1. Who We Are (Data Controller)
The Webstorio platform and related services are operated by PT Rasylva Digital Lestari ("Webstorio", "we", "our", or "us"), Jakarta, Indonesia. For personal data processed about our account holders and website visitors, we act as the data controller. This Privacy Policy explains how we collect, use, disclose, and safeguard your information, and the rights you have under the EU/UK General Data Protection Regulation (GDPR) and similar laws.
For privacy questions or to exercise your rights, contact us at [email protected].
2. Our Roles: Controller and Processor
We are the controller for personal data relating to your Webstorio account and for first-party analytics we collect on websites published through Webstorio. Where you use Webstorio to build a site and collect data from your own visitors (for example through forms, accounts, or stored records), you are the controller of that data and we act as your processor, handling it on your instructions under our terms and any applicable data processing terms.
3. Information We Collect
- Account information: Name, email address, and profile data when you sign up or use third-party sign-in (e.g., Google).
- Content and projects: Websites, pages, and content you create, edit, or publish through Webstorio.
- Billing information: Plan and transaction details processed through our payment provider when you purchase a paid plan. We do not store full card details.
- Usage and technical data: How you use the platform, browser and device information, and similar technical identifiers.
- Visitor analytics (published sites): When analytics cookies are accepted, we collect page views, clicks, engagement duration, referrer, UTM parameters, browser/OS/device, approximate location, and a randomly generated visitor identifier. We use your IP address only transiently to derive an approximate location (city/country) and do not store the raw IP address with analytics events.
4. How We Use Your Information and Legal Bases
We process personal data on the following legal bases (GDPR Art. 6):
- Performance of a contract: to create and manage your account, provide and operate the service, store your projects and content, and process payments.
- Consent: for analytics and marketing cookies and for optional communications. You can withdraw consent at any time.
- Legitimate interests: to secure the platform, prevent abuse and fraud, and improve our services, balanced against your rights.
- Legal obligation: to comply with applicable laws and lawful requests.
5. Cookies and Similar Technologies
We use a small number of cookies and similar technologies, grouped into categories:
- Strictly necessary (always on): required for security, sign-in, and to remember your cookie choices.
- Analytics (opt-in): a session identifier and a visitor identifier cookie (stored for up to 1 year) used to measure usage. These are only set after you accept analytics cookies.
- Marketing (opt-in): used to measure campaigns, where applicable.
Non-essential cookies are off by default and are only used with your consent. You can change or withdraw your choice at any time using the "Cookie settings" link in the website footer.
6. Sharing, Recipients, and Sub-processors
We do not sell your personal information. We share data only with service providers that help us operate the platform, under confidentiality and data-protection obligations, including:
- Cloud hosting and database infrastructure providers.
- Content delivery and security (e.g., Cloudflare).
- Authentication (e.g., Google sign-in, if you use it).
- Payment processing for paid plans.
- Email delivery for transactional and support messages.
We may also disclose information when required by law or to protect our rights, safety, or property.
7. International Data Transfers
We are based in Indonesia and some of our service providers operate outside your country, including outside the European Economic Area. Where we transfer personal data internationally, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or an adequacy decision, as applicable.
8. Data Retention
- Account and content data: retained while your account is active and for a limited period afterwards as needed to comply with legal, tax, and accounting obligations, then deleted or anonymized.
- Analytics events: retained according to your plan's retention window and automatically deleted once that window elapses.
- Cookie consent record: stored for up to 180 days, after which you will be asked again.
9. Your Rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten").
- Restrict or object to certain processing.
- Data portability (receive your data in a portable format).
- Withdraw consent at any time, without affecting prior processing.
To exercise these rights, email [email protected]. We will respond within one month. To request deletion of your account, contact us at the same address.
10. Right to Lodge a Complaint
If you are in the EU/EEA or UK and believe we have not handled your personal data lawfully, you have the right to lodge a complaint with your local data protection supervisory authority. We would, however, appreciate the chance to address your concerns first.
11. Security
We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, or alteration, including encryption in transit, access controls, and rate limiting. No method of transmission or storage is fully secure, and we cannot guarantee absolute security.
12. Children's Privacy
Webstorio is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.
13. Automated Decision-Making
We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date.
15. Contact Us
PT Rasylva Digital Lestari, Jakarta, Indonesia. For privacy-related questions or requests, contact us at [email protected].