Privacy Policy

Webfolio Website Builder

1. Introduction

This Privacy Policy explains how Upon Pro S.à r.l., a private limited company organised under the laws of the Grand Duchy of Luxembourg, having its registered office at rue Camille Mersch, 5260 Hesperange, Luxembourg, and registered with the Luxembourg Trade and Companies Register (RCS) under number B 247 528, trading as Webfolio ("Webfolio", "we", "us", or "our"), collects, uses, stores, shares, and protects personal data in connection with the Webfolio website builder and related services (the "Service").

This Privacy Policy applies to:

(a) Users of the Service — people who create an Account, subscribe to a paid plan, or otherwise use the Service to build and manage a website (each, a "User"); (b) Visitors to the Webfolio public marketing pages (e.g., webfolio.com); (c) People who contact us through support channels, email, or contact forms.

For personal data collected from visitors of websites built and operated by our Users (each, a "User Website"), Webfolio acts primarily as a data processor on behalf of the User, who is the data controller for that data. See Section 11.

This Privacy Policy forms part of, and is incorporated by reference into, the Webfolio General Terms and Conditions.

2. Data Controller and Contact

For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and other applicable data protection laws, the data controller for personal data covered by this Privacy Policy is:

Upon Pro S.à r.l. (trading as Webfolio) rue Camille Mersch 5260 Hesperange Luxembourg RCS Luxembourg: B 247 528

For any privacy-related question, request, or complaint, please contact: hello@webfolio.com

3. Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Information you provide when creating an Account

(a) Account credentials — email address, password (stored as a salted hash; never visible in plaintext to Webfolio). (b) Profile and language preferences — display name, locale.

3.2 Information you provide about your business

When you complete the onboarding questionnaire or update your dashboard, you may provide:

(a) Business name, profession, services, descriptions, prices, and durations; (b) Business address, service area, opening hours, and location coordinates; (c) Contact details intended for display on your website (phone, email, postal address); (d) Information about team members, if you choose to display them; (e) Testimonials, FAQs, events, and other supplementary content.

This information typically describes your business, but may contain personal data about you (as a sole trader or independent professional) or about identifiable team members whom you have authorisation to include.

3.3 Content you upload to the Service

Images, photos, logos, gallery media, profile pictures, documents (PDFs, brochures, menus, price lists), favicons, and any other materials you choose to upload.

3.4 AI generation inputs and outputs

When you use the Service's AI features (for example, to generate a bio, service description, FAQ, or image), we process the inputs you provide and the outputs returned by our AI providers. These are stored as part of your Content.

3.5 Payment information

When you subscribe to a paid Subscription, payment is processed by Stripe, our payment service provider. Webfolio does not collect or store full payment card details on its own systems. From Stripe we receive limited subscription metadata, including: customer reference, subscription status, plan, billing period, billing email, partial card details (such as the last four digits and brand) for display purposes, and billing-address information where applicable.

3.6 Communications

When you contact us via email, contact form, or any support channel, we receive the content of your message and any personal data you choose to include.

3.7 Information collected automatically

When you access the Service, we automatically collect technical information necessary for security, fraud prevention, and the operation of the Service:

(a) IP address — used for authentication, rate limiting, security, and approximate geolocation. For analytics purposes (Section 11.1), raw IP addresses are never stored — they are hashed with a secret pepper before any processing or storage. (b) Device and browser information — browser type and version, operating system, screen size, language preference. (c) Service usage data — pages visited within the dashboard, actions performed, timestamps, error logs, and similar diagnostic information used to operate and improve the Service. (d) Session identifiers — stored in HTTP-only cookies; see Section 8.

3.8 Information from third parties

In limited cases, we may receive personal data from third parties — for example, payment confirmations from Stripe, or technical metadata from Vercel and Cloudflare in connection with hosting and security.

3.9 Sensitive personal data we do not intentionally collect

Webfolio does not intentionally collect "special categories of personal data" within the meaning of GDPR Article 9 (including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation), nor "Sensitive Personal Information" as defined under applicable U.S. state laws (including, for example, precise geolocation, social security numbers, or contents of private communications).

If you choose to include such information in your Account, Content, or User Website (for example, by publishing health-related services, photographs of identifiable individuals, or other sensitive material), you do so under your own responsibility and warrant that you have obtained any consents required by applicable law and have a valid legal basis for the processing.

