Privacy Policy

Last updated: April 16, 2026

WhatIMade.app ("we", "us", "our") operates the website hosting platform at whatimade.app. This policy explains what data we collect, why, and how we handle it.

What We Collect

We keep data collection to a minimum. Here is what we store:

• Account data: When you sign in with Google, we receive your name, email address, and profile picture from Google. We use this solely to identify your account.
• Site files: Files you upload are stored on Cloudflare R2 so they can be served to visitors of your site.
• Page view counts: We count page views per site using a lightweight tracking pixel. We do not use cookies for analytics, do not track visitors across sites, and do not collect IP addresses or browser fingerprints for analytics purposes.
• Server logs: Cloudflare may temporarily log request metadata (IP address, user agent, timestamps) for security and abuse prevention. These logs are not retained long-term by us.

What We Do Not Collect

• We do not use third-party analytics services (no Google Analytics, no Facebook Pixel, no trackers).
• We do not sell, rent, or share your personal data with advertisers or data brokers.
• We do not track you across websites.
• We do not read the textual content of your files for analytics, training, or any data-mining purpose.

Content Safety Scanning

For anonymous uploads only (deploys made without a signed-in account), we apply a narrow automated check against known malware signatures and phishing patterns (such as credit-card or banking-credential collection forms combined with brand-impersonation language). This check runs on upload, returns an "allow" / "flag" / "block" verdict, and discards the content after scoring. Authenticated users are trusted and their uploads are not scanned. This exists to prevent the *.whatimade.app subdomains from being used to host phishing pages.

How We Use Your Data

• Account data is used to authenticate you and associate sites with your account.
• Site files are stored to serve your website to the public (or to password-protected visitors, if you set a password).
• Page view counts are shown to you in your dashboard so you can see how your site is performing.

Cookies

We use a single session cookie (wim_session) when you sign in. This cookie is:

• HttpOnly (not accessible to JavaScript)
• Secure (only sent over HTTPS)
• SameSite=Lax (not sent in cross-site requests)
• Expires after 7 days of inactivity

We do not use advertising cookies, tracking cookies, or any third-party cookies.

Third-Party Services

• Google OAuth: Used for sign-in. Google receives confirmation that you signed into our app. See Google's Privacy Policy.
• Cloudflare: Our hosting infrastructure. All data is processed on Cloudflare's network. See Cloudflare's Privacy Policy.
• Stripe: Used for domain purchases (when applicable). Payment data is handled entirely by Stripe and never touches our servers. See Stripe's Privacy Policy.

Data Storage and Security

Your data is stored on Cloudflare's global network using their D1 (database), R2 (file storage), and KV (key-value) services. Passwords for protected sites are hashed using PBKDF2 with 100,000 iterations. API keys are hashed with SHA-256. Session tokens are cryptographically random.

Data Deletion

You can delete any site from your dashboard at any time. This permanently removes the site record and all associated files. If you want your entire account deleted, contact us at support@whatimade.app and we will remove all your data within 30 days.

Children's Privacy

WhatIMade.app is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

Changes to This Policy

We may update this policy from time to time. When we do, we will update the "Last updated" date at the top. Continued use of the service after changes constitutes acceptance of the updated policy.

Contact

Questions about this privacy policy? Email us at support@whatimade.app.