One platform, priced by sites. Every module included. Docs All systems operational
Build it freeNo card · no time limit Start free
Legal

Privacy Policy

Last updated: June 2026

Draft pending legal review. This document is a working draft provided for product-preview purposes and is being finalized with legal counsel. It is not yet a binding agreement.

This policy is written to be read, not hidden behind. Where the law gives you a right, it is listed. Where a value is still to be confirmed, it is marked as a placeholder.

Effective date: placeholder, to be set on finalization. Last updated: placeholder, to be set on finalization.

1. Who we are and what this policy covers

SGEN is a software-as-a-service website-building and hosting platform. Customers build websites using our native modules, and we host those websites, including hosting, SSL, a CDN, a web application firewall (WAF), and security patching, which we provide on every plan, including the free Sandbox tier (the "Foundation Pack").

This Privacy Policy is published by [legal entity name, placeholder], a company incorporated in [jurisdiction of incorporation, placeholder], with its registered address at [registered address, placeholder]. In this policy, "SGEN," "we," "us," and "our" refer to that entity. The legal entity, jurisdiction, and address shown here are placeholders pending owner and counsel confirmation.

This policy applies to:

  • The SGEN marketing website (sgen.com) and our account and billing systems, and the personal data of people who visit the site, sign up, or contact us; and
  • The websites our customers build and host on SGEN, with respect to the personal data of those sites' visitors. Here our role is different (see Section 2).

It does not govern how an individual SGEN customer uses the personal data they collect on their own site. That is governed by each customer's own privacy notice.


2. Two roles: our visitors and your visitors

SGEN acts in two distinct privacy roles, and which role applies determines who is responsible to you.

Role A, Controller (our own visitors and customers). For personal data about visitors to sgen.com and about our account holders, billing contacts, and prospects, SGEN is the data controller: we decide why and how that data is processed. Sections 3 through 13 describe this directly.

Role B, Processor (your site's visitors). For personal data that flows through a customer's SGEN-hosted website, for example a form submission left by one of your site visitors, first-party analytics about your site's traffic, or a payment one of your customers makes, the SGEN customer (the website operator) is the controller, and SGEN is the data processor acting on that customer's documented instructions. We host, store, serve, and back up that data so the customer's site works; we do not use it for our own purposes.

The terms governing Role B, our processor obligations, the technical and organizational security measures, sub-processor authorization, breach notification, and data return or deletion, are set out in our Data Processing Agreement (legal-dpa), which is structured to GDPR Article 28. If you are a visitor on a site built with SGEN and want to exercise your rights over your data, contact that website's operator (the controller); we will assist them as their processor.


3. Information we collect

The categories below map to real SGEN product surfaces.

As controller (sgen.com and your SGEN account):

  • Account data: your name, email address, and login credentials when you register; team-member identities and the role assigned to each via our native role-based access control (Users and Roles).
  • Billing and payment data: the billing information needed to charge for a plan. Card payments are handled by our payment processors, Stripe and PayPal; SGEN facilitates the transaction and does not store full card numbers in the clear. The exact billing data SGEN itself retains is a placeholder pending confirmation against the Stripe and PayPal agreements.
  • Usage and device data: how you interact with the marketing site and the dashboard, plus standard technical data (IP address, browser, device, pages viewed). On the analytics side we use first-party analytics in the dashboard, designed to measure traffic and behavior without loading a third-party tracking tag by default.
  • Cookies and consent records: cookie data and the per-session consent decisions captured by our native Consent and Tracking module (see Section 6 and the Cookie Policy).
  • Support and communications data: what you send us when you contact support, request a demo, or subscribe to communications.

As processor (data on your SGEN-hosted site, where you are the controller):

  • Form-submission data: the personal data your site visitors enter into native forms (which can include name, email, phone, message, and any field you configure). This is personally identifiable information belonging to your visitors; we process it on your behalf so your forms work, store the entries, and back them up.
  • Site-visitor analytics data: first-party analytics about your site's traffic and behavior, shown to you in your dashboard.
  • Consent records of your visitors: the per-session, read-only consent log for each visitor decision on your site (timestamp, page, accept or decline outcome).
  • Payment data of your customers: where you accept payments, the transaction is processed by Stripe or PayPal as the payment processor; SGEN facilitates the connection. What payment data, if any, transits or is retained by SGEN versus handled directly by Stripe and PayPal is a placeholder pending confirmation.

