Privacy Policy
Effective date: May 17, 2026
Last updated: May 17, 2026
Plain-English summary: We collect only what we need to run the Service, never sell your data, never use your content to train AI models without your consent, and give you full control to export or delete your data at any time. The detailed legal terms below describe our practices in full.
1. Introduction & Scope
This Privacy Policy ("Policy") describes how DNURA.AI ("we", "us", "our", "Company") collects, uses, discloses, and safeguards information when you visit, register, or use our website-building platform located at https://dnuura.dev and any related services, mobile applications, APIs, or websites we operate (collectively, the "Service"). This Policy applies to all users, regardless of location, and forms a binding legal agreement between you and DNURA.AI. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with any provision herein, you must immediately discontinue use of the Service. This Policy operates in conjunction with our Terms of Service.
2. Definitions
For purposes of clarity: "Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on Personal Data, whether or not by automated means. "Data Controller" means the entity that determines the purposes and means of processing Personal Data — DNURA.AI is the Data Controller for data collected through the Service. "Data Processor" means an entity that processes Personal Data on behalf of the Data Controller. "Generated Content" means any website code, images, text, or other materials produced by the AI tools provided by the Service. "User Content" means any material you upload, submit, or input into the Service, including prompts, brand assets, and configurations.
3. Information We Collect
We collect the following categories of information: (a) Account Information — your email address, hashed password (we never store plaintext passwords), display name, profile preferences, and authentication tokens; (b) Identity & Contact Data — name and email when you complete onboarding, contact information you provide voluntarily; (c) Payment Information — billing address, last four digits of payment card, transaction history, and subscription status; full payment card numbers are processed exclusively by Stripe, Inc. and never stored on our systems; (d) User Content — text prompts you submit, brand assets you upload, custom configurations, and any other inputs you provide; (e) Generated Content — AI-produced website code, logo images, and associated metadata; (f) Form Submissions — data submitted through forms on published sites you own (received on behalf of you, the site owner); (g) Usage Data — credit consumption logs, generation timestamps, feature interactions, session duration, and clickstream data; (h) Technical Data — IP address, browser type and version, device identifiers, operating system, language preferences, referring URLs, and access timestamps; (i) Communications — emails, support tickets, and other correspondence with our team; (j) Cookies & Tracking Data — as detailed in Section 9.
4. Sources of Information
We collect information from the following sources: (a) Directly from you — when you create an account, fill out forms, upload content, communicate with us, or use Service features; (b) Automatically — through cookies, server logs, analytics tools, and device sensors when you interact with the Service; (c) From third-party services — payment processors (Stripe), authentication providers (Google OAuth, if used), and analytics providers (Vercel Analytics); (d) From AI providers — usage and processing data from DeepSeek and Replicate when generating content on your behalf; (e) From form submissions on your published sites — visitor-submitted data that you have configured your sites to collect.
5. Legal Bases for Processing (GDPR)
For users in the European Economic Area, United Kingdom, and other jurisdictions requiring lawful basis identification, we process your Personal Data under the following lawful bases: (a) Performance of a contract (Art. 6(1)(b) GDPR) — to provide the Service you have signed up for, deliver generated content, process payments, and maintain your account; (b) Legitimate interests (Art. 6(1)(f) GDPR) — to prevent fraud and abuse, enforce rate limits, maintain security, debug technical issues, improve product quality, and conduct internal analytics; (c) Legal obligation (Art. 6(1)(c) GDPR) — to comply with tax laws, accounting requirements, lawful government requests, and other regulatory mandates; (d) Consent (Art. 6(1)(a) GDPR) — for non-essential cookies, marketing communications (where applicable), and other optional processing; you may withdraw consent at any time without affecting the lawfulness of prior processing.
