Plinth

Privacy Policy

Last updated: 24 March 2026

1. Introduction & Scope

Plinth (“we”, “us”, “our”) is committed to protecting the privacy of individuals who interact with our platform. This Privacy Policy explains how we collect, use, disclose, and manage personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained therein.

This policy applies to all personal information collected through our website at plinth.au, our customer portal, our admin portal, our API, and any related services we provide (collectively, the “Platform”).

By using the Platform, you acknowledge that you have read and understood this policy. If you do not agree with our practices, please discontinue use of the Platform and contact us to request deletion of your data.

2. Who We Are

Plinth is an Australian company providing an AI-powered managed web development platform for Australian small businesses. We design, generate, and host websites on behalf of our customers.

If you have any questions or concerns about how we handle your personal information, please contact our privacy team:

Plinth — Privacy
Email: privacy@plinth.au
Website: plinth.au

3. Information We Collect

We collect personal information in the following categories:

Account Information

When you create an account, we collect your name and email address. If you sign up via Google OAuth, we receive your name and email from Google. We store a hashed password (we never store your password in plain text).

Business Information

During onboarding, we collect information about your business: business name, industry, target audience, contact details, branding preferences, and any other content you provide to describe your business. This information is used to generate your website.

Site Content

We store the content of websites we generate and host on your behalf, including text, images, and other media assets you upload. You retain ownership of this content at all times.

Usage Analytics

We collect privacy-friendly analytics about how visitors interact with your hosted website. These analytics are collected without cookies and without fingerprinting. No personally identifiable visitor information is retained beyond aggregated statistics.

Form Submissions

If you use Plinth’s form handling service on your generated website, we process and store form submissions on your behalf. The personal information of your customers contained in those submissions is held by Plinth as your data processor. You are responsible for obtaining appropriate consent from your customers.

Subscription and Billing Metadata

We record your subscription tier, billing cycle, and payment status. Plinth never stores credit card numbers or payment card data of any kind. All payment card data is handled exclusively by Stripe, which operates under PCI DSS Level 1 certification. We receive only non-sensitive subscription metadata from Stripe (e.g., whether a payment succeeded, your current plan).

4. How We Use Your Information

We use the personal information we collect for the following purposes:

  • Service delivery: To create, host, and maintain your website; to process revisions; to manage your account and subscription.
  • Communication: To send you transactional emails (account creation, password reset, build completion, billing notifications). We will only send marketing communications with your explicit consent and will always provide an unsubscribe mechanism in compliance with the Spam Act 2003 (Cth).
  • Analytics: To provide you with aggregated, anonymised statistics about your website’s performance.
  • Platform improvement: To understand how our platform is used so we can improve our AI generation quality and user experience. We do not use your personal information to train AI models without your explicit consent.
  • Legal compliance: To comply with applicable Australian laws and to respond to lawful requests from government authorities.
  • Security: To detect and prevent fraud, abuse, and other harmful activity on the Platform.

We will not use your personal information for any purpose that is incompatible with the primary purpose for which it was collected, except with your consent or as otherwise permitted by the APPs.

5. Third-Party Service Providers

We engage the following third-party service providers who may receive or process personal information on our behalf. Each provider has been assessed against our privacy requirements and operates under contractual obligations consistent with the APPs.

Supabase

Purpose: Database, authentication, and file storage. Supabase stores all platform data including user accounts, business information, website content, and analytics.
Regions: Australia (primary) and United States. Data may be replicated across both regions.
Privacy Policy: supabase.com/privacy

Stripe

Purpose: Payment processing and subscription management. Stripe processes all payment card transactions and manages billing cycles.
Certification: PCI DSS Level 1 Service Provider — the highest level of payment security certification. Stripe processes all payment card data independently; Plinth does not receive, store, or transmit cardholder data.
Privacy Policy: stripe.com/au/privacy

Cloudflare

Purpose: Website hosting (Cloudflare R2 + Workers), content delivery network (CDN), DNS management, and DDoS protection for generated websites.
Regions: Global edge network. Your generated website’s static assets are served from Cloudflare’s global network.
Privacy Policy: cloudflare.com/privacypolicy

Resend

Purpose: Transactional email delivery. Resend is used to send account notifications, billing receipts, and operational alerts.
Privacy Policy: resend.com/privacy

Google reCAPTCHA v3

Purpose: Spam and bot protection on forms submitted through generated websites.
Data collected by Google: Google’s reCAPTCHA service collects information about your device and interactions, including your IP address, mouse and keyboard behaviour patterns, and browsing history and cookies from the Google domain. This data is sent to and processed by Google to assess whether a form submission is likely automated.
Note: By using a generated website that includes form submission functionality, you and your website visitors are also subject to Google’s privacy policy.
Google’s Privacy Policy: policies.google.com/privacy

Vercel

Purpose: Hosting and deployment of the Plinth customer portal, admin portal, and associated platform infrastructure. Vercel may also provide platform-level analytics.
Privacy Policy: vercel.com/legal/privacy-policy

We do not sell your personal information to third parties. We do not share your personal information with third parties for their own marketing purposes.

