Privacy Policy

Last Updated: December 17, 2024

1. Legal Framework and Scope

1.1 Regulatory Compliance

This Privacy Policy is designed to comply with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Personal Information Protection and Electronic Documents Act (PIPEDA), and other applicable international data protection laws. The comprehensive legal framework ensures that our data processing practices meet the highest standards of user privacy and data protection across multiple jurisdictions.

1.2 Policy Applicability

This policy comprehensively governs all data processing activities for Modul.so's personal website builder service. Its provisions are equally applicable to website visitors, registered users, potential customers, and all individuals engaging with our service through various interaction channels. The policy establishes a uniform approach to data handling and protection for all user categories.

2. Data Collection Principles

2.1 Lawful Basis for Processing

We maintain a strict and transparent approach to personal data processing. Our data collection is exclusively permitted under specific legal frameworks: when users provide explicit consent, when processing is necessary for contract performance, to ensure compliance with legal obligations, to protect vital interests, or to pursue legitimate business interests. Each data processing activity is carefully evaluated against these stringent criteria.

2.2 Collected Personal Information

Our data collection philosophy prioritizes minimal and necessary information gathering. We collect identification data including full name, email address, and contact information. Account-related data encompasses profile URL and country of residence. Transactional data, primarily payment information processed through Creem.io, includes essential billing details.

3. Data Collection Mechanisms

3.1 Direct Collection Methods

Direct data collection occurs through user registration forms, account creation processes, payment processing systems, and direct communications. Each collection point is designed to be transparent and user-centric, ensuring clear consent and understanding.

3.2 Automated Collection Technologies

We use Google Analytics for comprehensive visitor statistics collection and analysis. Google uses this information to evaluate website usage, compile detailed reports on website activity for our team, and provide additional services related to website activity and internet usage. This allows us to understand user interactions and continuously improve our platform.

We partner with Microsoft Clarity and Microsoft Advertising to capture nuanced insights into how users interact with our website. Through behavioral metrics, heatmaps, and session replay technologies, we gain valuable understanding of user experiences. Website usage data is captured using first and third-party cookies and advanced tracking technologies to determine product popularity and online activity patterns. Our usage of these analytics technologies serves multiple purposes: site optimization, security and fraud prevention, and strategic advertising. Users can find detailed information about data collection and usage in the Microsoft Privacy Statement.

Additionally, we utilize:
PostHog for product analytics and anonymized session recordings
Chatwoot for customer support tracking and communication management

4. Purpose of Data Processing

4.1 Primary Purposes

Our data processing activities are fundamentally oriented towards service delivery, account management, payment processing, customer support, and continuous product improvement. Each data point serves a specific, user-centric objective designed to enhance overall user experience.

4.2 Secondary Purposes

Secondary data processing objectives include personalization of user experiences, performance optimization of our platforms, and marketing communications—always conducted with explicit user consent and providing clear opt-out mechanisms.

5. Data Sharing and Disclosure

5.1 Third-Party Service Providers

We may share collected data with carefully selected third-party service providers who are essential to our operational infrastructure. These providers include payment processors like Creem.io, analytics platforms, and customer support systems. Each third-party provider is rigorously vetted to ensure they maintain equivalent data protection standards and operate under strict confidentiality agreements. Our data sharing practices are governed by the principle of minimal disclosure, ensuring that only information absolutely necessary for specific service delivery is transmitted. We maintain comprehensive audit trails of all data sharing activities and regularly review these partnerships to protect user privacy.

5.2 Legal Disclosure

In certain circumstances, we may be required to disclose personal information in response to legitimate legal requests. These circumstances are strictly limited and include situations where disclosure is necessary to comply with valid legal processes, protect our legal rights, prevent fraudulent activities, or respond to compelling governmental requests. When such disclosures become unavoidable, we are committed to transparency and will make every reasonable effort to notify affected users, unless prohibited by law or where notification would compromise an ongoing legal investigation.

6. User Rights and Controls

6.1 Data Subject Rights

We recognize and fully support the fundamental rights of individuals concerning their personal data. Users are empowered with comprehensive controls over their personal information, including:
The right to access personal data maintained by our systems, enabling users to review and verify the information we collect. Users can request comprehensive reports detailing their stored personal information.
The ability to request correction of any inaccurate or incomplete personal data, ensuring the integrity and accuracy of their information.
A straightforward mechanism to request complete data deletion, allowing users to remove their personal information from our systems under specified conditions.
The option to restrict specific data processing activities, giving users granular control over how their information is utilized.
A clear process to object to certain types of data processing, particularly in scenarios involving direct marketing or processing based on legitimate interests.
The right to data portability, enabling users to receive their personal data in a structured, commonly used, and machine-readable format.
A simple mechanism to withdraw consent for data processing at any time, with immediate effect on future data handling practices.