6. Purposes of Processing
We use your information solely for the following purposes: (a) To create, authenticate, and maintain your account; (b) To provide AI generation services — including transmitting prompts to DeepSeek (for text/HTML) and Replicate (for images), receiving generated outputs, and storing them in association with your account; (c) To process payments and manage subscriptions; (d) To deliver form submissions from your published sites to your inbox and send notification emails (subject to rate caps to prevent abuse); (e) To send transactional emails — account verification, password resets, billing receipts, low-credit warnings, security alerts; (f) To prevent fraud, detect abuse, enforce rate limits, and protect the security and integrity of the Service; (g) To debug, troubleshoot, monitor, and improve product performance; (h) To comply with legal obligations and respond to lawful requests from authorities; (i) To analyze aggregated, anonymized usage patterns for product development; (j) With your explicit consent — to send marketing communications, which you may unsubscribe from at any time.
7. AI Processing & Automated Decision-Making
The Service uses artificial intelligence to generate website code, edit content, and create logo images. When you submit a prompt, it is transmitted to third-party AI providers (currently DeepSeek for code/text and Replicate for images) for processing. These providers may temporarily retain prompt data per their own retention policies. We do not use your prompts or generated content to train AI models, nor do we authorize our providers to do so on our behalf, unless you explicitly opt in via written consent. AI-generated content is provided as a service output and does not constitute automated decision-making with legal or similarly significant effects on you within the meaning of GDPR Article 22. You retain full editorial control and may modify, discard, or republish any generated content at your discretion.
8. Third-Party Data Processors & Sub-Processors
To operate the Service, we share data with the following processors, each contractually bound to process data only on our documented instructions and to maintain appropriate security: (a) Supabase, Inc. — database hosting, file storage, and authentication; processes all account data and user content; (b) Vercel, Inc. — web hosting, edge functions, CDN, analytics AND, where you purchase a domain through us, acts as the domain registrar (see Domain Registration section below); (c) DeepSeek — AI text generation; processes prompts and current HTML context to produce generated output; (d) Replicate, Inc. — AI image generation for logos; processes logo prompts and returns image URLs; (e) Stripe, Inc. — payment processing and subscription management; processes billing details and card information directly (PCI-DSS Level 1); (f) Resend, Inc. — transactional email delivery; processes recipient email addresses and message bodies; (g) Cloudflare, Inc. — bot protection (Turnstile) for sign-up flows; (h) ICANN-accredited registrars (eNom / OpenSRS, via Vercel) and TLD registries (Verisign for .com/.net, Identity Digital, etc.) — receive registrant contact data for any domain you register through DNURA.AI, as required by ICANN policy. Each processor's privacy policy applies to data they receive: please review their respective policies for full details. We maintain an up-to-date list of sub-processors and will provide reasonable advance notice of material changes upon request.
8a. Domain Registration Data (when you buy a domain through us)
If you purchase a domain name through DNURA.AI, additional data processing applies: (a) DATA COLLECTED: first name, last name, email address, country, and (optionally) phone/address — this is the legally-required ICANN registrant contact information. (b) PURPOSE: to register and maintain the domain on your behalf via Vercel Inc. (acting through an ICANN-accredited registrar such as eNom or OpenSRS) and the relevant TLD registry. (c) WHO RECEIVES IT: Vercel Inc., the downstream registrar, the TLD registry operator (e.g. Verisign for .com), and ICANN for compliance audits. (d) PUBLIC WHOIS: ICANN requires WHOIS records to be publicly queryable. We enable WHOIS PRIVACY PROTECTION BY DEFAULT on every domain we sell — this replaces your name and contact in public WHOIS with a privacy-service proxy. You may disable privacy protection at any time but doing so will publish your real contact info worldwide. (e) RETENTION: registrant data is retained for as long as the domain is registered + a mandatory ICANN retention period of 2 years after termination (per ICANN 2013 RAA). (f) LEGAL BASIS: contractual necessity (to perform the registration you requested) and compliance with ICANN policy. (g) YOUR RIGHTS: you may update registrant data at any time via My Domains. Deletion is constrained by ICANN retention requirements — we can mark you as 'redacted' but cannot delete registrant records until the retention period expires. (h) INTERNATIONAL TRANSFERS: registrar and registry operators may be located outside your country (commonly in the US). Transfers occur under Standard Contractual Clauses where required by GDPR.