4. How we use your information, and our lawful bases (GDPR)

We use personal data for the purposes below. Where the EU and UK GDPR apply, each purpose relies on a lawful basis. The lawful-basis mapping below is a reasonable starting draft and must be confirmed by counsel, because the basis chosen has legal consequences (for example, consent can be withdrawn; legitimate interest requires a balancing test).

  • Service delivery and account administration: creating and running your account; hosting and serving your sites; providing the dashboard and Foundation Pack. Lawful basis: performance of a contract (Art. 6(1)(b)).
  • Processing payments: charging for plans; facilitating Stripe and PayPal transactions. Lawful basis: performance of a contract (Art. 6(1)(b)); legal obligation for tax and accounting records (Art. 6(1)(c)).
  • Product analytics and improvement: understanding usage to improve the platform, using first-party analytics. Lawful basis: legitimate interest (Art. 6(1)(f)), subject to a balancing test (counsel to confirm).
  • Security, fraud prevention, and abuse detection: operating the WAF, security patching, and platform protections; investigating misuse. Lawful basis: legitimate interest (Art. 6(1)(f)); legal obligation where applicable.
  • Marketing communications: sending product news and offers you can opt out of. Lawful basis: consent (Art. 6(1)(a)) where required, or legitimate interest for existing-customer messaging (counsel to confirm).
  • Legal compliance and enforcing terms: meeting legal obligations; enforcing our Terms of Service. Lawful basis: legal obligation (Art. 6(1)(c)); legitimate interest (Art. 6(1)(f)).

When we act as processor for data on your site (Role B), we process only on the customer-controller's documented instructions and for the purpose of delivering the service, not for our own analytics, marketing, or profiling. The lawful basis for processing your visitors' data is established by you, the controller, in your own privacy notice.


5. How we share information: service providers and sub-processors

We do not sell personal data. Whether any SGEN activity would be a "sale" or "share" under CCPA and CPRA is to be confirmed by counsel before this statement is final; if any such activity exists, it must be disclosed here and an opt-out provided (see Section 9).

We share personal data with the following categories of recipients:

  • Sub-processors and service providers: vendors that help us run the platform: our hosting and infrastructure and CDN provider(s), our payment processors (Stripe and PayPal), and operational tools (for example, support, email, error monitoring). When we act as processor, these are our sub-processors and we flow down equivalent data-protection terms.
  • Professional advisers and authorities: where required by law, legal process, or to protect rights and safety.
  • Corporate transactions: in a merger, acquisition, or asset sale, subject to this policy.

Sub-processor list. The actual, current sub-processor list (legal name, service provided, processing location) is a placeholder to be inserted and kept current; we will not publish a partial list as if it were exhaustive. The confirmed product-level integrations on which the list will rest include the payment processors Stripe and PayPal and the hosting and CDN provider(s) that deliver the Foundation Pack, but the legal vendor identities and locations are placeholders pending owner confirmation.

The processor relationship, the sub-processor authorization mechanism, and change-notification are governed by our Data Processing Agreement (legal-dpa).


6. Cookies and tracking

SGEN uses cookies and similar technologies on sgen.com and provides a native consent mechanism on customer sites. Our native Consent and Tracking module shows a consent banner that gates tracking scripts until the visitor accepts; on decline, those scripts do not load. Every decision is written to a per-session, read-only consent log (timestamp, page, accept or decline): the audit trail. Operators can exempt policy pages (privacy, cookie, terms) from the banner so they can be read unobstructed.

Separately, visitor accessibility-menu preferences are stored in the visitor's session, not as a tracking cookie.

Full detail, including the cookie categories and how to manage choices, is in our Cookie Policy (legal-cookie-policy). The actual cookie inventory (names, providers, durations) lives in that document and is to be completed there.


7. Data retention

We keep personal data only as long as needed for the purposes in this policy, then delete or anonymize it. The retention periods below are placeholders pending the actual windows for each category.

