Legal

Privacy Policy

Last updated · April 29, 2026

1. Introduction

This Privacy Policy explains how Wemob Ltd ("Wemob", "we", "our", or "us") collects, uses, discloses, and safeguards personal data when you use our website at wemob.io and our platform for designing, building, hosting, and publishing websites, e-commerce stores, web applications, and mobile applications through AI-assisted conversation (the "Service").

Wemob is operated by Wemob Ltd, a company registered in England and Wales. We comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR) where applicable.

For personal data you submit when using the Service to manage your own account and projects, Wemob acts as a data controller. For personal data that flows through applications you build and deploy with Wemob (for example, sign-ups, orders, or analytics from your end users), Wemob acts as a data processor on your behalf — see Section 5.

Data Controller

Wemob Ltd (Company No. 16711582)

Registered office: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ

Email: privacy@wemob.io

2. Information We Collect

2.1 Information You Provide

  • Account information: name, email address, hashed password, profile photo, company name, and (where you create or join one) organization or team membership.
  • Authentication data: if you sign in via Google, GitHub, or another supported identity provider, we receive the basic profile information that provider returns (typically name, email, and a stable user ID).
  • Billing information: billing address, country, VAT number (if applicable), and payment-method tokens. Card details are entered into our payment processor's hosted fields and are never stored on Wemob servers.
  • Project content: prompts, conversations, project names and descriptions, generated and edited source code, design assets (icons, logos, splash screens, screenshots), data model definitions, environment variables, configuration settings, and any files or URLs you provide as references.
  • Third-party credentials and API keys: when you connect integrations (for example Supabase, Neon, Stripe, Resend, fal.ai, OpenRouter, Firebase, Cloudinary, Iyzico, Upstash, Google Sheets), or when you opt into our managed publishing service for Apple App Store or Google Play, we store the credentials you provide. They are encrypted at rest and used only to operate the Service for you.
  • Custom domain configuration: domain names you connect to your projects and DNS records required to serve them.
  • Support and communications: the contents of messages you send to support, including any attachments, plus metadata such as date, channel, and subject line.

2.2 Information Collected Automatically

  • Device and connection data: IP address, browser type and version, operating system, device type, screen size, referrer URL, and language preference.
  • Usage data: pages and features used, actions taken in the editor, build and deploy events, project status changes, and timestamps.
  • AI usage metering: credit and token consumption per project and per request, used for billing, fair-use limits, and abuse detection.
  • Server and security logs: request logs, error traces, rate-limit events, authentication events, and webhook delivery records, retained for security, debugging, and regulatory compliance.
  • Cookies and similar technologies: see Section 9.

2.3 Information from Third Parties

  • Identity providers: as described in Section 2.1.
  • Payment processors: our payment processor sends us non-sensitive metadata about transactions (last four digits of the card, card brand, country, transaction status), customer and subscription IDs, and billing events.
  • Reference content: when you supply a website URL or other public reference for the AI to study, we may fetch and analyze its content. We do not bypass paywalls, robots.txt, or access controls; you are responsible for ensuring you have the right to use the references you provide.

2.4 Special Category Data

We do not ask for and do not need special category data (for example data about health, ethnicity, religion, sexuality, or biometrics). Please do not paste it into prompts, project files, or support messages. If you do, we will treat it as ordinary personal data and apply the protections in this Policy, but the Service is not designed to handle special categories and we recommend redacting sensitive content before sharing it.

3. How We Use Your Information

We process your personal data only where we have a lawful basis under UK GDPR / EU GDPR. The table below summarises what we do and why.

3.1 To Provide the Service (Contractual Necessity)

  • Create and manage your account, organizations, and teams.
  • Generate code, layouts, copy, and assets in response to your prompts; preview and edit projects; run sandboxes; build and deploy your web and mobile applications.
  • Provision hosting, custom domains, SSL/TLS certificates, and static asset delivery for projects you publish through us.
  • Process payments, manage subscriptions, and issue invoices.
  • Provide customer support and respond to your enquiries.