9. Cookies, Local Storage & Tracking Technologies
We use the following categories of cookies and similar technologies: (a) Strictly Necessary Cookies — required for authentication, session management, security (CSRF tokens), and core Service functionality; these cannot be disabled without breaking the Service; legal basis: contractual necessity. (b) Functional Cookies & Local Storage — to remember your preferences (theme, language, cookie-consent choices, brand-kit settings); legal basis: legitimate interest or consent. (c) Analytics Cookies — anonymized usage tracking (Vercel Analytics) to understand feature adoption; you may decline these via our cookie banner; legal basis: consent (where required). We do not use third-party advertising cookies, behavioral retargeting, social media tracking pixels, or cross-site tracking technologies. Cookie lifespans range from session-only (deleted on browser close) to a maximum of 12 months. Your cookie-consent choice is recorded in browser local storage under the key "dnura_cookie_consent". You may clear cookies and local storage at any time via your browser settings; doing so may require you to re-authenticate.
10. Data Sharing & Disclosure
We do not sell, rent, lease, or trade your Personal Data to third parties for monetary or other valuable consideration. We do not share your data with advertisers, data brokers, or marketing networks. We may disclose your Personal Data in the following limited circumstances: (a) To processors and sub-processors as described in Section 8, under binding data processing agreements; (b) To comply with applicable law, regulation, legal process, or lawful governmental request (including subpoenas and court orders); we will, where legally permitted, notify affected users before disclosure; (c) To enforce our Terms of Service, including investigation of potential violations; (d) To protect the rights, property, safety, or security of DNURA.AI, our users, or the public, particularly to prevent fraud or address security or technical issues; (e) In connection with a corporate transaction — such as a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or substantially all of our assets — provided that any successor entity is bound by terms substantially equivalent to this Policy; (f) With your explicit consent, for any other purpose disclosed at the time of collection.
11. International Data Transfers
Personal Data we collect may be processed in jurisdictions outside of your country of residence, including the United States and other countries where our processors operate. These countries may have data protection laws different from — and in some cases less protective than — those in your home jurisdiction. When transferring Personal Data from the European Economic Area, United Kingdom, or Switzerland to countries not deemed to provide an adequate level of data protection by the European Commission, we rely on appropriate safeguards including: (a) Standard Contractual Clauses ("SCCs") approved by the European Commission, incorporated into our agreements with processors; (b) adequacy decisions where applicable; (c) supplementary technical and organizational measures including encryption in transit and at rest. By using the Service, you acknowledge and consent to such international transfers as a necessary condition of receiving the Service. You may request a copy of the safeguards in place by contacting us at privacy@dnuura.dev.
12. Data Retention
We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are as follows: (a) Account data — retained for the lifetime of your active account; deleted within 30 days of verified account-deletion request, subject to legal-hold exceptions; (b) Generated content (sites, logos, chat history) — retained while the associated site/logo exists in your account; deleted within 30 days of removal from your account; (c) Form submissions to your published sites — retained while you maintain the site; you control the retention of this data and may delete individual submissions at any time; (d) Payment records and invoices — retained for 7 years to comply with tax, accounting, and financial reporting laws (e.g., U.S. IRS, EU Directive 2006/112/EC); (e) IP-based rate-limit and security logs — retained for 90 days; (f) Email logs (delivery records, not message content) — retained for 30 days; (g) Backup snapshots — retained for up to 90 days for disaster recovery; deleted data persists in backups until rotation. After retention periods expire, data is permanently deleted or anonymized in a manner that prevents re-identification.
13. Your Rights — GDPR, UK GDPR & Similar Frameworks
If you are a data subject under the European Union General Data Protection Regulation, UK GDPR, Swiss FADP, or similar privacy frameworks, you have the following rights: (a) Right of Access — to obtain confirmation of whether we process your Personal Data and receive a copy of that data; (b) Right to Rectification — to correct inaccurate or incomplete Personal Data; (c) Right to Erasure ("Right to be Forgotten") — to request deletion of your Personal Data, subject to legal exceptions; (d) Right to Restriction of Processing — to limit how we use your Personal Data in certain circumstances; (e) Right to Data Portability — to receive your Personal Data in a structured, commonly used, machine-readable format and transmit it to another controller; (f) Right to Object — to object to processing based on legitimate interests, including profiling and direct marketing; (g) Right Not to be Subject to Automated Decision-Making — including profiling, where such decisions produce legal or similarly significant effects (see Section 7); (h) Right to Withdraw Consent — at any time, without affecting the lawfulness of prior consent-based processing; (i) Right to Lodge a Complaint — with your local supervisory authority (in the EU, see edpb.europa.eu/about-edpb/board/members; in the UK, see ico.org.uk). To exercise any of these rights, contact privacy@dnuura.dev. We will respond within 30 days (extendable by 60 additional days for complex requests) and will not charge a fee unless the request is manifestly unfounded or excessive.