4. Purposes and Legal Bases for Processing

We process personal data only where we have a valid legal basis under applicable data protection law. The table below summarises the principal purposes and the corresponding legal bases under GDPR Article 6:

Where processing is based on legitimate interest, we have carried out a balancing exercise and consider that our interests are not overridden by your rights and freedoms. You have the right to object to such processing at any time (see Section 10).

5. What We Do Not Do

To be clear about our practices:

(a) We do not sell your personal data to advertisers or any third party. (b) We do not use your Content to train artificial-intelligence models - neither our own nor those of third parties. Your business information, uploaded files, and AI inputs/outputs are processed solely to operate the Service for you, as described in the Terms of Use. (c) We do not use cookies for advertising or third-party tracking on the Webfolio platform. The cookies we set are limited to those needed to operate the Service (see Section 8). (d) We do not place tracking cookies on User Websites for visitor analytics. Our analytics are designed to be cookieless and privacy-first (see Section 11.1). (e) We do not enrich your data with information from outside sources. Apart from payment-related confirmations received from Stripe, Webfolio does not purchase, supplement, or enrich your data using information obtained from advertising partners, data brokers, lead-enhancement services, social-media platforms, or other external sources.

6. Sharing of Personal Data — Subprocessors

To operate the Service, Webfolio shares personal data with carefully selected service providers ("Subprocessors"). Each Subprocessor is contractually bound to process personal data only on Webfolio's instructions and to maintain appropriate security measures.

The following table identifies our current principal Subprocessors. We may update this list from time to time as needed to operate the Service.

In addition to Subprocessors, we may disclose personal data to:

(a) Competent authorities, courts, and law enforcement, where required by law or in response to valid legal process; (b) Professional advisors (lawyers, accountants, auditors) bound by confidentiality obligations; (c) Successors or acquirers in the event of a merger, acquisition, reorganisation, or sale of all or part of Webfolio's business.

7. International Data Transfers

Some of our Subprocessors are headquartered or process data outside the European Economic Area (EEA). Where this is the case, we ensure that transfers are protected by appropriate safeguards under Chapter V of the GDPR, including:

(a) Adequacy decisions of the European Commission (for example, the EU–U.S. Data Privacy Framework, where the recipient is certified); (b) Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented where necessary by additional technical and organisational measures; (c) Other safeguards permitted by Articles 46–49 of the GDPR.

For more information about the safeguards applicable to a specific transfer, please contact us at hello@webfolio.com.

8. Cookies and Similar Technologies

Webfolio uses a minimal set of cookies and similar technologies, primarily for essential functionality. We do not use advertising or third-party tracking cookies on the Webfolio platform.

8.1 Essential cookies

These cookies are necessary for the Service to function and do not require consent under the EU ePrivacy Directive:

8.2 No analytics or advertising cookies

The Webfolio platform does not set analytics, advertising, or marketing cookies. We do not embed third-party trackers (such as Google Analytics, Facebook Pixel, or similar).

8.3 User Websites

We do not set tracking cookies on User Websites for visitor analytics (see Section 11.1). However, Users may choose to add their own integrations (custom code, embedded maps, social-media widgets, video embeds, third-party analytics, etc.) to their User Website. Any cookies or trackers set by such User-added integrations are the responsibility of the User. See Section 11.3.

9. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this Privacy Policy and to comply with our legal obligations.

9.1 Account data

(a) Active Subscriptions — data is retained for as long as the Account is active. (b) Trial Period — 14 days from Account creation (see Terms of Use, Section 5). (c) Limited Period — an additional 15 days after the end of the Trial Period if no paid Subscription is taken out, during which the Service is restricted (see Terms of Use, Section 5.4). (d) Cancellation or termination of a paid Subscription — personal data and Content are permanently deleted upon termination, with no grace period or export (see Terms of Use, Section 14). (e) Encrypted backups containing personal data are retained for a short period (up to 30 days) for disaster recovery and are then automatically purged.

9.2 Billing, accounting, and tax records

Invoices, payment records, and related accounting documents are retained for the period required by Luxembourg law (currently 10 years for commercial accounting records under the Luxembourg Code of Commerce). [CONFIRM specific retention period with counsel.]

