Effective: June 1, 2026
N⁰ 01 Quick summary
We collect the minimum information needed to build websites for our clients, process payments, run user accounts, and reply to your messages. We do not sell your data. We do not run targeted advertising. We use Stripe for payments, Resend for transactional email, and Google Analytics 4 (with IP anonymization) for aggregate site usage. If you are a California resident, see Section 8 for your additional rights under CCPA/CPRA.
N⁰ 02 Who we are
This Privacy Policy describes how Plaza ("we," "us," "our") collects, uses, and discloses personal information when you visit plazasites.com, create a Plaza account, or engage us as a client. The data controller for purposes of this policy is Plaza, contactable at [email protected].
N⁰ 03 What we collect
Information you give us directly
- Contact and booking forms: name, business name, email address, phone number (optional), business location(s), and any details you provide in questionnaire or comment fields.
- Account registration: name, email address, and a hashed password. We never store your password in plain text.
- Kickoff content: logos, photos, brand assets, copy, and business information you send us to build your site.
- Payment information: handled entirely by Stripe. Plaza does not receive or store your full card number. We receive limited transactional data from Stripe: your name, email, billing zip code, the last 4 digits of your card, and the transaction amount.
- Email correspondence: messages you send to [email protected] or through our contact form.
Information collected automatically
- Server logs: IP address, browser user-agent, referring URL, requested URL, and timestamp. Retained for up to 30 days for debugging and abuse prevention.
- Session cookies: when you log in to your Plaza account, we set a signed session cookie to keep you authenticated. This cookie is essential for the account to function and expires when you log out or after a period of inactivity. See Section 9 for full cookie details.
- Referral tracking: if you use a referral code at checkout or generate one through your account, we store the association between your account, the code, and any bookings or rewards linked to it. See our Terms of Service §7 for the full referral program terms.
- Analytics: Google Analytics 4 with IP anonymization enabled. GA4 tracks page views, session duration, approximate location (city level), device type, and traffic source. We do not enable GA4's advertising features or audience signals.
N⁰ 04 Why we collect it
- To respond to inquiries and schedule consultation calls.
- To create and manage your Plaza account.
- To build, deliver, and maintain the website you hired us for.
- To process payments and manage subscriptions via Stripe.
- To send transactional emails (booking confirmations, payment receipts, project updates, referral reward notifications, support replies) via Resend.
- To operate the customer referral program — tracking codes, uses, and rewards.
- To improve our website using aggregate, anonymized analytics.
- To prevent fraud and abuse (spam filtering on forms, anomaly detection on payments).
- To comply with legal obligations (tax records, responses to lawful requests from authorities).
N⁰ 05 How we share information
We do not sell your personal information. We share limited information with the following service providers ("processors") that help us operate Plaza:
- Stripe — payment processing. Stripe's privacy policy.
- Resend — transactional email delivery. Resend's privacy policy.
- Render / Cloudflare — server hosting and CDN/DNS for plazasites.com. Standard server logs are processed by these providers as a technical necessity.
- Google Analytics — aggregate, anonymized site usage analytics. Google's privacy policy.
We may also disclose information if required by valid legal process (subpoena, court order), to protect our rights or prevent harm, or in connection with a sale or transfer of the business — in which case the acquirer would be bound by this policy or provide you with adequate notice of any changes.
We do not share your information with third parties for their own marketing purposes.
N⁰ 06 How long we keep it
- Server logs: up to 30 days.
- Contact form submissions: up to 24 months, then deleted unless you have become a client.
- Account data (name, email, hashed password, referral codes): for as long as your account is active. If you request account deletion, we will delete your account data within 30 days, subject to the retention exceptions below.
- Client records (project files, communications, payment records): for the duration of our engagement, plus 7 years after the last invoice, for tax and legal compliance.
- Email correspondence: up to 7 years.
- Analytics data: per Google Analytics defaults (currently 14 months at user-level granularity).
You may request early deletion of your personal information at any time — see Section 7. Deletion requests are subject to our legal retention obligations (e.g. we must retain tax records for 7 years).
N⁰ 07 Your privacy rights
Regardless of where you live, you may email [email protected] to:
- Ask what personal information we hold about you.
- Request a correction to inaccurate information.
- Request deletion of your information (subject to legal retention requirements).
- Opt out of marketing emails (every marketing email also contains an unsubscribe link).
- Object to certain processing.
We aim to respond to privacy requests within 30 days. We may need to verify your identity before fulfilling requests, particularly deletion requests.
N⁰ 08 California-specific rights (CCPA/CPRA)
If you are a California resident, you have the following additional rights:
- Right to know what categories of personal information we collect, the sources, the purposes, and the categories of recipients.
- Right to access the specific personal information we have about you.
- Right to delete personal information we hold (subject to legal exceptions).
- Right to correct inaccurate information.
- Right to opt out of sale or sharing. Plaza does not sell personal information as defined under CCPA, and does not share personal information for cross-context behavioral advertising.
- Right to limit use of sensitive personal information. We do not collect sensitive personal information beyond what is necessary to deliver our services.
- Right to non-discrimination — we will not refuse service or charge you more for exercising any of these rights.
To exercise these rights, email [email protected] with the subject line "California Privacy Request" and a description of your request. You may also designate an authorized agent to make a request on your behalf — we will require written proof of authorization.
N⁰ 09 Cookies and tracking
Plaza uses a small number of cookies:
- Essential session cookie: set when you log in to your Plaza account. Required for authentication to function. This cookie is not used for tracking or advertising. It expires on logout or after a period of inactivity.
- Analytics cookies: set by Google Analytics 4 to measure aggregate, anonymized site usage. IP anonymization is enabled. GA4 advertising features are not enabled.
You can disable cookies in your browser settings at any time. The public site will continue to function without cookies. Account features require the session cookie to work. To opt out of GA4 tracking specifically, you can install the Google Analytics Opt-out Browser Add-on.
Do Not Track. Some browsers send a "Do Not Track" (DNT) signal to websites. Because there is no universally accepted standard for how websites should respond to DNT signals, Plaza does not alter its data collection practices in response to DNT signals at this time.
N⁰ 10 How we protect your data
- HTTPS encryption on all pages and API endpoints.
- Passwords hashed using scrypt before storage — we never store plain-text passwords.
- Encrypted database storage at rest, provided by our hosting infrastructure.
- Password-gated admin areas with restricted internal access.
- Regular review of third-party processors' security practices.
No system is 100% secure. If we become aware of a data breach affecting your personal information, we will notify you by email within 72 hours of becoming aware of the incident (where feasible), and will notify regulators as required by applicable law. The notification will describe the nature of the breach, the categories of data affected, and the steps we are taking to address it.
N⁰ 11 Children's privacy
Plaza's services are intended for businesses and adults. We do not knowingly collect personal information from anyone under 13. If you believe we have collected information from a child, please email [email protected] and we will delete it promptly.
N⁰ 12 Changes to this policy
We may update this Privacy Policy to reflect changes in our services, data practices, or the law. The "Effective" date at the top reflects the most recent revision. For material changes affecting your rights, we will notify active clients by email at least 14 days before the new policy takes effect.
Privacy questions or data requests: [email protected] or use our contact form. We aim to respond within 1 business day.