Privacy Policy

Neighborhood Website Guy LLC (“NWG,” “we,” “us,” or “our”) is a Texas limited liability company that builds custom websites and provides ongoing website management for small businesses. This Privacy Policy explains what information we collect, how we use it, and your rights regarding it. It applies to:

• The website at neighborhoodwebsiteguy.com and its subdomains
• The NWG client web app and Customer Hub features
• The Neighborhood Website Guy mobile app on iOS and Android
• All emails, support communications, and related services we provide

By using any of these services, you agree to this Privacy Policy. If you do not agree, please do not use our services.

1. Who we are

Controller (in GDPR terms) for personal information about visitors to our marketing site and our direct clients:

• Neighborhood Website Guy LLC
• Email: joseph@neighborhoodwebsiteguy.com
• State of formation: Texas, USA

For data processed on behalf of our clients(their customers' contact records, form submissions, etc., stored in the NWG Customer Hub), our client is the “controller” and we are the “processor.” See Section 9 for details.

2. Information we collect

a. Information you provide

• Account information: name, email address, phone number, business name, password (hashed via Supabase Auth — we never see your plaintext password).
• Onboarding form: business goals, industry, design preferences, uploaded files (logos, photos, content).
• Payment information: processed by Stripe; we never see or store full card numbers. We store the last 4 digits and the Stripe customer ID only.
• Support communications: messages you send through our support chat, email, or contact forms.

b. Information collected automatically

• Web analytics: page views, referrer, country, device type, browser, session duration. We use Umami Analytics, a privacy-first analytics service that does not use cookies and does not track individuals across websites.
• Web app usage: what features you use within your dashboard, error logs (via Sentry), and security audit logs.
• IP address: stored only when needed for security (rate limiting, spam protection); truncated to /24 (last octet zeroed) where used for the Customer Hub form ingestion to reduce PII exposure.
• Cookies: we use only essential cookies (authentication session, CSRF tokens). We do not use marketing or advertising cookies.

c. Information from the mobile app

• Push notification tokens:a device identifier from Apple or Google that lets us send you alerts (new contact, follow-up due, support reply). You can disable notifications in your phone's system settings at any time.
• Photo library access: if you choose to upload a profile picture, the app requests permission to read photos from your device library. We only access the specific image you select.
• Camera access: if you choose to take a new profile photo or attach a photo to a customer record (future feature), the app requests permission to use your camera. The camera is only activated when you explicitly tap “Take Photo.” We do not record video, audio, or background camera activity. We only receive the specific image you capture and choose to upload.

d. Information collected on behalf of our clients (Customer Hub)

If you are a customer of one of our clients (i.e., a small business that uses NWG Customer Hub) and you fill out a form on their website, your information is collected and stored on behalf of that business. NWG is the processor; the business is the controller. We do not use your data for our own purposes. To exercise rights regarding your data, contact the business directly. See Section 9.

3. How we use your information

We use information for these specific purposes:

• To provide and operate our website services and Customer Hub
• To process payments and manage subscriptions
• To send transactional emails (welcome, payment receipts, support replies, monthly reports)
• To send the weekly SEO blog post drafts for your review
• To monitor security, detect fraud, and prevent abuse
• To respond to support requests and maintain our service quality
• To improve our services through aggregated, non-identifying analytics
• To comply with legal obligations

We do not sell your personal information. We do not share information with advertisers. We do not perform behavioral advertising.

4. Subprocessors

We use the following third-party services (“subprocessors”) to deliver our services. Each is bound by their own privacy policies and applicable Data Processing Agreements:

We will update this list when we add or change subprocessors. Material changes are announced at least 30 days before they take effect.

5. Data retention

• Account data: retained while your account is active and for 30 days after cancellation as a courtesy data-export window
• Payment records: retained for 7 years as required by U.S. tax law
• Support communications: retained for 3 years
• Web analytics: aggregated data retained indefinitely; individual session data discarded after 12 months
• Error logs (Sentry): retained for 90 days
• Customer Hub data (data we hold on behalf of clients): retained per the client's instructions; on client cancellation, exported and then deleted within 30 days

6. Your rights

Depending on where you live, you may have the following rights regarding your personal information:

• Access: request a copy of the personal information we hold about you
• Correction: request that we correct inaccurate information
• Deletion: request that we delete your information (subject to legal retention obligations such as tax records)
• Portability: receive your data in a machine-readable format (CSV or JSON)
• Objection / restriction: object to certain processing or ask us to restrict it
• Withdraw consent: for any processing based on consent
• Lodge a complaint: with your local data protection authority

To exercise any right, email joseph@neighborhoodwebsiteguy.com. We will respond within 30 days.

California residents (CCPA / CPRA): you may also request information about the categories of personal information we have collected, sold, or shared in the past 12 months. We do not sell or share personal information for cross-context behavioral advertising.

7. Security

We use industry-standard security practices to protect your information:

• HTTPS / TLS encryption for all data in transit
• Encryption at rest for stored data (via Supabase and Vercel)
• Row-Level Security (RLS) policies enforced at the database layer
• Timing-safe authentication checks; HTML output sanitization to prevent XSS
• Magic-byte file validation on uploads (no SVG or executable files)
• Regular security audits and dependency updates
• Daily database backups

No system can be 100% secure. If we discover a breach affecting your information, we will notify you and applicable authorities within 72 hours where required by law.

8. Children's privacy

Our services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.

9. Customer Hub: data we hold on behalf of clients

When you (a small business) use the NWG Customer Hub, we store information about your customers (names, emails, phone numbers, form submissions, notes, etc.) on your behalf. In this relationship:

• You are the data controller. You decide what data to store and how to use it.
• NWG is the data processor. We process this data only as instructed by you and only to provide the Customer Hub service.
• You retain full ownership of all data in your Customer Hub.
• You can export your data (CSV or JSON) at any time from your dashboard, and we provide a complete export within 7 days of cancellation.
• If a customer of yours requests their data or asks you to delete it, you handle that request directly. We provide tools (search, soft-delete, hard-delete after 30 days) to help.
• We do not use Customer Hub data for our own marketing or to train AI models. AI suggestion features (e.g., reply drafts) send only the specific contact context to OpenAI for the duration of the request and do not retain training rights over your data.

For clients enabling the Customer Hub, a Data Processing Agreement (DPA) is part of your service agreement and governs this relationship in detail.

HIPAA notice: The NWG Customer Hub is not HIPAA-compliant. Healthcare clients (dental, chiropractic, vet, etc.) may not store Protected Health Information including medical records, treatment notes, diagnoses, insurance policy numbers, prescriptions, or any clinical data in the Customer Hub. Use is restricted to non-clinical contact and appointment-interest information. See Terms of Service for the full clause.

10. International transfers

We are based in the United States, and our subprocessors are also primarily based in the U.S. If you access our services from outside the U.S., your information is transferred to and processed in the U.S. We rely on Standard Contractual Clauses (SCCs) and equivalent safeguards where required by EU/UK data protection law.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced by email to active clients at least 30 days before they take effect, and the “Last updated” date at the top of this page will be revised. Continued use of our services after changes take effect indicates your acceptance.

12. Contact

Questions or concerns about this Privacy Policy or our handling of your information? Reach out:

• Email: joseph@neighborhoodwebsiteguy.com
• Mail: Neighborhood Website Guy LLC, Texas, USA (full address provided on request)