full name, email address, password (stored in hashed form only, never in plain text), phone number (optional), preferred language/locale, and username.
1.2 Authentication and Security Data
We collect data related to your authentication activity: login timestamps, IP addresses, user agent strings (parsed to identify browser, operating system, and device), approximate geolocation derived from IP addresses, OAuth tokens and profile identifiers (when using Google, Microsoft, Facebook, or GitHub sign-in), MFA configuration data, and new device detection records.
1.3 Billing and Payment Information
Payment processing is handled by third-party processors including Stripe, Square, PayPal, and Wise. We do not store full credit card numbers on our servers. We may store partial card information (such as the last four digits and card brand), billing addresses, and transaction records as provided by these processors. We also maintain credit account balances and complete credit transaction histories.
1.4 Content Data
We store content that you create and upload through the Service, including: web pages, blog posts, articles, and FAQs; product listings, SKU configurations, and inventory data; images, documents, and other file uploads (stored on Cloudflare R2, with redundant backup on Vultr Object Storage); website configurations, styles, templates, and design settings.
1.5 E-Commerce and Transaction Data
When Website Operators use e-commerce features, we process: shopping cart contents (items, quantities, prices), checkout information (customer name, email, shipping and billing addresses), order records (ticket numbers, status, payment status, items, totals, tax, discounts), coupon usage and redemption records, payment method details (tokenized, last four digits only), and refund histories.
1.6 CRM and Relationship Data
Website Operators may store customer relationship data including: contact information (names, emails, phone numbers, addresses), business account records and sub-accounts, communication history (emails, notes, tags), sales agent assignments, and relationship types and categories.
1.7 Reservation and Booking Data
When reservation features are used, we process: appointment dates, times, and durations, party sizes and seating preferences, special requests and notes, pre-authorization payment holds, reservation status and confirmation details, and restaurant table and shift configurations.
1.8 Review Data
When review features are enabled, we collect: star ratings and category ratings (quality, value, service, etc.), written review text, review photos (uploaded through the file system), reviewer identity (authenticated or anonymous, depending on operator configuration), and verification of purchase status.
1.9 Newsletter and Communication Data
For newsletter and email marketing features, we process: subscriber email addresses and preferences, segment assignments and subscription topics, email delivery tracking data (delivered, bounced, opened, clicked) received via email provider webhooks, unsubscribe records and consent history, and SMS delivery status records.
1.10 AI Interaction Data
When you use our AI-powered features, we collect: prompts and instructions you provide to AI services, AI-generated responses and content, token usage counts and estimated costs, the AI model and provider used, session identifiers and conversation history, and business context data (voice/tone guidelines, business descriptions) submitted by operators.
1.11 Audio Data
If you use speech-to-text features, audio recordings are processed via OpenAI Whisper API (external processing) or Speaches (self-hosted, on-premise processing). Audio data is used solely for transcription and is not retained after processing is complete.
1.12 Identity Verification Data
When identity verification is requested by a Website Operator, IDenfy may process: facial recognition scans, government-issued document images and extracted data (name, date of birth, sex, document type, document number), verification status (waiting, emailed, approved, suspected), AML screening results, and proof-of-address documents. Biometric data (facial recognition) is processed by IDenfy. Sitetra stores verification results and extracted personal data but does not store raw biometric data.
1.13 Analytics and Tracking Data
We collect website usage data including: page views and navigation paths, session identifiers and duration, browser fingerprints (via FingerprintJS, used for security and anonymous cart identification, not advertising), device type and screen information, referrer URLs, and locale/language preferences.
1.14 File Upload Data
For uploaded files, we store: file names, sizes, and MIME types, public/private access designation, associated metadata and tags, special file types (icons, logos, covers), and virus scan results.
1.15 Domain Registration Data
If you register a domain through the Service, WHOIS registration data is processed through EasyDNS or Cloudflare Registrar. This may include your name, organization, address, email, and phone number as required by domain registration regulations and ICANN policies.
1.16 Push Notification Data
If you enable push notifications, we store device tokens (endpoints and encryption keys) necessary to deliver notifications to your device.
1.17 Market and Financial Data
For websites using precious metals features, we process: real-time price feed data (gold, silver, platinum, palladium bid/ask prices), London Fix daily settlement prices, historical price chart data, and commodity market news.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Service Operation: To provide, maintain, and improve the Sitetra platform, including website building, content management, hosting, and multi-tenant infrastructure.