3.2 To Operate, Secure, and Improve the Service (Legitimate Interests)

  • Monitor performance, debug errors, and prevent abuse, fraud, and unauthorized access.
  • Analyse aggregated usage to improve features, prompts, and model selection.
  • Conduct internal research and run A/B tests on product behaviour (we do not use the contents of your prompts or generated code for these tests beyond aggregated metrics).
  • Send transactional and Service-related communications (account notices, security alerts, build and deploy notifications, billing emails, and policy updates). You cannot opt out of these while you have an active account.

3.3 To Comply with Legal Obligations

  • Maintain books, invoices, and tax records for the periods required by UK and EU law.
  • Respond to lawful requests from courts and public authorities.
  • Comply with anti-money-laundering, sanctions, and export controls.

3.4 With Your Consent

  • Send marketing emails about new features, case studies, and offers (you can opt out at any time).
  • Set non-essential cookies, including product analytics cookies (see Section 9).

4. Artificial Intelligence and Generated Output

4.1 How AI Is Used

The Service uses large language models and image generation models to turn your conversation, references, and configuration into working software, design assets, and copy. Specifically, we use AI to:

  • Plan project structure and generate source code.
  • Produce icons, splash screens, and other imagery.
  • Summarise long conversations and reference materials.
  • Suggest fixes, optimisations, and accessibility improvements.
  • Power in-product help and search.

4.2 No Training on Your Content

We do not train Wemob-owned models on your prompts, conversations, generated code, project content, or files. Where we use third-party AI providers (see Section 6), we send requests under their commercial API terms with zero-retention or no-training options enabled where the provider supports them. We will not enable any provider option that would allow training on customer content without explicitly notifying you and obtaining consent where required.

4.3 Output Disclaimer

AI-generated output may be incomplete, incorrect, biased, or infringe third-party rights. You are responsible for reviewing, testing, and validating any output before relying on it, publishing it, or shipping it to your users. The Service is a productivity tool, not a guarantee of legal, accessibility, or regulatory compliance for the products you build with it.

4.4 No Solely Automated Decisions

We do not use AI to make decisions that produce legal effects concerning you or similarly significantly affect you (for example, decisions about access to the Service, billing disputes, or account closure) without meaningful human review.

5. End-User Data in Applications You Build

Applications and websites that you build, host, or deploy through Wemob may collect, store, and process personal data of your end users (your customers, visitors, employees, or community members). Examples include account sign-ups, orders, form submissions, uploaded files, and analytics events captured by the Wemob web-analytics module embedded in your deployed apps.

For that data, you are the data controller and Wemob is your data processor. This means:

  • You are responsible for having a lawful basis to collect and process that data, for providing your end users with notice and (where required) obtaining their consent, and for honouring their data-subject rights.
  • We process that data only on your documented instructions — principally the operation of the Service, including hosting, backups, security, support, and the integrations and analytics features you have enabled.
  • We have entered into onward processing terms with our sub-processors (Section 6) that include appropriate confidentiality, security, and international transfer safeguards.
  • A Data Processing Agreement (DPA) with Standard Contractual Clauses and the UK Addendum is available at privacy@wemob.io. By using the Service to process end-user personal data, you accept our standard DPA, which forms part of these terms by reference.

6. How We Share Your Information — Sub-Processors

We do not sell your personal data and we do not share it for cross-context behavioural advertising. We share it only with the following categories of recipient, under written agreements that require confidentiality and appropriate security.

6.1 Sub-Processors

We rely on the following sub-processors to operate the Service. We update this list when we add or remove a sub-processor.

