Privacy Policy

Last updated: March 2026

Hex values your privacy and is committed to protecting your personal information. This Privacy Policy outlines how we collect, use, disclose, and safeguard your information when you visit our website or use our services.

1. Information We Collect

We do not collect personal data from visitors to our website, except for:

  • Login Information: Users provide an email address or phone number to access our services. We use one-time passcodes (OTP) for authentication — we do not store passwords.
  • Cookies: We use cookies strictly for authentication and session management to maintain a secure and functional user experience.
  • Device and Technical Data: We may collect limited technical information such as IP addresses, browser type, and operating system solely for security purposes, such as fraud prevention and system diagnostics.
  • Account Activity: We may log basic account activity, such as login times and failed login attempts, to enhance security and detect unauthorized access.
  • Payment Information: When you make a purchase, billing and payment details are collected and processed by Stripe on our behalf. We do not store card details on our servers.
  • Legal and Compliance Records: We may retain minimal records necessary to comply with legal obligations, enforce our policies, or respond to security incidents.

We do not collect any other personal information, including browsing history, behavioral analytics, location tracking, or marketing data. Our website does not integrate third-party tracking tools, analytics platforms, or advertising networks.

2. Use of Cookies and Similar Technologies

Cookies are small text files stored on your device to enhance security and functionality. We use cookies exclusively for the following purposes:

  • User Authentication: To verify login sessions, maintain a secure session, and prevent unauthorized access.
  • Session Management: To ensure a seamless user experience while navigating our website and maintaining login states across pages.
  • Security and Fraud Prevention: To detect and prevent malicious activities, unauthorized logins, and other potential security threats.
  • Website Performance: To optimize website functionality, ensure system stability, and improve user experience.
  • Regulatory Compliance: To adhere to applicable legal and security requirements, ensuring compliance with data protection laws and industry standards.

We do not use cookies for tracking, advertising, analytics, or third-party data collection. Additionally, we do not sell or share cookie data with external entities.

You may disable cookies through your browser settings; however, this may affect website functionality, including login access and session stability.

3. How We Use Your Information

The limited information we collect is used solely for the following purposes:

  • Providing Access to Services: Verifying user identity via OTP authentication and granting access to our platform.
  • Processing Payments: Facilitating purchases securely through our payment processor, Stripe.
  • Delivering Authentication Codes: Sending one-time passcodes to your email address or phone number to verify your identity at login.
  • Enhancing Security: Protecting user accounts, detecting unauthorized access attempts, and preventing fraud or other security threats.
  • Maintaining Website Functionality: Ensuring smooth operation, optimizing system performance, and troubleshooting technical issues.
  • Legal and Compliance Requirements: Complying with applicable laws, regulations, and legal obligations related to security, fraud prevention, and data protection.

We do not sell, share, or use this information for marketing, advertising, profiling, or any purpose beyond those listed above.

4. Data Security

We implement appropriate technical and organizational measures to safeguard the limited data we collect. These measures include:

  • Encryption: Protecting stored and transmitted data using industry-standard encryption protocols.
  • Passwordless Authentication: We use one-time passcodes (OTP) instead of passwords, reducing the risk associated with credential theft or reuse.
  • Access Controls: Restricting access to user data and technical systems to authorized personnel only.
  • Regular Security Assessments: Conducting routine security audits, vulnerability testing, and system updates to mitigate potential threats.
  • Fraud Prevention: Monitoring login activity to detect and prevent unauthorized access or suspicious behavior.

Despite these safeguards, no system is entirely secure. We encourage users to take necessary precautions, including:

  • Keeping their email address and phone number secure.
  • Logging out of sessions on shared or public devices.
  • Contacting us immediately if they suspect unauthorized access.

5. Third-Party Services

We do not integrate third-party tracking services, analytics platforms, advertising networks, or external data collection tools. We do not sell user information to third parties.