- AI Content Generation: To power AI-assisted features such as content creation, translation, SEO optimization, website building, speech-to-text transcription, and image analysis using third-party AI providers.
- E-Commerce Processing: To facilitate product management, shopping cart functionality, order processing, payment coordination, coupon management, and inventory tracking on behalf of Website Operators.
- Reservation Management: To process reservations, bookings, appointments, and calendar synchronization on behalf of Website Operators.
- Identity Verification: To facilitate KYC/AML verification when required by Website Operators, using IDenfy.
- Stock Image Licensing: To search, preview, license, and deliver stock images from Shutterstock.
- Domain Management: To register, renew, monitor, and manage domain names through EasyDNS or Cloudflare Registrar.
- Security: To protect accounts and the platform through ClamAV malware scanning, multi-factor authentication (MFA), browser fingerprinting for fraud detection, rate limiting, authentication logging, and IP-based geolocation.
- Billing and Payments: To process payments, manage credit accounts, handle auto-recharge, process monthly website billing, and maintain financial records.
- Transactional Communications: To send service-related emails and SMS messages, including account verification, password resets, billing notifications, security alerts, order confirmations, reservation confirmations, and abandoned cart recovery emails.
- Newsletter Delivery: To send marketing newsletters and email campaigns on behalf of Website Operators to their subscribed recipients.
- Push Notifications: To deliver billing alerts, order notifications, reservation confirmations, review notifications, and other real-time notifications.
- Analytics: To aggregate page views and events into daily and monthly summaries, providing Website Operators with traffic and usage insights.
- Calendar Synchronization: To sync reservation and event data with external calendar services via CalDAV protocol.
- Service Improvement: To analyze aggregated, anonymized usage data to improve features, performance, and user experience.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes.
3. How We Share Your Information
We do not sell your personal information.
We share information with the following categories of third parties only as necessary to provide and secure the Service:
3.1 AI Service Providers
- Anthropic (Claude): Content prompts and context data for AI generation.
- OpenAI: Content prompts, context data, and audio data for AI generation and speech-to-text.
- Google (Gemini): Content prompts and context data for AI generation.
- Ollama (self-hosted): Data stays on our infrastructure and is not transmitted externally.
3.2 Payment Processors
Stripe, Square, PayPal, and Wise for payment processing, subscriptions, and money transfers.
3.3 Communication Providers
Postmark and Mailgun for email delivery (including delivery status tracking). VoIP.ms for SMS delivery.
3.4 Domain Registrars
EasyDNS and Cloudflare Registrar for domain registration, renewal, and DNS management.
3.5 Stock Image Provider
Shutterstock for stock image search queries and image licensing.
3.6 Identity Verification
IDenfy for KYC/KYB/AML identity verification, facial recognition, and document verification.
3.7 Infrastructure Providers
Cloudflare for CDN, DNS, web application firewall, DDoS protection, and file storage (R2). Vultr for redundant backup file storage (New York, United States).
3.8 Analytics
Google Analytics (only when enabled by the Website Operator on their individual website).
3.9 OAuth/Authentication Providers
Google, Microsoft, Facebook, and GitHub for social login authentication (only when you choose to authenticate via these providers).
3.10 Website Operators
Website Operators receive their own customer data through the Platform's admin interface and API. Builders with cross-website access (via the builder assignment system) can view data across their assigned websites.
3.11 Legal Requirements
We may disclose your information if required to do so by law, court order, subpoena, or valid legal process, or if we believe in good faith that such action is necessary to: comply with a legal obligation, protect and defend the rights or property of RAPID DEV GROUP INC., prevent or investigate possible wrongdoing, or protect the personal safety of users or the public.
3.12 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Service before your information becomes subject to a different privacy policy.
4. Data Storage and Security
We implement appropriate technical and organizational measures to protect your personal information:
- Location: Our primary infrastructure is located in Canada (Ontario). File storage on Cloudflare R2 may be globally distributed. Redundant file backups are stored on Vultr Object Storage in the United States (New York).
- Database: Data is stored in PostgreSQL with UUID primary keys and enforced data type validation.
- Multi-Tenant Isolation: Data is logically isolated between websites using a websiteId-based architecture. Each website's data is separated and cannot be accessed by other tenants.
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS/HTTPS.
- Password Security: Passwords are stored using industry-standard bcrypt hashing. We never store plain-text passwords.