9.3 Support communications

Emails and support tickets are retained for a period of [3 years] after the most recent contact, in order to handle follow-up requests and protect our legal interests. [CONFIRM retention period.]

9.4 Analytics

Aggregated, pseudonymous analytics data is retained for up to 24 months.

9.5 Legal obligations and disputes

Where required to comply with legal obligations or to defend or assert legal claims, personal data may be retained for longer periods as permitted by applicable law.

10. Your Rights

Where the GDPR applies, you have the following rights in relation to your personal data:

(a) Right of access (Art. 15) — obtain confirmation that we process your data, and a copy of that data. (b) Right to rectification (Art. 16) — have inaccurate data corrected and incomplete data completed. (c) Right to erasure (Art. 17, "right to be forgotten") — have your data deleted where one of the grounds in Article 17 applies. (d) Right to restriction of processing (Art. 18) — limit how we use your data in certain situations. (e) Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format. (f) Right to object (Art. 21) — object to processing based on legitimate interest or to direct marketing. (g) Right to withdraw consent (Art. 7) — withdraw any consent you have given, without affecting the lawfulness of processing carried out before withdrawal. (h) Right to lodge a complaint with a supervisory authority (Art. 77).

To exercise any of these rights, please contact us at hello@webfolio.com with a description of your request. We will respond within one (1) month of receiving your request; this period may be extended by a further two months for complex or numerous requests, in which case we will inform you of the extension.

Identity verification. Before responding to a rights request, we may need to verify your identity in order to protect against fraudulent requests and unauthorised access to personal data. Verification may include, for example: confirming details associated with your Account (such as the registered email address or recent Service activity), requesting the billing reference used to purchase a paid Subscription, or — for higher-risk requests — requesting additional documentation as permitted by applicable law. Where we cannot reasonably verify the identity of the requester, we may decline to act on the request and will inform you accordingly.

Authorised agents. You may designate an authorised agent (for example, a lawyer, a family member, or another representative) to submit a rights request on your behalf. In such cases, we may require: (i) written proof of the agent's authorisation to act on your behalf (such as a signed power of attorney or written permission); (ii) verification of your own identity as well as the agent's identity; and (iii) where appropriate, direct confirmation from you that you have authorised the request.

You also have the right to lodge a complaint with the Luxembourg supervisory authority:

Commission nationale pour la protection des données (CNPD) 15, Boulevard du Jazz L-4370 Belvaux, Luxembourg Website: https://cnpd.public.lu

You may also lodge a complaint with the supervisory authority of the EU Member State in which you reside.

11. Personal Data of User Website Visitors

When you create a User Website with Webfolio, your visitors may interact with you - for example, by browsing your pages, viewing your gallery, or sending a message through your contact form. In relation to this data:

(a) You (the User) are the data controller for personal data collected from visitors of your User Website. You are responsible for providing your visitors with appropriate privacy notices, obtaining any required consents, and otherwise complying with applicable data protection law. (b) Webfolio acts as a data processor on your behalf and processes such data only to provide the Service.

11.1 Visitor analytics (cookieless, privacy-first)

Webfolio provides built-in analytics for each User Website. These analytics are designed to be privacy-first and to operate without cookies or third-party trackers, which means no cookie banner is required for analytics under the EU ePrivacy Directive.

Key features of our analytics:

(a) IP addresses are not stored. Visitor IP addresses are immediately hashed with a secret server-side "pepper" (SHA-256). Only the resulting hash is processed. (b) Daily pseudo-session identifiers. A session identifier is derived from the IP hash plus a daily salt and resets every 24 hours, preventing cross-day tracking of individual visitors. (c) Coarse geolocation. Country and city information is derived from server headers (provided by our hosting provider); no precise location is collected. (d) Referrer minimisation. Referrer URLs are stripped to the hostname only, reducing potential exposure of personal information embedded in URLs. (e) No user-agent storage. The user-agent string is used only for bot filtering and is not retained. (f) No fingerprinting and no third-party scripts.

We consider the legal basis for this processing to be legitimate interest (GDPR Art. 6(1)(f)) for first-party audience measurement, in line with guidance from EU data protection authorities. You remain responsible, as data controller, for the privacy notice provided on your User Website.

