Privacy Policy

This Privacy Policy explains what personal data Lettle ("Lettle", "we", "us", "our") collects when you access or use our visual website builder, dashboard, deploy pipeline, marketing site, and related services (collectively, the "Service") at lettle.io, the legal bases on which we process it, who we share it with, how long we keep it, and the rights you have over it. By creating an account or otherwise using the Service you confirm that you have read and understood this Policy.

This Policy is written in plain English wherever the underlying obligation allows it. Where a defined legal term is unavoidable we use it deliberately.

1. Who is the data controller

The data controller for the personal data described in this Policy is Lettle (the operator of lettle.io). For any privacy-related request you can reach us at [email protected] or by post at the address published on our contact page.

Where you use Lettle to operate your own website, you are the controller of any personal data your site collects from its visitors. Lettle compiles and deploys the site to your own Cloudflare account; we do not receive, store, or process your visitors' traffic.

2. Personal data we collect

2.1 Account data

When you sign up via GitHub, Google, or a Passkey we receive your name, email address, an avatar URL, the unique identifier issued by the provider, and an OAuth access (and where applicable, refresh) token scoped to that provider. We do not store, see, or have any way of reading your provider password.

2.2 Workspace and content data

Anything you create inside Lettle — workspace name and slug, websites, pages, shared sections, uploaded images and files, custom HTML/CSS/JS — is stored in our database and object storage so that the editor can render it back to you and the deploy pipeline can compile it.

2.3 Cloudflare credentials

To deploy to your own Cloudflare account we store the API token and account identifier you provide. Tokens are encrypted at rest. We use them only to upload assets, create and update the Worker that serves your site, attach domains, and read deployment status. You can revoke the token at any time from your Cloudflare dashboard, which immediately and irrevocably terminates our ability to act on your account.

2.4 Billing data

Payments are processed by Lemon Squeezy, who acts as our merchant of record. We receive and store the subscription identifier, plan, billing email, country, last invoice date, and renewal date. We do not receive or store full card numbers, CVV codes, or bank account details.

2.5 Communications

If you email support, reply to a transactional email, or fill out a form on our marketing site, we keep the message and any attachments so we can respond and so we have a record of the exchange.

2.6 Technical and log data

For each request to the Service we record the IP address, user agent, requested URL, response code, timing, and a session identifier. We log application errors with stack traces and limited request context. These records are used for security, abuse prevention, debugging, and capacity planning, and are rotated on a rolling basis.

2.7 Cookies and similar technologies

We use a small number of strictly necessary cookies for authentication, CSRF protection, and session persistence. We do not run advertising or cross-site tracking cookies on the dashboard or editor. Where any non-essential cookie is set on the marketing site, we ask for your consent through the cookie banner and remember your choice. You can withdraw consent at any time by clearing the relevant cookies from your browser.

3. What we do not collect

• We do not sell, rent, or trade your personal data, ever.
• We do not share your data with advertisers, data brokers, or marketing platforms.
• We do not run analytics or tracking pixels on the websites you publish through Lettle. Those sites run on your Cloudflare account; we have no visibility into their traffic.
• We do not perform automated decision-making or profiling that produces legal or similarly significant effects on you.

4. Why we process your data and the legal basis

Where the EU/UK GDPR applies, we rely on the following legal bases under Article 6:

• Performance of a contract — to operate the editor, deploy pipeline, dashboard, and billing for the account you signed up to.
• Legitimate interests — to keep the Service secure, prevent abuse and fraud, debug and improve the platform, and send essential service notifications. We balance these interests against your rights and freedoms in each case.
• Legal obligation — to retain billing and tax records, respond to lawful requests from authorities, and meet our regulatory duties.
• Consent — for any non-essential cookies, marketing emails (if you opt in), and any other processing where we explicitly ask for your permission. You may withdraw consent at any time without affecting prior lawful processing.

5. Sub-processors

We use a limited number of third-party providers to deliver the Service. Each is bound by contract to process personal data only on our instructions and to protect it to a standard at least equivalent to ours.

• Cloudflare, Inc. (United States & global edge) — application hosting, R2 object storage for platform assets, DNS, and edge security.
• Lemon Squeezy — billing, subscriptions, tax handling, and merchant of record.
• Email delivery provider — transactional email (account, deploy, billing, support).
• Error monitoring and observability provider — capturing application errors and operational metrics.
• OAuth identity providers (GitHub, Google) and Passkey/WebAuthn relying-party services — authentication only, on the flow you initiate.

An up-to-date list of named sub-processors is available on request at [email protected]. We will give reasonable advance notice before adding or replacing a sub-processor that materially affects your data.

6. International transfers

Some of our sub-processors are located outside the European Economic Area and the United Kingdom. Where personal data is transferred outside those regions, we rely on appropriate safeguards under Article 46 GDPR, including the European Commission's Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum, together with supplementary technical measures (encryption in transit and at rest, access control, and pseudonymisation where practical).

7. Data retention

We keep personal data only for as long as we need it for the purposes described above:

• Active account data — for as long as your account is active.
• Soft-deleted records — workspaces, websites, pages, and deployments that you delete are flagged immediately and permanently erased within 30 days, except where retained under a legal obligation.
• Billing and tax records — kept for the period required by applicable tax law (typically up to 10 years).
• Security and abuse logs — kept up to 90 days, longer where an active investigation requires it.
• Backups — encrypted backups are rotated on a rolling basis and overwritten within 35 days.

Sites you have already published live on your Cloudflare account. Closing your Lettle account does not take them down — that is the design.

8. How we protect your data

We apply technical and organisational measures appropriate to the risk, including: TLS for all network traffic, encryption at rest for credentials and backups, role-based access control, audit logging, mandatory two-factor authentication for staff with production access, least-privilege production credentials, and regular security review of application dependencies. No system is perfectly secure; if we become aware of a personal data breach affecting you, we will notify you and, where required, the competent supervisory authority within the time frames mandated by law.

9. Your rights

Subject to applicable law, you have the right to:

• Access the personal data we hold about you and receive a copy of it.
• Rectify inaccurate or incomplete data.
• Erase data we no longer have a lawful basis to keep ("right to be forgotten").
• Restrict or object to certain processing, including processing based on legitimate interests.
• Portability — receive your data in a structured, machine-readable format, or have it transmitted directly to another controller where technically feasible. You can also export your sites as static HTML, CSS, and JS at any time from the dashboard.
• Withdraw consent at any time where processing is based on consent.
• Lodge a complaint with a data protection supervisory authority in the EU/EEA or UK, or with the equivalent authority in your jurisdiction.

To exercise any of these rights, email us at [email protected]. We will respond within one month, and we may ask you to verify your identity before we act.

10. Children

The Service is not directed at, and not intended for, children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Marketing communications

We send transactional email about your account, deployments, security, and billing — these are part of the Service and you cannot opt out of them while your account is active. Any non-essential marketing email is sent only with your prior consent and includes a one-click unsubscribe link.

12. Changes to this Policy

We may update this Policy from time to time to reflect changes in the Service, in our practices, or in the law. The "Last updated" date at the top of this page reflects the most recent revision. Where the change is material we will give all account holders at least 14 days notice by email before it takes effect. Continued use of the Service after the effective date is acceptance of the updated Policy.

13. Contact

For any privacy-related question, request, or complaint, email [email protected]. For general support, write to [email protected].