← Back

◍ Legal · effective 2 June 2026

Privacy Policy

This policy explains how we collect, use, and protect personal data when you use Vinmur. We comply with the UK GDPR and the EU GDPR.

1. Who we are

Vinmur is operated by Open Source AI Ltd, a company registered in England & Wales (“Vinmur”, “we”, “us”). We act as the data controller for personal data we collect about our customers and visitors to vinmur.uk.

Contact for privacy questions or GDPR requests:
Email: [email protected]

2. What data we collect

We collect the following categories of personal data:

2.1 Account data

  • Name and email address (via Clerk, our authentication provider)
  • Login activity and timestamps
  • Account preferences and settings

2.2 Billing data

  • Billing name, email, and address (collected and held by Stripe; we do not store full card numbers)
  • Subscription tier, payment history, and invoice records
  • VAT information where applicable

2.3 Site & customer content data

  • Site profiles, products, and content you create or upload
  • Files you upload (HTML, images, etc.)
  • Contact form messages sent to your sites by your visitors (treated as your business data; you are the controller for that data)

2.4 Technical & usage data

  • IP addresses and connection metadata (collected by our infrastructure and by Cloudflare for security and routing)
  • Browser type, device type, referrer URL
  • Dashboard usage logs (which pages you visit, which features you use)
  • Error logs and performance telemetry

2.5 Communications

3. Why we collect it (lawful bases)

Under GDPR, we rely on the following lawful bases:

  • Contract (Art 6(1)(b)): To provide the Service you’ve subscribed to — account creation, billing, hosting your sites, sending receipts.
  • Legitimate interest (Art 6(1)(f)): To secure the Service against abuse, prevent fraud, improve features, and operate our business. We balance this against your rights.
  • Legal obligation (Art 6(1)(c)): To keep accounting records (HMRC requires us to retain financial records for 6 years), respond to law-enforcement requests under valid legal process, and comply with tax law.
  • Consent (Art 6(1)(a)): Only where we explicitly ask for it (e.g. marketing emails, if we send any). You can withdraw consent at any time.

4. Who we share data with (processors & sub-processors)

We use the following processors to operate the Service. Each is bound by a Data Processing Agreement (DPA):

  • Clerk — authentication and user management (US, GDPR-compliant DPA)
  • Stripe — payment processing and billing (Ireland for EU customers, US for others)
  • Neon — managed PostgreSQL database hosting (EU region, London)
  • Cloudflare — DNS, CDN, DDoS protection (global; data subject to standard contractual clauses)
  • Resend — transactional email delivery (US, GDPR-compliant)
  • Groq — AI model inference for site generation (US; only the prompts you submit are sent)

We do not sell your personal data. We do not share it with advertisers. We do not allow processors to use it for any purpose other than providing services to us.

5. International transfers

Some of our processors are based outside the UK and EEA (notably Clerk, Stripe in some cases, Resend, and Groq). When personal data is transferred outside the UK/EEA, we rely on:

  • UK and EU Standard Contractual Clauses (SCCs) where the destination country lacks an adequacy decision
  • The UK-US Data Bridge / EU-US Data Privacy Framework where applicable
  • Additional safeguards such as encryption in transit and at rest

6. How long we keep your data

  • Account data: While your account is active, plus 30 days after closure
  • Billing records: 6 years after the relevant tax year (UK HMRC requirement)
  • Site content: Deleted within 30 days of account closure unless you export it
  • Server logs: Up to 90 days
  • Support communications: 3 years after resolution

7. Your rights under GDPR

You have the following rights regarding your personal data:

  • Access — request a copy of the data we hold about you
  • Rectification — correct inaccurate data
  • Erasure (“right to be forgotten”) — request deletion, subject to legal retention requirements
  • Restriction — limit how we process your data
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — where we rely on consent
  • Complaint — lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) or your local EU data-protection authority

To exercise any right, email [email protected]. We respond within one month, as required by GDPR.

8. Cookies

Vinmur uses essential cookies to keep you logged in and operate the Service. We do not use third-party advertising or tracking cookies. Authentication cookies are set by Clerk.

If you visit a customer’s site hosted on Vinmur, that site may set its own cookies; we are not the controller for those.

9. Security

We take security seriously and implement the following measures:

  • TLS encryption for all data in transit (Let’s Encrypt and Cloudflare-issued certificates)
  • Encrypted storage of credentials and secrets
  • Access controls limiting which staff can access customer data (currently the founder only)
  • Regular security updates to our infrastructure
  • Bare-metal hosting in the UK, with backups stored separately

No system is 100% secure. If we discover a personal-data breach that affects you, we will notify you and the relevant supervisory authority as required by Article 33/34 GDPR (within 72 hours where feasible).

10. Children

Vinmur is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe we have done so, please contact us and we will delete it.

11. Changes to this policy

We may update this policy from time to time. Material changes will be notified by email or dashboard notice. The effective date at the top reflects the latest revision.

12. Contact & complaints

Privacy questions or GDPR requests:
Open Source AI Ltd, United Kingdom
Email: [email protected]

Supervisory authority (UK):
Information Commissioner’s Office
ico.org.uk

Supervisory authority (EU):
You may also contact the data-protection authority in your EU country of residence.

This Privacy Policy was last updated on 2 June 2026.