  • Account data: for the life of the account, then a placeholder period after closure, except where law requires longer.
  • Billing and payment records: a placeholder period for tax and accounting (legal obligation); the jurisdictional period is to be confirmed by counsel.
  • Usage and analytics data: a placeholder period in identifiable form, then aggregated.
  • Consent records (your visitors' log): retained for the controller's audit purposes for a placeholder period.
  • Form-submission data (processor role): retained per the customer-controller's instruction; returned or deleted per the DPA on termination.
  • Backups: backups are on-demand snapshots with retention, so residual copies may persist after live deletion until the retention window expires. The specific backup retention window is a placeholder pending confirmation.

On account closure we return or delete personal data per the DPA (legal-dpa), subject to legal retention and the backup retention window above.


8. International data transfers

Where personal data is transferred out of the European Economic Area or the United Kingdom, for example to infrastructure or sub-processors located elsewhere, we rely on an appropriate transfer mechanism (such as the EU Standard Contractual Clauses and the UK International Data Transfer Addendum). Whether EU Standard Contractual Clauses or UK transfer tools are required depends on the jurisdiction of SGEN's hosting infrastructure, which is not yet confirmed. This is the highest-stakes open item for GDPR-heavy buyers and must be resolved (infrastructure data-residency and the actual transfer mechanism) before this section is final.


9. Your privacy rights (GDPR, UK GDPR, CCPA and CPRA)

If you are in the EEA or UK (GDPR and UK GDPR) you have the right to: access your data; have it corrected (rectification); have it erased (the "right to be forgotten"); restrict processing; data portability; object to processing (including to legitimate-interest processing and to direct marketing); and withdraw consent at any time where processing is based on consent. You also have the right to lodge a complaint with your supervisory authority.

If you are a California resident (CCPA and CPRA) you have the right to: know what personal information we collect and how it is used and shared; delete it; correct it; opt out of any "sale" or "sharing" of personal information; limit use of sensitive personal information; and not be discriminated against for exercising these rights. Whether SGEN meets the CCPA and CPRA applicability thresholds is to be confirmed before asserting CCPA obligations, along with whether any activity constitutes a "sale" or "share" (see Section 5).

How to exercise your rights. Submit a request to the contact in Section 13. We will verify your identity and respond within the timeframe the applicable law requires. A specific response timeframe is not stated here pending confirmation of the operational commitment and the legally required window for each regime.

Authorized agents and visitors of customer sites. If your data was collected on a website built with SGEN, SGEN is the processor and that site's operator is the controller. Direct your rights request to that operator, and we will assist them in responding (see Section 2 and the DPA).


10. Data security

We protect personal data with the same native security layer that runs on every SGEN site: a web application firewall (WAF) in front of every site, SSL, a CDN, and platform-level security patching, all part of the Foundation Pack, included free on every plan. Access to data is governed by role-based access control (Users and Roles), and consent decisions are captured in a read-only audit log.

SOC 2 and ISO certification status is not asserted here; we do not claim "certified" or display a certification badge. If certifications are in progress, they will be described as "in progress," never as held. No security measure is perfectly secure; the security-disclaimer wording is to be finalized by counsel.


11. Children's privacy

SGEN's services are not directed to children, and we do not knowingly collect personal data from children below the age at which consent is required in the relevant jurisdiction. The applicable age threshold(s) (for example, 13 under COPPA in the US; 16 or a lower member-state age under GDPR) and the takedown process for data collected from a child are to be confirmed. Customers who collect children's data on their own SGEN-hosted sites are responsible as controllers for their own compliance.


12. Changes to this policy

We may update this policy from time to time. When we do, we will revise the "Last updated" date above and, for material changes, provide a more prominent notice (such as an email or an in-app notice). The notification method actually used and the change-notice wording, especially where a change requires fresh consent, are to be confirmed.


13. How to contact us

For privacy questions or to exercise your rights, contact us at:

  • Privacy contact: privacy contact email is a placeholder pending confirmation.
  • Postal address: the registered address from Section 1 (placeholder).
  • Data Protection Officer: to be inserted if one is appointed; appointment may be required under GDPR Art. 37 depending on processing.
  • EU and UK representative: if SGEN is established outside the EU and UK but processes EEA or UK personal data, a representative may be required under GDPR Art. 27 and UK GDPR. Name and address to be inserted if applicable.

You also have the right to complain to your data-protection supervisory authority. The lead authority, if one applies, is to be named on finalization.