6.2 Consent Management

Our consent management approach is designed to be transparent, granular, and user-centric. We provide unbundled consent mechanisms that allow users to make informed, specific choices about their data. Consent is never assumed but explicitly obtained through clear, affirmative actions. Users can easily opt out of specific data processing activities or marketing communications through intuitive interface controls. The consent withdrawal process is straightforward and immediate, ensuring users can modify their privacy preferences with minimal friction.

7. Data Retention and Deletion

7.1 Retention Periods

We maintain precise data retention policies aligned with legal requirements and operational necessities:
Account data is retained actively until complete account deletion, ensuring users maintain continuous access to their information.
Transactional records are preserved for seven years to meet financial compliance and auditing requirements.
Usage logs are maintained for twelve months, providing sufficient historical context for service improvement while respecting user privacy.
Marketing-related data is retained only until explicit consent is withdrawn, giving users immediate control over their marketing information.

7.2 Deletion Procedures

Our data deletion processes are comprehensive and irreversible:
Users can initiate manual deletion requests through their account settings or by contacting our data protection officer.
Automated deletion mechanisms ensure complete and permanent removal of personal data upon user request or account termination.
We provide clear confirmation of deletion, including documentation of the complete data removal process.

8. Security Measures

8.1 Technical Protections

Our technical security infrastructure is designed to provide comprehensive protection for user data through multiple sophisticated layers of defense. We implement end-to-end encryption protocols that secure data transmission across all system interactions. Secure data transmission is exclusively conducted through TLS (Transport Layer Security) protocols, ensuring that all data exchanges are protected from unauthorized interception. Regular security audits are conducted by independent cybersecurity experts to identify and address potential vulnerabilities. These comprehensive assessments evaluate our entire digital ecosystem, including server infrastructure, application security, and data handling processes. Access control mechanisms are rigorously implemented, utilizing multi-factor authentication, role-based access restrictions, and continuous monitoring systems. Each system access point is protected through advanced authentication technologies that prevent unauthorized entry.

8.2 Organizational Safeguards

Beyond technical measures, we maintain robust organizational protections to ensure data security. A dedicated data protection officer oversees all privacy and security initiatives, providing strategic guidance and ensuring compliance with evolving regulatory requirements. Mandatory staff training programs are conducted quarterly, ensuring that every team member understands the critical importance of data protection. These training sessions cover the latest privacy regulations, emerging cybersecurity threats, and best practices in data handling. Vendor risk assessment processes are comprehensive, involving detailed security evaluations of all third-party service providers. Each potential vendor undergoes stringent scrutiny to ensure they meet our exacting privacy and security standards. A formally documented incident response plan enables rapid and effective action in the unlikely event of a potential data security incident. This plan includes clear escalation protocols, communication strategies, and remediation procedures.

9. International Data Transfers

9.1 Transfer Mechanisms

Given the global nature of digital services, we have implemented robust mechanisms to ensure secure and compliant international data transfers. Standard Contractual Clauses are utilized to provide adequate protection guarantees during any cross-border data exchanges. Our approach ensures full compliance with international data protection standards, including GDPR requirements for international data movement. We continuously monitor and update our transfer mechanisms to reflect the most current regulatory guidance.

10. Children's Privacy

We are unequivocally committed to protecting the privacy of minors. No data collection is permitted from individuals under 18 years of age. In the unexpected event that we discover any personal information has been collected from an underage individual, we will implement immediate and permanent deletion procedures. Parents and guardians are encouraged to monitor their children's online interactions and report any concerns directly to our data protection contact.

11. Data Breach Protocol

11.1 Notification Procedures

In the unlikely event of a data breach, we are committed to immediate, transparent, and comprehensive communication:
Affected users will be notified promptly through multiple communication channels, providing clear and detailed information about the nature and potential impact of the breach.
Relevant regulatory bodies will be notified in strict accordance with legal requirements, ensuring full transparency and compliance.
Our communication will include specific details about the breach, potential consequences, and the precise steps we are taking to mitigate any potential risks.
A comprehensive remediation plan will be immediately implemented, focusing on preventing future occurrences and protecting user interests.

12. Changes to Privacy Policy

We are committed to maintaining a dynamic and responsive privacy policy. Quarterly reviews are conducted to ensure our policy reflects current technological landscapes and regulatory environments. Users will receive notification 30 days prior to any significant policy changes. Continued use of our services following policy updates implies acceptance of the new terms.

13. Consent and Opt-Out

13.1 Advertising Pixels (Future Use)

For any future implementation of advertising technologies, we will require explicit opt-in consent. Clear and straightforward deactivation instructions will be provided, ensuring users maintain complete control over their tracking preferences. No default tracking will be enabled without explicit user consent.

14. Contact and Inquiries

Data Protection Contact:
Email: privacy@modul.so
Postal Address: 440 W Huntington Dr, Arcadia, CA 91007

15. Governing Law and Jurisdiction

Disputes related to this privacy policy shall be resolved under USA Delaware laws, with exclusive jurisdiction assigned to USA Delaware courts.