  • Fly.io (Fly.io, Inc., USA): hosting and execution of the Wemob platform and of the apps you deploy through us; container build and image registry.
  • Amazon Web Services (AWS, Inc., EU/UK regions): object storage for assets, project files, and uploads.
  • Cloudflare, Inc. (USA): DNS, edge networking, and DDoS protection for custom domains on wemob.app and connected user domains.
  • Stripe Payments Europe, Ltd. (Ireland) and Stripe, Inc. (USA): payment processing, subscription management, and tax calculation. Card data is collected by Stripe directly.
  • PostHog, Inc. (USA / EU): product analytics, feature flags, and session replay for the Wemob product itself.
  • Resend (Resend Holdings, Inc., USA): transactional and notification email delivery.
  • Twenty (Twenty PAS, France): customer relationship management for sales and lifecycle communications.
  • Anthropic, PBC (USA): large language model inference (Claude family).
  • OpenRouter (USA): aggregated access to multiple large language model providers used as fallbacks.
  • Google LLC (USA / EU): Gemini models for specific generation tasks; OAuth sign-in.
  • Moonshot AI (Singapore): Kimi family large language models used for specific tasks.
  • Z.AI (Singapore): GLM family large language models used for specific tasks.
  • fal.ai (Features & Labels, Inc., USA): image generation models for icons and imagery.
  • E2B (FoundryLabs, Inc., USA): ephemeral code sandboxes for safe execution of generated code.
  • Codemagic Ltd. (Estonia): mobile app build pipelines for iOS and Android.
  • Apple Inc. (USA) and Google LLC (USA): App Store Connect and Google Play Console, used only when you choose our managed publishing service or supply your developer credentials.
  • Infisical, Inc. (USA): secrets management for our infrastructure.
  • BetterStack (Better Stack, s.r.o., Czech Republic): log aggregation, uptime monitoring, and incident management.
  • Slack Technologies, LLC (USA): internal operational notifications.
  • GitHub, Inc. (USA): optional one-way export of your generated source code to a repository you own.

We will give at least 30 days' notice on this page before adding a new sub-processor that materially changes how your data is handled. You can subscribe to changes by emailing privacy@wemob.io.

6.2 Business Transfers

If Wemob is involved in a merger, acquisition, financing, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you and any successor entity will be bound by terms no less protective than this Policy.

6.3 Legal Requests and Safety

We may disclose information where we believe in good faith that disclosure is necessary to comply with applicable law, a valid legal request, or court order; to enforce our Terms; to detect or prevent fraud, security incidents, or abuse; or to protect the rights, property, or safety of Wemob, our users, or the public.

6.4 With Your Direction

We may share information with third parties when you direct us to — for example, when you push generated code to a GitHub repository you own, connect a payment integration, submit an app to an app store, or invite collaborators to your organization.

7. International Data Transfers

Wemob is established in the United Kingdom. Personal data may be transferred to and processed in countries outside the UK and the European Economic Area (EEA), including the United States, wherever our team or our sub-processors are located.

We rely on the following safeguards for international transfers:

  • Adequacy decisions issued by the European Commission and the UK Government, where applicable.
  • Standard Contractual Clauses (EU SCCs, 2021) with the UK International Data Transfer Addendum for transfers from the EEA and UK to third countries that lack an adequacy decision.
  • EU–US Data Privacy Framework certification where the receiving organisation is certified.
  • Supplementary technical and organisational measures, including encryption in transit and at rest, and least-privilege access controls.

You may request a copy of the safeguards we use for a specific transfer by emailing privacy@wemob.io.

8. Data Security

We implement and maintain appropriate technical and organisational measures to protect personal data, including:

  • TLS 1.2+ encryption for all data in transit.
  • Encryption at rest for databases, object storage, secrets, and backups.
  • Role-based access controls, hardware-backed multi-factor authentication for staff, and least-privilege production access.
  • Network isolation, web application firewall, automated rate limiting, and DDoS protection.
  • Centralised audit logging and continuous security monitoring.
  • Vulnerability scanning, dependency tracking, and a coordinated disclosure process for reported security issues.
  • Background-checked staff bound by written confidentiality obligations.
  • A documented incident-response plan and breach-notification procedure consistent with Articles 33 and 34 GDPR.

No system can be guaranteed 100% secure. If you become aware of a suspected vulnerability, please contact security@wemob.io.

9. Cookies and Similar Technologies

Cookies and similar technologies (local storage, pixels, SDK identifiers) help us run the Service, remember your preferences, and understand how the Service is used.

9.1 Categories

  • Strictly necessary: authentication, session management, billing, fraud prevention, and load balancing. These cannot be turned off.
  • Functional: theme, language, recently opened projects, and editor preferences.
  • Analytics: PostHog product analytics, used with IP-truncation and a privacy-respecting configuration.
  • Marketing: we use a small number of marketing cookies on the public website (wemob.io) when you have consented to them; none are set inside the authenticated app.

