Privacy Policy
Last updated: April 10, 2026
This Privacy Policy describes how Brightwing Systems, LLC ("we", "us", or "our") collects, uses, and protects information when you use Deplixo ("the Service") available at deplixo.com. By using the Service, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
Deployed Content
When you deploy an app through the Service, we collect the code and files you submit (HTML, CSS, JavaScript, and related assets), along with any optional metadata you provide (such as an app title or custom URL slug).
Data Received via AI Platform Integrations
Deplixo integrates with third-party AI platforms (such as Claude by Anthropic and ChatGPT by OpenAI) through the Model Context Protocol (MCP). When you deploy an app from within an AI assistant, the deploy payload — your code, files, and metadata — is sent from the AI platform to our MCP server and then to our API. We receive and store only the deploy payload. We do not receive, access, or store your conversations with the AI assistant, and we do not share your deployed content back to the AI platforms.
Account Information
If you create an account (optional), we collect your email address and, if you use social login (Google or GitHub), basic profile information provided by those services (such as your name and profile picture). You can also deploy apps without creating an account.
Usage Data
We collect standard server logs (IP addresses, browser type, pages visited, timestamps) to operate and improve the Service. This includes logs generated by both our main application servers and our MCP server. For deployed apps, we track page views using a privacy-friendly visitor hash — we do not store raw IP addresses in page view records. IP addresses collected for abuse prevention are automatically scrubbed after 30 days.
App Visitor Data
When you visit a deployed app on Deplixo (even without a Deplixo account), a randomly generated visitor ID is stored in a cookie (bw_visitor_id) to enable cross-session features like data persistence and display names. This is a functional cookie that returns your own data to you. Visitors to deployed apps are covered by this Privacy Policy.
App Storage Data
If your deployed app uses the built-in data storage (collections or SQL via window.deplixo.db), that data is stored on our servers to provide cross-session and cross-device data persistence.
Cookies
We use only essential and functional cookies:
- deplixo_sessionid — session management (authenticated users only)
- deplixo_csrftoken — CSRF protection
- bw_visitor_id — functional cookie for app visitor identity
- tz — timezone detection at signup
We use self-hosted Umami v2 for analytics, which operates in cookie-free mode. We do not use third-party advertising or tracking cookies.
2. Legal Basis for Processing
We process your personal information on the following legal bases:
- Contract performance: To provide the Service you have requested, including hosting and serving your deployed apps
- Legitimate interest: To operate, maintain, and improve the Service, detect abuse, and ensure security
- Consent: Where required by applicable law, such as for optional communications
3. How We Use Your Information
- To host and serve the apps you deploy
- To provide persistent storage for your deployed apps
- To authenticate your identity and manage your account (if you have one)
- To communicate with you about the Service (e.g., security alerts, updates)
- To respond to support requests
- To detect and prevent fraud, abuse, or security incidents
4. Data Sharing
We do not sell your personal information. We may share information only in the following circumstances:
- Public apps: Code you deploy to the Service is publicly accessible by design. Anyone with the URL can view your deployed app, and if forking is enabled, they can view its source code.
- Service providers: We use third-party service providers to operate the Service. These providers only access data as necessary to perform their functions and are bound by contractual obligations to protect it. Data Processing Agreements (DPAs) are in place with all third-party processors. Our service providers include:
  - Stripe (payment processing) — DPA incorporated by reference
  - Postmark (transactional email delivery) — DPA incorporated by reference
  - GlitchTip (error monitoring) — self-hosted on our own infrastructure, no third-party data transfer
  - Cloud hosting and infrastructure (server hosting, CDN)
- Legal requirements: We may disclose information if required by law, subpoena, or other legal process.
- Business transfers: If Brightwing Systems, LLC is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
5. Data Retention
Apps deployed without an account are retained for up to 1 hour. Saved apps (saved to a user's dashboard) are retained for 3 days unless kept. Kept apps (one-time purchase) are retained for as long as the account is active. If you delete your account, we will remove your personal information and associated apps within 30 days, except where retention is required by law or for legitimate business purposes (such as resolving disputes).
6. International Data Transfers
Our servers are located in Europe (Germany). If you access the Service from outside this region, your information may be transferred to, stored, and processed in a country other than your own. By using the Service, you consent to the transfer of your information as described in this policy. We take appropriate measures to ensure that your data is treated securely and in accordance with this Privacy Policy regardless of where it is processed.
7. Data Security
We implement industry-standard security measures to protect your information, including encryption in transit (TLS), secure password hashing, and regular backups. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.
8. Your Rights
All account holders may:
- Access and update your account information at any time through your account settings
- Download a copy of your data using the "Download My Data" button on your profile page (JSON export of your account, apps, and credits)
- Delete your account and associated data (30-day grace period, then permanent deletion)
- Request deletion of specific deployed apps
- Opt out of non-essential communications
App visitors (non-account-holders)
Delete your visitor data from any app using the deplixo.deleteMyData() SDK method, which removes all your collection entries, history, and visitor records from that app's database and clears your visitor cookie.
California Residents (CCPA)
If you are a California resident, you have the right to: know what personal information we collect, use, and disclose; request deletion of your personal information; and opt out of the sale of your personal information. We do not sell your personal information. You can exercise your right to know via the "Download My Data" feature. To exercise other rights, contact us at deplixo@brightwingsystems.com. We will not discriminate against you for exercising any of these rights.
European Economic Area, UK, and Swiss Residents (GDPR)
If you are located in the EEA, UK, or Switzerland, you have the right to: access your personal data (Art. 15 — via "Download My Data"); rectify inaccurate data; request erasure of your data (Art. 17 — via account deletion or visitor data deletion); restrict or object to processing; request data portability; and lodge a complaint with your local data protection supervisory authority. To exercise these rights, contact us at deplixo@brightwingsystems.com.
9. Children's Privacy
The Service is intended for users aged 13 and older. All apps deployed on Deplixo inherit this 13+ age restriction. Apps may not be directed at or primarily intended for children under 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at deplixo@brightwingsystems.com.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the revised policy.
11. Contact Us
If you have questions about this Privacy Policy, contact us at deplixo@brightwingsystems.com.