- API Credential Security: Third-party API keys and webhook secrets stored in per-website settings are encrypted at rest.
- Multi-Factor Authentication: MFA is available for all accounts and required for developer-level cross-website access.
- Malware Scanning: All uploaded files are scanned using ClamAV.
- Authentication: API access is secured using JWT (JSON Web Token) authentication with configurable expiry.
- Rate Limiting: Rate limits are applied to authentication endpoints, AI processing, and general API access to prevent abuse.
- CORS: Cross-Origin Resource Sharing restrictions are enforced based on website domains.
- Soft-Delete Architecture: Deleted records are initially soft-deleted (marked with a deletion timestamp) before permanent removal, providing a recovery window.
While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.
5. Data Retention
| Data Category | Retention Period |
|---|---|
| Active account data | Duration of your active account |
| Deleted account/website data | 90 days after deletion, then permanently removed |
| Billing and credit transaction records | Retained indefinitely (immutable financial records); 7 years minimum as required by Canadian tax law |
| Authentication logs | Configurable per website; default session lifetime applies |
| Email delivery histories | Retained for the lifetime of the website |
| SMS delivery histories | Retained for the lifetime of the website |
| Error logs | Retained for the lifetime of the website |
| Raw analytics data (page views) | Aggregated into daily summaries, raw data cleaned up nightly |
| Daily analytics summaries | 13 months, then aggregated into monthly summaries |
| Monthly analytics summaries | Retained indefinitely |
| IP geolocation cache | Retained as long as associated records exist |
| AI session and usage data | Retained for the lifetime of the website |
| Identity verification data | Retained per operator requirements and applicable KYC/AML regulations |
| Reservation/booking records | Retained for the lifetime of the website |
| Abandoned shopping carts | Cleaned up nightly after operator-configured idle period |
| Canceled subscription records | Soft-deleted after 90 days |
| Unverified user accounts | Cleaned up nightly after expiry period |
| Suspended website data (with orphaned domain) | 90 days after domain becomes orphaned |
| Anonymized and aggregated data | Retained indefinitely for analytics and service improvement |
Operators may request earlier deletion of their website data, subject to legal holds and regulatory requirements.
6. Your Rights and Choices
6.1 All Users
Regardless of your location, you have the right to:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your personal information.
- Portability: Request your data in a structured, commonly used, machine-readable format (JSON).
- Opt-Out: Opt out of non-essential marketing communications at any time.
- Newsletter Unsubscribe: Every marketing email includes a working unsubscribe link.
- Push Notification Control: Revoke push notification permission at any time via your browser or device settings.
- Account Deletion: Request complete deletion of your account and associated data.
6.2 Canadian Residents (PIPEDA)
Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to: access your personal information held by us, challenge the accuracy and completeness of your information and have it amended, and withdraw consent for the collection, use, or disclosure of your information, subject to legal or contractual restrictions.
We will respond to access requests within 30 days. If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada.
6.3 European Residents (GDPR)
If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR):
- Right of Access (Art. 15): Obtain confirmation of whether we process your data and request a copy.
- Right to Rectification (Art. 16): Have inaccurate personal data corrected.
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Right to Restriction (Art. 18): Request restriction of processing in certain circumstances.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
We will respond to GDPR requests within 30 days. You also have the right to lodge a complaint with your local data protection authority.
6.4 California Residents (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request information about the categories and specific pieces of personal information we have collected.
- Right to Delete: Request deletion of your personal information.
- Right to Opt-Out of Sale: We do not sell personal information, so this right is not applicable.
- Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your privacy rights.
We will respond to CCPA requests within 45 days.
6.5 End Users of Operator Websites
If you are an End User of a website operated on the Sitetra platform, please direct privacy requests to the Website Operator first, as they are the data controller for your information. If you are unable to reach the Operator or resolve your request, you may contact Sitetra and we will assist to the extent possible.
7. International Data Transfers
RAPID DEV GROUP INC. is based in Ontario, Canada. Your information may be transferred to and processed in countries other than your own through our third-party service providers.
Key data transfer destinations include:
- United States: AI providers (Anthropic, OpenAI, Google), payment processors (Stripe, Square, PayPal), email providers (Postmark, Mailgun), stock images (Shutterstock), and identity verification (IDenfy).
- Canada: Primary infrastructure and database.