11.2 Contact form submissions

When a visitor submits the contact form on your User Website, the submission is delivered to you (the User) by email. Webfolio temporarily stores limited metadata (such as a hashed IP and timestamp) for spam-prevention and rate-limiting purposes.

11.3 Cookies and third-party content on User Websites

Webfolio itself does not set tracking cookies on User Websites. However, if you (as the User):

(a) embed custom HTML, CSS, or JavaScript; (b) embed third-party content (e.g., Google Maps, YouTube, social-media widgets); (c) integrate external analytics or marketing tools;

…then you are responsible for any cookies or trackers those features may set and for the consent and notice obligations they may trigger (including, in the EU, under the ePrivacy Directive and national implementations).

12. Security

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include, without limitation:

(a) TLS encryption for data in transit; (b) encryption at rest for stored data and backups; (c) password hashing (handled by Supabase Auth with industry-standard algorithms); (d) HTTP-only session cookies; (e) session security controls (30-minute idle timeout, 7-day absolute session maximum, cross-tab sign-out); (f) row-level security on database tables to ensure tenant isolation; (g) IP rate limiting and bot prevention (Cloudflare Turnstile); (h) restricted access to personal data by Webfolio personnel on a need-to-know basis; (i) regular security reviews, dependency updates, and patching.

No system can guarantee absolute security. If you suspect any unauthorised access to your Account or any security incident affecting personal data, please contact us immediately at hello@webfolio.com.

In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, Webfolio will notify the CNPD and, where required, affected individuals in accordance with Articles 33 and 34 of the GDPR.

13. Children's Privacy

The Service is not directed to children under 16 years of age, or such other minimum age as may be set by applicable law in the country where the User resides. We do not knowingly collect personal data from children without parental consent.

If you become aware that a child has provided us with personal data without appropriate consent, please contact us at hello@webfolio.com and we will take appropriate steps to delete the information.

14. Marketing Communications

We may send you:

(a) Service and transactional emails — relating to your Account, billing, security, and operation of the Service. These are necessary for the performance of the contract and cannot be opted out of while the Account is active. (b) Optional marketing communications — such as product updates, newsletters, and tips. These are sent only with your consent (or as otherwise permitted by law in the context of an existing customer relationship), and you can unsubscribe at any time using the link in each email or by contacting us at hello@webfolio.com.

15. Automated Decision-Making and Profiling

Webfolio does not use personal data to make automated decisions that produce legal effects or similarly significant effects on individuals within the meaning of GDPR Article 22.

The Service includes AI features that generate content suggestions based on inputs you provide. These features assist you in creating your website but do not make decisions affecting you legally or in a similarly significant way — you remain in full control of what is published.

16. Information for Residents of the United States

This Section 16 provides additional information for residents of U.S. states with comprehensive privacy laws - including, as of the date of this Privacy Policy, California (CCPA, as amended by CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states as their laws come into effect. This Section applies in addition to the rest of this Privacy Policy.

16.1 Categories of personal information collected

In the past twelve (12) months, Webfolio has collected the following categories of personal information from U.S. residents, as defined under applicable state laws:

16.2 Sources of personal information

We collect personal information:

(a) directly from you (when you register, complete the onboarding questionnaire, upload Content, or contact support); (b) automatically from your device when you use the Service (see Section 3.7); (c) from our payment processor (Stripe), for limited payment-related metadata.

As stated in Section 5(e), Webfolio does not purchase personal information from data brokers, advertising partners, or lead-enhancement services.

16.3 Purposes for which we use personal information

We use personal information for the purposes set out in Section 4 of this Privacy Policy, including providing and operating the Service, processing payments, security and fraud prevention, customer support, legal compliance, and — with your consent — optional marketing communications.

16.4 Disclosure of personal information for business purposes

In the past twelve (12) months, Webfolio has disclosed the categories of personal information identified in Section 16.1 to the categories of Subprocessors identified in Section 6 of this Privacy Policy, solely for the business purposes described in Section 4. We may also disclose personal information to legal recipients (authorities, professional advisors, successors) as described in Section 6.