14. Your Rights — CCPA, CPRA & U.S. State Privacy Laws
If you are a California resident, the California Consumer Privacy Act ("CCPA") and California Privacy Rights Act ("CPRA") grant you the following rights: (a) Right to Know — what categories of Personal Information we have collected, the sources, the purposes, and the categories of third parties with whom we share it; (b) Right to Delete — your Personal Information, subject to certain exceptions; (c) Right to Correct — inaccurate Personal Information; (d) Right to Opt-Out of Sale or Sharing — note that we do not sell or share Personal Information for cross-context behavioral advertising; (e) Right to Limit Use of Sensitive Personal Information — note that we do not use sensitive Personal Information for purposes beyond those allowed under CPRA without limitation; (f) Right to Non-Discrimination — we will not deny services, charge different prices, or provide a different level of quality because you exercised your privacy rights. Similar rights may exist under other U.S. state laws including Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and Utah UCPA. To exercise rights, email privacy@dnuura.dev with "Privacy Rights Request" in the subject line. We will verify your identity using information already on file. You may designate an authorized agent to make a request on your behalf.
15. Security Measures
We implement appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, including: (a) HTTPS/TLS encryption for all data in transit; (b) industry-standard password hashing (bcrypt/argon2) — we never store plaintext passwords; (c) row-level security policies in our database ensuring users cannot access other users' data; (d) least-privilege access controls for our team; (e) regular security audits and dependency updates; (f) rate limiting and bot-detection mechanisms; (g) server-side input validation and output sanitization; (h) honeypot and CAPTCHA protections on public forms; (i) Stripe-managed payment processing (we never see card numbers). Despite these measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security. If you discover a security vulnerability, please report it responsibly to security@dnuura.dev — we will acknowledge receipt within 72 hours.
16. Data Breach Notification
In the event of a Personal Data breach that poses a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, we will also notify affected data subjects without undue delay (Article 34 GDPR), unless one of the statutory exemptions applies (e.g., the data was encrypted, subsequent measures eliminated the risk, or notification would involve disproportionate effort, in which case a public communication will be used). For users in the United States and other jurisdictions, we will comply with applicable state and federal breach-notification laws. Notifications will describe the nature of the breach, the likely consequences, the measures taken or proposed, and contact information for further inquiries.
17. Children's Privacy
The Service is not directed at or intended for use by children under the age of 13 (or 16 in the European Economic Area, or the equivalent minimum age in other jurisdictions). We do not knowingly collect Personal Data from children. If you are a parent or guardian and become aware that your child has provided us with Personal Data without your consent, please contact us at privacy@dnuura.dev. If we learn that we have collected Personal Data from a child without verified parental consent, we will promptly delete such information. We do not knowingly market the Service to children, nor do we use Personal Data in ways that would qualify as profiling of children under GDPR.
18. Account & Data Deletion
You may delete your account at any time from the Settings page in your dashboard. Upon submission of a verified deletion request: (a) all sites, generated content, logos, brand assets, and form submissions associated with your account are queued for permanent deletion within 30 days; (b) your authentication credentials and profile data are deleted; (c) billing records and tax-related data are retained for the legally mandated period (typically 7 years) in a restricted-access archive; (d) data in encrypted backups will be deleted upon the next backup rotation cycle (up to 90 days); (e) data already transmitted to third-party processors (e.g., DeepSeek for generation) is subject to those providers' retention policies and our requests to delete will be forwarded but cannot be guaranteed. To request account deletion, use the dashboard self-service tool or email privacy@dnuura.dev with the subject "Account Deletion Request" from the email address associated with the account.