- Globally distributed: Cloudflare CDN and file storage (R2). Vultr Object Storage for redundant file backups (New York).
Canada has received an adequacy decision from the European Commission, meaning that Canadian data protection laws are recognized as providing an adequate level of protection for personal data transferred from the EU/EEA.
For transfers to the United States and other jurisdictions without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) or other appropriate safeguards as required by applicable law.
For AI processing via Ollama and speech-to-text via Speaches, data remains on our own infrastructure in Canada and does not leave our servers.
By using the Service, you consent to the transfer of your information to Canada and other countries as described in this Privacy Policy.
8. Children's Privacy
The Service is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly.
Website Operators who create websites that may be accessed by children are responsible for ensuring compliance with the Children's Online Privacy Protection Act (COPPA) and other applicable children's privacy laws in their jurisdiction.
If you believe we may have collected information from a child under 16, please contact us immediately.
9. Cookies and Tracking Technologies
| Type | Purpose | Details |
|---|---|---|
| Essential Cookies | Authentication and session management | JWT session tokens, CSRF protection. Required for the Service to function. |
| Cart Cookies | Shopping cart identification | Cookie-based identifier for anonymous shopping cart tracking, allowing visitors to maintain a cart before creating an account. |
| Consent Cookies | Storing user preferences | Records your cookie consent choices so they are remembered across visits. |
| Security | Fraud prevention and account protection | FingerprintJS browser fingerprinting for security and analytics. Not used for advertising. |
| Analytics (Optional) | Website traffic analysis | Google Analytics, enabled only when the Website Operator activates it. |
We do not use advertising cookies or cross-site tracking cookies.
Consent Modes
The Platform supports three consent modes, configurable per website by the Operator:
- Notice: Displays an informational banner about cookie use.
- Jurisdiction: Applies jurisdiction-based default consent settings.
- Full: Requires explicit opt-in consent before non-essential cookies are set.
10. Website Operators (Data Processing)
Sitetra serves as a platform for Website Operators to build and manage their own websites. In this context:
10.1 Roles and Responsibilities
- Website Operators are the data controllers for the personal information of their own End Users and customers.
- Sitetra acts as a data processor, processing data on behalf of and under the instructions of the Website Operator.
10.2 Operator Obligations
Website Operators are responsible for:
- Maintaining their own privacy policies that comply with applicable laws.
- Obtaining necessary consents from their End Users for data collection and processing.
- Responding to data subject requests from their customers.
- Determining the lawful basis for processing their customers' data.
- Ensuring their use of Platform features (email marketing, reviews, analytics) complies with applicable privacy and anti-spam laws.
10.3 Automated Processing
Sitetra performs the following automated processing on behalf of Operators: abandoned cart recovery emails, review request emails, subscription billing, reservation confirmations, newsletter delivery, website billing, and scheduled data cleanup.
10.4 Data Isolation
All data is isolated by websiteId. One Website Operator cannot access the data of another Operator's End Users. Builders with cross-website access can only view data for websites specifically assigned to them.
10.5 Sub-Processors
Our sub-processors are listed in Section 18 of this Privacy Policy. Website Operators should reference this list in their own privacy policies as applicable.
10.6 Data Processing Agreement
A formal Data Processing Agreement (DPA) is available upon request for Operators requiring one for GDPR or other regulatory compliance.
10.7 Data Deletion
When a website is deleted, all associated data (including End User data) is permanently removed after the 90-day retention period.
11. AI-Specific Data Practices
Our platform integrates with multiple AI providers. Here is how data is handled for each:
- Anthropic (Claude): Text prompts, content context, business guidelines, and existing site content are sent to Anthropic's API. Anthropic's data handling is governed by their privacy policy and terms of service.
- OpenAI: Text prompts, content context, and audio data (for speech-to-text via Whisper) are sent to OpenAI's API. Image data may be sent for vision analysis (logo analysis, image classification). OpenAI's data handling is governed by their privacy policy and terms of service.
- Google (Gemini): Text prompts and content context are sent to Google's Gemini API. Google's data handling is governed by their privacy policy and terms of service.
- Ollama (Self-Hosted): Text prompts are processed entirely on our own infrastructure. No data is sent to external servers.
- Speaches (Self-Hosted): Audio data for speech-to-text is processed entirely on our own infrastructure. No data is sent to external servers.