9.2 Managing Cookies

Where required, we ask for your consent before setting non-essential cookies and you can withdraw consent at any time using the cookie banner or your browser settings. Disabling strictly necessary cookies will break parts of the Service.

Cookies set on apps you build and deploy through Wemob are subject to your own cookie policy with your end users.

10. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this Policy, or as required by law. Default retention periods:

  • Account data: retained while your account is active and for up to 30 days after deletion, after which it is purged from primary systems.
  • Project content (prompts, conversations, source code, assets): retained while the project exists and for up to 30 days after deletion to allow recovery.
  • Encrypted backups: may persist for up to 35 days after deletion before being overwritten on rotation.
  • Web analytics events from your deployed apps: retained per the retention setting on your plan, or up to 12 months by default. Aggregated or anonymised analytics may be retained indefinitely.
  • Billing and tax records: retained for 7 years to comply with UK and EU accounting requirements.
  • Security and audit logs: retained for up to 24 months for security investigations, then purged or anonymised.
  • Support communications: retained for 24 months after the case is closed.
  • Marketing data: retained until you unsubscribe or two years of inactivity, whichever comes first.

11. Your Data Protection Rights

Subject to applicable law, you have the following rights regarding personal data we hold about you as a controller:

  • Right to be informed — through this Policy and our other notices.
  • Right of access — to obtain a copy of your personal data.
  • Right to rectification — to correct inaccurate or incomplete data.
  • Right to erasure (the "right to be forgotten") — subject to lawful retention exceptions.
  • Right to restrict processing — in defined circumstances.
  • Right to data portability — to receive your data in a structured, machine-readable format and have it transmitted to another controller where technically feasible.
  • Right to object — to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent — without affecting the lawfulness of processing carried out before withdrawal.
  • Right not to be subject to solely automated decisions producing legal effects on you (see Section 4.4).
  • Right to lodge a complaint with a supervisory authority — in the UK, the Information Commissioner's Office (ICO). We would, however, appreciate the chance to deal with your concerns first, so please contact us before you escalate.

To exercise any of these rights, email privacy@wemob.io. We will respond within one month of verifying your identity, with a possible two-month extension where the request is complex. We will not charge a fee unless your request is manifestly unfounded or excessive.

If your data is held by us as a processor on behalf of a Wemob customer (for example, you signed up to an app built on Wemob), please direct your request to the operator of that application; we will assist them in responding.

UK Information Commissioner's Office (ICO)

Website: ico.org.uk

Helpline: 0303 123 1113

12. Children's Privacy

The Service is not directed at children under 16 and we do not knowingly collect personal data from them. If you believe a child has provided personal data to us, contact us at privacy@wemob.io and we will delete it. If you operate an app built on Wemob that targets children, you are responsible for complying with applicable children's privacy laws (including the UK Age-Appropriate Design Code, GDPR Article 8, and COPPA where relevant).

13. Marketing Communications

With your consent (or, where permitted, on a soft opt-in basis under PECR), we may send you marketing emails about new features, product updates, events, and offers. You can unsubscribe at any time using the link in any marketing email or by emailing privacy@wemob.io. Even if you opt out of marketing, we will still send Service-related messages (account, security, billing, and policy updates).

14. Third-Party Links and Services

The Service contains links to third-party websites and supports third-party integrations you choose to enable. We are not responsible for the privacy practices of those third parties. Read their privacy policies before sharing personal data with them.

15. Changes to This Policy

We may update this Policy from time to time. When we make material changes, we will update the "Last updated" date and notify you in-product or by email at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

16. Contact Us

For privacy questions, requests, or to exercise your rights:

Wemob Ltd — Privacy

Email: privacy@wemob.io

Security: security@wemob.io

General support: support@wemob.io

Address: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ

Company Number: 16711582 (England and Wales)

As a UK-established company, we do not require an EU representative under Article 27 GDPR for our own controller activities. EEA residents may contact us directly at the address above.