We do use the following third-party services to operate our platform:

  • Stripe (Payment Processing): We use Stripe to process payments. When you make a purchase, your name, billing address, and payment details are shared with Stripe solely for the purpose of processing your transaction and fraud prevention. We do not store card details on our servers. Stripe's handling of your data is governed by their privacy policy, available at stripe.com/privacy.
  • ZeptoMail (Email Delivery): We use ZeptoMail to deliver email-based authentication codes to our users, and to forward contact form submissions from hosted websites to our customers. Your email address is shared with ZeptoMail for authentication purposes. Contact form data (such as name, email, and message content) passes through ZeptoMail solely to deliver it to the intended recipient — we do not store this data on our servers. Their privacy policy is available at zoho.com/privacy.
  • Twilio (SMS Delivery): We use Twilio to deliver SMS-based authentication codes. Your phone number is shared with Twilio solely for this purpose. Their privacy policy is available at twilio.com/legal/privacy.

Our website may also contain links to third-party websites for informational purposes. These external websites are not governed by this Privacy Policy, and we do not control or take responsibility for how they collect, use, or protect your data. We recommend reviewing their privacy policies before providing any personal information. We are not liable for the content or data practices of external websites.

6. Lawful Basis for Processing

Under UK GDPR, we are required to have a lawful basis for processing your personal data. We rely on the following:

  • Contract: Processing your email address or phone number to deliver authentication codes, provide access to our services, and handle payments via Stripe is necessary to fulfil the contract between you and Hex.
  • Legitimate Interests: Collecting limited technical data such as IP addresses and login activity is necessary for fraud prevention, security monitoring, and keeping our platform safe for all users.
  • Legal Obligation: We may retain certain records where required to comply with applicable laws or respond to lawful requests from authorities.

7. Data Retention

We only retain your personal data for as long as necessary. In practice, this means:

  • Account Data: Your email address, phone number, and associated account information are retained for as long as your account is active.
  • Account Deletion: When you delete your account, your personal data is deleted immediately and permanently. We do not retain it after deletion.
  • Technical and Security Logs: IP addresses and login activity logs are retained for up to 90 days for security and rate limiting purposes, after which they are deleted.
  • Legal Records: Where we are required by law to retain certain records, we will do so only for the minimum period required.

8. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of Access: You can request a copy of the personal data we hold about you at any time.
  • Right to Rectification: You can ask us to correct any inaccurate or incomplete data we hold about you.
  • Right to Erasure: You can request that we delete your personal data. You can also do this directly by deleting your account, which removes your data immediately.
  • Right to Object: You have the right to object to the processing of your personal data in certain circumstances.
  • Right to Data Portability: You can request a copy of your data in a structured, commonly used format.
  • Right to Complain: If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, please contact us using the details below. We will respond to all requests within one month, in line with UK GDPR requirements.

9. Hosted Websites

Hex is a website creation and hosting platform. When we host websites on behalf of our customers, we may process limited technical data — such as the IP addresses of visitors to those websites — for the purposes of DDoS protection and rate limiting.

In this context, Hex acts as a data processor on behalf of our customers, who are the data controllers for their own visitors' data. This means:

  • The privacy policies of our customers' websites govern how their visitors' data is handled — not this Privacy Policy.
  • We do not use visitor IP addresses for any purpose beyond security, DDoS mitigation, and rate limiting.
  • Visitor IP addresses collected in this context are retained for up to 90 days, after which they are deleted.
  • Where hosted websites include contact forms, any data submitted (such as name, email address, or message content) passes through our servers solely to be forwarded to our customer via ZeptoMail. We do not store contact form submissions.
  • We do not share, sell, or use visitor data from hosted websites for any commercial purpose.

All websites built and hosted by Hex include a standard privacy policy and terms of service covering the data flows described above. For websites migrated to Hex from another provider, we offer to add compliant policies as part of the migration process. Where a customer declines this, responsibility for ensuring their site has a compliant privacy policy rests entirely with them.

If you are a visitor to a website hosted on Hex and have questions about how your data is handled, please refer to that website's own privacy policy or contact its owner directly.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our business practices, legal requirements, or technological advancements.

  • Notification of Changes: We will notify users of any significant changes to this Privacy Policy, for example by displaying a notice on our website or sending an email to registered users.
  • Stay Informed: We encourage you to review this page periodically. The date at the top of this page will always reflect when it was last updated.

If you have any questions or concerns about updates to this Privacy Policy, please contact us.

Contact Information

Hex is the data controller responsible for your personal data. If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us at:

Email: hello@hex.host