16.5 No "sale" or "sharing" of personal information

Webfolio does not "sell" personal information for monetary or other valuable consideration, and does not "share" personal information for cross-context behavioural advertising, within the meaning of the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA"), or equivalent terms under other applicable U.S. state laws.

Webfolio does not knowingly sell or share the personal information of consumers under 16 years of age.

16.6 Your rights under U.S. state privacy laws

Depending on the U.S. state in which you reside, you may have some or all of the following rights:

(a) Right to know / right to access — request confirmation of whether we process your personal information and a copy of the personal information we hold about you; (b) Right to delete — request deletion of personal information we have collected about you, subject to legal exceptions (such as for record-keeping, fraud prevention, security, or compliance with legal obligations); (c) Right to correct — request correction of inaccurate personal information; (d) Right to data portability — receive your personal information in a portable, commonly used, machine-readable format; (e) Right to opt out of "sale" or "sharing" — direct us not to sell or share your personal information. As stated in Section 16.5, Webfolio does not engage in either activity, but you may still exercise this right; (f) Right to limit the use of Sensitive Personal Information — direct us not to use Sensitive Personal Information for purposes other than those permitted under applicable law. As stated in Section 3.9, Webfolio does not intentionally collect Sensitive Personal Information; (g) Right to opt out of automated decision-making and profiling — to the extent applicable. As stated in Section 15, Webfolio does not use personal information for such purposes; (h) Right of appeal — if we deny a rights request, you may appeal our decision (see Section 16.9).

16.7 How to exercise your rights

To exercise any of these rights, please contact us at hello@webfolio.com with a clear description of your request. We will respond within the time period required by applicable law (generally 45 days under CCPA/CPRA, with the possibility of a 45-day extension when reasonably necessary).

Identity verification and authorised-agent rules described in Section 10 apply equally to U.S. rights requests.

16.8 Global Privacy Control (GPC) signal

Webfolio recognises and honours the Global Privacy Control (GPC) browser signal as a valid opt-out signal under applicable U.S. state laws. When we detect a GPC signal from your browser, we treat it as a request to opt out of any "sale" or "sharing" of personal information (although, as stated in Section 16.5, Webfolio does not engage in either activity).

To learn more about the Global Privacy Control, please visit https://globalprivacycontrol.org.

16.9 Right to appeal

If we deny a rights request, you may appeal our decision by contacting us at hello@webfolio.com with the words "Privacy Appeal" in the subject line and a brief explanation of why you believe the decision should be reconsidered. We will respond to your appeal within the time required by applicable law (generally 60 days under VCDPA, CPA, CTDPA, and similar laws).

If your appeal is denied, you may contact the attorney general of your state or another competent authority to lodge a complaint, where applicable law provides for such a process.

16.10 "Do Not Sell or Share My Personal Information"

As stated in Section 16.5, Webfolio does not sell or share personal information within the meaning of U.S. state privacy laws. If you nonetheless wish to record a formal opt-out preference, you may do so by contacting us at hello@webfolio.com with the words "Do Not Sell or Share" in the subject line, or by sending a GPC signal as described in Section 16.8.

16.11 Non-discrimination

Webfolio will not discriminate against you for exercising any of the rights described in this Section 16. We will not deny you the Service, charge you different prices, or provide you with a different level or quality of Service because you exercised a privacy right.

16.12 Retention

We retain personal information of U.S. residents for the time periods set out in Section 9 of this Privacy Policy. To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the data, the potential risk of harm, the purposes for which we process the data, and applicable legal requirements.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or legal requirements.

(a) Material changes will be communicated by email (where we have your address) or through the Service at least thirty (30) days before they take effect. (b) Non-material changes (such as clarifications or corrections) may take effect upon publication.

The "Last updated" date at the top of this Privacy Policy indicates when it was most recently revised. Continued use of the Service after the effective date of an update constitutes acceptance of the updated Privacy Policy.

18. Contact

For any privacy-related question, request, or complaint, please contact:

Upon Pro S.à r.l. (trading as Webfolio) rue Camille Mersch 5260 Hesperange Luxembourg RCS Luxembourg: B 247 528

Email: hello@webfolio.com

You also have the right to lodge a complaint with the Commission nationale pour la protection des données (CNPD) at https://cnpd.public.lu, or with the supervisory authority of the EU Member State in which you reside.

End of Privacy Policy.