AI Usage Logging
For each AI interaction, we log: the AI provider and model used, token input/output counts, estimated credit cost, a session identifier, and the associated website. This data is used for billing, usage analytics, and service improvement.
AI Context Data
When generating content, the AI may receive: your website's name, description, and business context, voice/tone guidelines configured by the Operator, existing content from your website (for context-aware generation), reference website data (when a reference URL is provided), and search queries for stock images.
Important: Please avoid submitting sensitive personal information (such as government identification numbers, financial account numbers, or health information) in AI prompts. While we implement security measures, AI prompts are transmitted to third-party providers as described above.
12. Identity Verification Data Practices
When a Website Operator enables identity verification, the following data practices apply:
12.1 Data Flow
Users submit identity documents through IDenfy's verification interface. IDenfy processes the documents and sends verification results to Sitetra via secure webhook. Sitetra stores the verification results and extracted personal data.
12.2 Biometric Data
Facial recognition processing is performed by IDenfy. Sitetra does not store raw biometric data (facial recognition templates). We store only the verification result and extracted personal information (name, date of birth, document details).
12.3 Data Stored
For each verification, we store: verification type (KYC, KYB, POA, AML), verification status (waiting, emailed, approved, suspected), extracted personal information (name, date of birth, sex, document type, document number), provider response metadata, and the timestamp of the verification.
12.4 Retention
Verification data is retained as long as the associated user account exists, or as required by applicable KYC/AML regulations. Operators and users may request deletion of verification data, subject to regulatory requirements.
12.5 Access
Users can request access to their verification records through the Website Operator or by contacting Sitetra directly. Verification statuses are visible to the Website Operator through the admin interface.
13. Automated Decision-Making
In compliance with GDPR Article 22, we disclose the following automated decision-making processes:
- AI Content Generation: AI generates content based on prompts and context. This involves automated processing but does not make decisions with legal effects on individuals. All AI-generated content is reviewed by humans before publication.
- Identity Verification: Verification results are produced by IDenfy's automated systems. These results are advisory only. Final decisions regarding account approval or restrictions are made by the Website Operator (human decision-maker).
- Credit Balance Checks: Operations are automatically blocked when a user's credit balance reaches zero or below. Users can resolve this immediately by purchasing additional credits.
- Rate Limiting: API requests are automatically throttled when rate limits are exceeded. This is resolved by waiting for the rate limit window to reset.
- Website Suspension: Websites are automatically suspended after 30 days of non-payment. This follows a documented timeline with warnings at Day 0 and Day 15, and can be reversed by adding sufficient credits.
- MCP-Connected AI Tools: When you connect a third-party AI tool to your website via Sitetra's MCP server, that tool may access your website data (including content, orders, contacts, and other information) through your Sitetra account. Data accessed through MCP connections is subject to the privacy policies of the AI tools you choose to connect. Sitetra does not control or monitor the data practices of third-party AI tools.
- Review Auto-Approval: When enabled by the Operator, reviews may be automatically published without manual moderation. This is an Operator configuration choice.
You have the right to request human review of any automated decision that significantly affects you. Contact us or the Website Operator to request a review.
14. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Sitetra will:
- Notify affected Website Operators within 72 hours of becoming aware of the breach (in accordance with GDPR Article 33).
- Assist Operators in meeting their notification obligations to their End Users and relevant authorities.
- Report to the Office of the Privacy Commissioner of Canada where the breach involves Canadian personal information and meets PIPEDA reporting thresholds.
Breach Notification Content
Breach notifications will include: the nature of the breach, the categories of data affected, the approximate number of records involved, the measures taken or proposed to address the breach, and contact information for further inquiries.
Incident Response
Sitetra maintains incident response procedures including comprehensive authentication logging, error logging, IP geolocation tracking, and webhook event recording to assist in breach investigation and response.
15. Lawful Basis for Processing
Under GDPR Article 6, we process personal data on the following lawful bases:
| Lawful Basis | Processing Activities |
|---|---|
| Contract Performance | Account management, website hosting, credit billing, payment processing, domain registration, and other services necessary to provide the Platform as agreed in our Terms of Service. |
| Legitimate Interest | Security logging (authentication logs, error logs, rate limiting), analytics aggregation, fraud prevention, browser fingerprinting for security, and platform improvement based on anonymized usage data. |
| Consent | Newsletter subscriptions, push notifications, cookie tracking (in "full" consent mode), optional Google Analytics, and OAuth social login. |
| Legal Obligation | Identity verification when required by applicable KYC/AML law, financial record retention as required by Canadian tax law, and data disclosure in response to valid legal process. |
| Operator Instructions | Processing End User data (CRM, e-commerce, reservations, reviews, newsletters) as a data processor acting on the Website Operator's documented instructions. |
16. Push Notifications
16.1 Opt-In Requirement
Push notifications require explicit browser or device permission. You will be prompted to grant permission before any push notifications are sent. We will never send push notifications without your consent.
