Legal
Privacy Policy
What we collect, why we collect it, and the things we deliberately never collect. Written to be read, not skimmed past.
Last updated: July 6, 2026
The short version
- We collect what we need to run your account and build your website — your email, your business details, and the content you give us. Nothing more.
- We never sell your data, and we never use it for advertising.
- Google Analytics on orpto.com runs only if you allow it in the consent banner.
- Visitors to the websites we host for our customers get cookieless, anonymised analytics — no cookies, no stored IP addresses, no tracking across days or sites.
- You can ask for a copy of your data, or ask us to delete it, anytime: privacy@orpto.com.
This summary is here to help — the full policy below is what applies.
01Who we are
Orpto ("we", "us") is a website-building service for local businesses, operated from Slovenia, in the European Union. We are the data controller for the personal data described in this policy, except where noted in section 05 — where we act on behalf of our customers.
For anything privacy-related, contact us at privacy@orpto.com.
02What we collect
Account information
When you register, we collect your email address and name. Authentication is managed securely through Supabase Auth.
Business and website content
To build your website we store the information you provide about your business — its name, services, opening hours, contact details, and any text or photos you add. This is the substance of the service: it is what your website is made of.
Payment information
Payments are processed by Stripe. We never see or store your full card details — Stripe shares only limited information with us, such as the last four digits of your card and your subscription status.
Location defaults during onboarding
During onboarding we may use your IP address to determine your approximate location (country and city), so we can prefill helpful defaults like your local phone prefix. This lookup is processed transiently through a third-party geolocation service (freeipapi.com). We do not store your IP address in our records.
Support correspondence
If you email us, we keep the correspondence so we can help you and refer back to earlier conversations.
03How AI is involved
Orpto uses AI to generate your website's text and images:
- Text. The business descriptions you provide during onboarding are sent to our AI provider, Mistral AI, which processes data within the European Union. The output is your website's copy — headlines, taglines, section text.
- Images. If you use AI image generation, the prompts describing the desired image are processed by Replicate, which may process data outside the EU (see section 08).
Your data is used solely to generate content for your website. We do not use your data to train AI models.
04Cookies & analytics on orpto.com
Essential cookies
We use strictly necessary cookies for signing you in (Supabase Auth) and for fraud prevention during payment (Stripe). These are required for the service to work.
Google Analytics — only with your consent
We would like to use Google Analytics to understand how people find and use orpto.com. It runs only if you accept it in the consent banner shown on your first visit; if you decline, no analytics scripts load at all. You can change your mind by clearing this site's data in your browser, which resets your choice. Google's own privacy practices are described at policies.google.com/privacy.
Fonts
We load typefaces from Bunny Fonts, a privacy-first, EU-based font service that does not track users or log personal data.
05Visitors to websites we host
If you are reading this as a visitor to a website built with Orpto (rather than an Orpto customer), this section is about you. Websites we host include a lightweight, first-party analytics measurement that is designed so it cannot identify you:
- No cookies, no local storage, no fingerprinting. Nothing is written to or read from your device.
- No IP address is ever stored. Your IP is used for a few moments to compute an anonymised token, then discarded.
- No tracking over time or across sites. The anonymised token changes every day and differs per website, so your visits cannot be linked together.
- Do Not Track and Global Privacy Control are honoured — if your browser sends either signal, no measurement happens at all.
- What is recorded: the page path, the referring site's domain, your country, and how long you stayed on the page. Raw data is automatically deleted after 90 days.
For these hosted websites, the business that owns the site is the data controller for any information you submit to it (for example, through its contact form); Orpto processes that data on the business's behalf to deliver it to them.
06How we use your data — and on what legal basis
- To provide the service — building, hosting and letting you edit your website; managing your account and subscription. Legal basis: performance of our contract with you.
- To generate your website content with AI, as described in section 03. Legal basis: performance of our contract.
- To answer support requests and communicate essential service updates. Legal basis: contract and legitimate interest.
- To process payments and prevent fraud. Legal basis: contract and legal obligation.
- To understand how orpto.com is used (Google Analytics). Legal basis: your consent.
- To send occasional product news, only if you have opted in — you can unsubscribe anytime. Legal basis: consent.
We do not sell personal data, and we do not share it with advertisers.
07Who we share it with
We share data only with the service providers that make Orpto work, each limited to its role:
- Supabase — authentication and database infrastructure.
- Stripe — payment processing.
- Mistral AI — text generation (processed within the EU).
- Replicate — AI image generation.
- Bunny.net — content delivery and hosting for published websites (an EU company).
- Google — analytics on orpto.com, only with your consent.
We may also disclose information where the law requires it. If Orpto is ever part of a merger or acquisition, your data would remain protected under this policy or one at least as protective, and we would tell you.
08International transfers
We keep processing in the EU where we can — our hosting, database and text-generation providers process data within the European Union. Some providers (such as Replicate and Google) may process data outside the EU; where that happens, transfers rely on recognised safeguards such as the EU–US Data Privacy Framework or Standard Contractual Clauses.
09How long we keep it
- Account and website data — for as long as your account is active. If you cancel, we keep your data for a limited wind-down period (so you can come back or export it), then delete it.
- On request — email privacy@orpto.com and we will delete your account and data without the wind-down wait.
- Billing records — kept as long as tax and accounting law requires.
- Hosted-site analytics — raw visit data is deleted automatically after 90 days; only aggregate statistics remain.
10Your rights
Under the GDPR you can, at any time:
- Access the personal data we hold about you, and receive a copy in a portable format.
- Correct data that is inaccurate or incomplete.
- Delete your data ("right to be forgotten").
- Restrict or object to certain processing.
- Withdraw consent where processing is based on it (for example analytics or marketing email), without affecting the lawfulness of what was done before.
To exercise any of these, email privacy@orpto.com — we respond within 30 days. You also have the right to lodge a complaint with your local data protection authority; in Slovenia, that is the Information Commissioner (Informacijski pooblaščenec, ip-rs.si).
11Security
All traffic to and from Orpto is encrypted in transit (TLS). Access to production systems is restricted and credential-protected, payment credentials never touch our servers, and published websites are served as static files — which keeps their attack surface deliberately small. No system is perfectly secure, but we design so that the data we hold is the minimum we need.
12Children
Orpto is a tool for running a business and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact us and we will delete it.
13Changes to this policy
When we change this policy in any meaningful way, we will update the date at the top and, for significant changes, notify you by email or in the app before they take effect.
14Contact
Questions, requests, or concerns about privacy: privacy@orpto.com.