19. Third-Party Links & Embedded Content
The Service may contain links to third-party websites, services, or embedded content (such as videos, fonts loaded from Google Fonts, or third-party scripts). This Privacy Policy does not apply to such third-party content. We are not responsible for the privacy practices or content of third-party services. We encourage you to review the privacy policies of any third-party sites or services you visit. Generated content you publish may contain references to third-party services you have integrated — you are responsible for ensuring such integrations comply with applicable privacy laws.
20. Marketing Communications
We may send you transactional emails relating to your account, billing, security, and Service updates — these are not marketing and cannot be unsubscribed from while your account is active. With your consent (where required by law), we may send marketing emails about new features, tips, and promotional offers. You can unsubscribe from marketing emails at any time using the "unsubscribe" link in any such email, or by emailing privacy@dnuura.dev. Withdrawing consent to marketing does not affect the lawfulness of prior consent-based processing.
21. Do Not Track & Global Privacy Control
Some browsers offer "Do Not Track" (DNT) signals or Global Privacy Control (GPC) settings. The legal status and obligation to honor such signals vary by jurisdiction. We currently treat verified GPC signals as a request to opt out of any "sale" or "sharing" of Personal Information under California law — though we do not currently engage in such sales or sharing. We do not respond to DNT browser signals as no universal standard for interpretation has been adopted.
22. Changes to This Privacy Policy
We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will: (a) update the "Last updated" date at the top of this Policy; (b) notify you by email and prominent in-app notice at least 14 days before the changes take effect, where the changes materially expand the categories of data collected or the purposes of processing. Your continued use of the Service after the effective date of any update constitutes acceptance of the revised Policy. If you do not agree with the changes, you must discontinue use of the Service and may exercise your deletion rights.
23. Dispute Resolution & Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of the jurisdiction in which DNURA.AI is established, without regard to its conflict-of-laws principles. Any dispute, claim, or controversy arising out of or relating to this Policy or the processing of your Personal Data shall first be attempted to be resolved through good-faith informal negotiation. If unresolved within 60 days, disputes shall be resolved through binding arbitration or in the competent courts of the jurisdiction where DNURA.AI is established, at our election, except where otherwise required by mandatory consumer-protection law. EU/UK/Swiss data subjects retain the right to lodge a complaint with their local supervisory authority and to pursue judicial remedy in the courts of their member state of residence.
24. Limitation of Liability (for Privacy Matters)
To the maximum extent permitted by applicable law, our total cumulative liability arising out of or related to this Privacy Policy, including any claim for damages arising from the processing of your Personal Data, shall not exceed the greater of (a) the amounts you have paid to DNURA.AI in the twelve months preceding the event giving rise to the claim, or (b) one hundred U.S. dollars (USD 100). This limitation does not apply to liability that cannot be limited under applicable law, such as liability arising from intentional misconduct or gross negligence in jurisdictions that prohibit such limitations.
25. Contact Information
For any questions, concerns, requests, or complaints regarding this Privacy Policy or our data practices, please contact us at: Email — privacy@dnuura.dev (privacy inquiries and data-subject requests); legal@dnuura.dev (legal notices); security@dnuura.dev (security vulnerability disclosures). We will acknowledge receipt within 5 business days and provide a substantive response within 30 days (or as required by applicable law). If you are not satisfied with our response, you may lodge a complaint with your local data protection authority.
26. Severability & Entire Agreement
If any provision of this Privacy Policy is held by a court of competent jurisdiction to be invalid, illegal, or unenforceable, such provision shall be modified to the minimum extent necessary to make it valid, legal, and enforceable, or if such modification is not possible, shall be severed from this Policy. The remaining provisions shall continue in full force and effect. This Privacy Policy, together with our Terms of Service, constitutes the entire agreement between you and DNURA.AI regarding the processing of your Personal Data and supersedes all prior agreements, communications, or understandings, whether written or oral, on the same subject matter.
DNURA.AI — AI-powered website-building platform. Operated at https://dnuura.dev.
This Privacy Policy is provided in English. Translations are for convenience only; the English version controls in case of inconsistency.