Back to Home

ThemeSmith Ltd

Privacy Policy

Last updated: November 2025

1. Introduction

ThemeSmith Ltd ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered website generation platform (the "Service").

We are registered in England and Wales and operate in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

2. Data Controller

ThemeSmith Ltd is the data controller responsible for your personal data. If you have questions about this Privacy Policy or our data practices, please contact us at: privacy@themesmith.ai

3. Information We Collect

3.1 Information You Provide

We collect information you voluntarily provide when using our Service:

  • Account Information: Name, email address, and profile information collected through our authentication provider (Clerk)
  • Business Information: Business descriptions, industry details, branding preferences, and content you provide for website generation
  • Payment Information: Billing details processed through Stripe (we do not store complete card numbers)
  • Generated Content: Website content, blog posts, and design preferences you create or approve
  • Communications: Messages and correspondence when you contact our support team

3.2 Information Collected Automatically

When you access our Service, we automatically collect:

  • Usage Data: Pages visited, features used, time spent, and interaction patterns
  • Device Information: Browser type, operating system, device type, and screen resolution
  • Log Data: IP address, access times, and referring URLs
  • Performance Data: Error logs and application performance metrics

4. How We Use Your Information

We use your information for the following purposes:

  • Service Delivery: To generate websites, process AI requests, and provide the core functionality of our platform
  • AI Processing: To send your business descriptions and content to AI services (OpenAI, Anthropic, Google) for website generation
  • Account Management: To create and manage your account, authenticate access, and maintain your subscription
  • Payment Processing: To process subscription payments and manage billing through Stripe
  • Service Improvement: To analyse usage patterns, identify issues, and improve our platform
  • Communication: To send service updates, respond to enquiries, and provide customer support
  • Legal Compliance: To comply with legal obligations and protect our rights

5. Legal Basis for Processing

Under UK GDPR, we process your personal data on the following legal bases:

  • Contract Performance: Processing necessary to provide you with our Service (Article 6(1)(b))
  • Legitimate Interests: Processing for service improvement, security, and analytics where our interests do not override your rights (Article 6(1)(f))
  • Consent: Where you have provided specific consent, such as for marketing communications (Article 6(1)(a))
  • Legal Obligation: Processing required to comply with applicable laws (Article 6(1)(c))

6. Third-Party Services and Data Sharing

We share your data with the following categories of third-party service providers:

6.1 AI Services

Your business descriptions and content are processed by:

  • OpenAI (USA) - For content generation using GPT models
  • Anthropic (USA) - For website generation using Claude models
  • Google (USA) - For alternative AI processing using Gemini models

These providers process your data to generate website content. Please review their respective privacy policies for information about their data practices.

6.2 Authentication

  • Clerk (USA) - Manages user authentication, storing email addresses, names, and profile data

6.3 Payment Processing

  • Stripe (USA) - Processes payments and manages subscription billing. Stripe is PCI-DSS compliant.

6.4 Analytics and Error Tracking

  • Umami (EU-hosted) - Privacy-focused website analytics
  • Microsoft Clarity (USA) - Session recordings and heatmaps for user experience improvement
  • Sentry (USA) - Error tracking and application monitoring

6.5 Cloud Infrastructure

  • Amazon Web Services (EU - Ireland region) - Hosting, storage, database, caching, email delivery, and content delivery
  • Unsplash (Canada) - Stock image searches based on your content queries

7. International Data Transfers

Our primary infrastructure is located in the EU (AWS eu-west-1, Ireland). However, some of our third-party service providers are based in the United States. Where we transfer personal data outside the UK/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), adequacy decisions, or other approved transfer mechanisms under UK GDPR.

8. Data Retention

We retain your personal data as follows:

  • Account Data: Retained while your account is active and for a reasonable period thereafter
  • Generated Websites: Stored indefinitely while you maintain an active subscription
  • Backups: Daily backups retained for 30 days
  • Analytics Data: Aggregated usage data retained for service improvement
  • Upon Cancellation: Your data will be deleted following a grace period of 30 days, after which deletion is permanent

9. Your Rights

Under UK GDPR, you have the following rights:

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restriction: Request limitation of processing
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Rights Related to Automated Decision-Making: Not to be subject to decisions based solely on automated processing

To exercise any of these rights, please contact us at privacy@themesmith.ai. We will respond within one month as required by law.

10. AI Autonomy Features

Our Service includes AI autonomy features that can make changes to your website automatically. You control the level of AI autonomy through four settings: Suggestions Only, Semi-Autonomous, Highly Autonomous, and Full Autopilot. All AI-initiated changes can be reviewed and rolled back at any time. We recommend reviewing AI changes regularly, particularly when using higher autonomy levels.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit and at rest, secure authentication, regular security audits, and access controls. While we strive to protect your personal information, no method of transmission over the Internet is 100% secure.

12. Children's Privacy

Our Service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will take steps to delete such information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. We encourage you to review this Privacy Policy periodically.

14. Complaints

If you have concerns about our data practices, please contact us first. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues: ico.org.uk

15. Contact Us

For any questions about this Privacy Policy or our data practices, please contact us:

ThemeSmith Ltd
Email: privacy@themesmith.ai

Related Legal Documents

Terms of ServiceCookie Policy