16.2 Types of Notifications
Push notifications may include: billing alerts (low balance, insufficient credits, auto-recharge confirmations), order and payment notifications, reservation confirmations and reminders, review notifications, and other operational notifications configured by the Website Operator.
16.3 Data Stored
When you subscribe to push notifications, we store a push subscription endpoint and associated encryption keys. This data is stored per-user and per-device.
16.4 Revocation
You may revoke push notification permission at any time through your browser or device settings. Revoking permission stops all push notifications immediately. You may also unsubscribe from specific notification types through your account settings.
17. Activity Logs and Audit Trail
The Platform maintains various logs for security, debugging, compliance, and dispute resolution:
- Authentication Logs: All login attempts (successful and failed) are recorded with IP address, user agent, and approximate geolocation.
- Error Logs: Application errors are recorded with service name, method, and relevant data context (with sensitive data redacted).
- Email Delivery Tracking: Email send status (delivered, bounced, complained, opened, clicked) is tracked via webhooks from email providers.
- SMS Delivery Tracking: SMS delivery status and replies are tracked via webhooks from VoIP.ms.
- Credit Transaction History: All credit transactions are immutable records including the transaction type, amount, balance before and after, and associated metadata.
- Inventory Logs: Inventory movements (in, out, locked, adjustment, sync, backorder) are recorded with before and after quantities.
- Activity Logs: User actions within the admin interface may be logged for audit trail purposes.
- Webhook Event Logs: Incoming webhook events from payment processors, email providers, and other services are logged for debugging and reconciliation.
Website Operators can view relevant logs for their website through the admin interface.
18. Sub-Processor List
The following table lists our current sub-processors. We will notify Website Operators of material changes to this list.
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Anthropic | AI text generation (Claude) | Prompts, content context | United States |
| OpenAI | AI text generation, speech-to-text, vision | Prompts, audio, images | United States |
| Google | AI text generation (Gemini), Analytics | Prompts, website analytics | United States |
| Stripe | Payment processing | Payment details, billing info | United States |
| Square | Payment processing, POS | Payment details, billing info | United States |
| PayPal | Payment processing | Payment details, billing info | United States |
| Wise | Money transfers | Payment details, billing info | United Kingdom |
| Postmark | Email delivery | Email addresses, email content | United States |
| Mailgun | Email delivery | Email addresses, email content | United States |
| VoIP.ms | SMS messaging | Phone numbers, message content | Canada |
| Shutterstock | Stock image licensing | Search queries | United States |
| IDenfy | Identity verification (KYC/AML) | ID documents, facial images, personal data | Lithuania / EU |
| EasyDNS | Domain registration | WHOIS data, domain config | Canada |
| Cloudflare | CDN, DNS, storage, domain registration | Web traffic, files, domain config | Global |
| Microsoft | OAuth authentication | Auth tokens, profile info | United States |
| Facebook (Meta) | OAuth authentication | Auth tokens, profile info | United States |
| GitHub | OAuth authentication | Auth tokens, profile info | United States |
Note: Ollama (AI) and Speaches (speech-to-text) run on our own infrastructure and are not external sub-processors.
19. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on the Service and updating the "Last Updated" date. Where required by law, we will provide at least 30 days' notice before changes take effect.
Your continued use of the Service after changes become effective constitutes your acceptance of the revised Privacy Policy.
Your use of Sitetra is also governed by our Terms of Service, which are incorporated by reference into this Privacy Policy.
20. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
RAPID DEV GROUP INC.
Operating as Sitetra
Ontario, Canada
Privacy inquiries: [email protected]
General inquiries: [email protected]
Legal and law enforcement: [email protected]
For privacy complaints or inquiries related to specific jurisdictions:
- Canada: Office of the Privacy Commissioner of Canada (www.priv.gc.ca)
- European Union: Contact your local Data Protection Authority
- California: California Attorney General's Office