6. Cookies and Tracking

Plinth uses cookies sparingly and only for functional purposes. We do not use advertising cookies, tracking pixels, or cross-site tracking of any kind.

Authentication Cookies

Supabase Auth sets an HttpOnly cookie to maintain your login session. This cookie is strictly necessary for the Platform to function and cannot be disabled without affecting your ability to use the service. The cookie contains a JWT access token and refresh token and does not contain any personal information in readable form.

reCAPTCHA

Google reCAPTCHA v3 may set cookies as part of its spam detection process. These cookies are set by Google and are subject to Google’s cookie policy. They are used solely for the purpose of distinguishing human from automated form submissions.

No Tracking Cookies or Fingerprinting

Plinth’s built-in website analytics do not use cookies and do not perform browser fingerprinting. We collect anonymised page view data only, without any mechanism to identify or track individual visitors across sessions.

7. Data Retention

We retain personal information for as long as necessary to provide the Platform and comply with our legal obligations:

  • Account and business data: Retained for the duration of your active account, plus 30 days following account closure to allow for recovery. After 30 days, personal data is permanently deleted from our systems.
  • Generated website content: Retained for the duration of your active subscription and for 30 days following cancellation. You may export your website source code at any time during this period.
  • Form submissions: Retained until you delete them or close your account, subject to the 30-day grace period above.
  • Raw analytics data: Retained for 90 days. Aggregated, anonymised analytics summaries may be retained indefinitely.
  • Billing records: Retained for 7 years in accordance with Australian taxation law requirements.

Following the expiry of applicable retention periods, personal information is securely deleted or de-identified.

8. Your Rights Under the Privacy Act 1988

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the following rights in relation to your personal information:

Access (APP 12)

You have the right to request access to the personal information we hold about you. We will respond to access requests within 30 days. In most cases, you can access your personal information directly through your account settings in the portal.

Correction (APP 13)

You have the right to request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. You can correct most of your information directly in the portal. For corrections we cannot process automatically, contact us at privacy@plinth.au.

Deletion

You may request deletion of your personal information by closing your account or by contacting us directly. Deletion will occur within 30 days of your request, subject to our obligation to retain certain records for legal compliance purposes (e.g., billing records).

Portability (Data Export)

You can export the source code of any website we have generated for you at any time through the portal. This export includes all HTML, CSS, and asset files required to host your website independently.

Complaints

If you believe we have mishandled your personal information, please contact us first so we can attempt to resolve the matter. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Office of the Australian Information Commissioner
Website: oaic.gov.au
Phone: 1300 363 992

9. International Data Transfers

In accordance with Australian Privacy Principle 8 (APP 8), we disclose that some of your personal information may be transferred to, stored in, or processed in countries outside Australia.

Specifically:

  • Supabase: Your data may be stored in the United States in addition to Australian data centres.
  • Cloudflare: Your website’s static assets are distributed globally via Cloudflare’s edge network. Cloudflare processes request data in data centres worldwide.
  • Stripe: Payment processing occurs on Stripe’s global infrastructure, which includes data centres in the United States and other countries.

Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information, consistent with APP 8.1. Where applicable, we rely on contractual protections, the overseas recipient’s certification under recognised frameworks, or your consent.

By using the Platform, you acknowledge and consent to the international transfer of your personal information as described in this section.

10. Children’s Privacy

The Plinth Platform is not directed at persons under the age of 18. We do not knowingly collect personal information from children under 18. If you are under 18, please do not use the Platform or provide any personal information to us.

If we become aware that we have inadvertently collected personal information from a person under 18 without appropriate parental consent, we will take steps to delete that information promptly. If you believe we may have collected information from a child under 18, please contact us at privacy@plinth.au.

11. Data Breach Notification

Plinth complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). In the event of an eligible data breach — being an unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to one or more individuals — we will:

  • Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable, and in any case within 30 days of becoming aware of the eligible data breach.
  • Notify affected individuals as soon as practicable, either directly (where contact details are available) or by publishing a statement on our website.
  • Take immediate steps to contain the breach and prevent further unauthorised access.

We maintain an incident response plan and conduct regular security reviews to minimise the risk of data breaches.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will notify you by:

  • Sending an email notification to your registered email address at least 30 days before the changes take effect; and
  • Posting the updated policy on this page with a revised “Last updated” date.

Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to the updated policy, you should discontinue use of the Platform and contact us to close your account.

13. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or our handling of your personal information, please contact our privacy team:

Plinth — Privacy Enquiries
Email: privacy@plinth.au
Response time: We aim to respond to all privacy enquiries within 5 business days.

We take all privacy enquiries seriously and will work with you to resolve any concerns promptly and fairly.
