Trust
Last updated: April 17, 2026
Your website is yours. Your data is yours. We are a thin layer between your files and your visitors. Here is exactly what that means in practice, written for humans.
Where your data lives
Your files
Stored on Cloudflare R2, their object storage service. Data centres are in the European Union for EU-originated uploads; Cloudflare routes to the nearest edge for serving.
Your account and site metadata
Stored in Cloudflare D1, a SQLite-based database. One row per site, one row per deploy, one row per page view.
Your session (when signed in)
Stored in Cloudflare KV, a key-value store. Expires after 7 days of inactivity. Deleted immediately when you sign out.
Payment details (for domain purchases)
Handled entirely by Stripe. Card numbers never touch our servers. We store only the Stripe session ID and the amount paid.
Who can see it
You, through the dashboard. Your site's visitors, when they load your site's URL (unless you have password-protected it). Us, only when investigating a specific operational issue you have reported, or a specific abuse report. Every internal access is logged and auditable.
We do not train AI models on your content. We do not sell, rent, or share your data with advertisers or data brokers. We do not allow third parties to scrape our subdomains for training datasets (our robots.txt explicitly disallows the known scraping agents).
How to delete your data
Delete one site
Dashboard → Site → Settings → Delete. The site record and all files are removed within 60 seconds. Cached copies at Cloudflare's edge are purged immediately. Your link is no longer reachable.
Delete your entire account
Email support@whatimade.app from your registered address with "Delete my account" in the subject. We confirm within 24 hours and complete deletion within 30 days, per GDPR. All sites, all files, all records.
Export your data before deleting
Every file in every site is downloadable from the dashboard file manager. Your site metadata (title, subdomain, custom domain, deploy history) is available via our API at /v1/sites with your session cookie or an API key. If you need a single bundled export, email us.
What we do with law enforcement requests
We comply with valid legal orders issued by UK or EU courts. We do not voluntarily share data without a legal order. We publish a summary of requests we receive in an annual transparency report, starting in 2027.
We will challenge overbroad requests where we have standing. We will notify the affected user unless a gag order forbids it.
What happens if we are acquired
Your data does not transfer automatically. If we were ever acquired or shut down, we commit to: (1) notifying all users at least 60 days in advance, (2) providing a one-click bulk export of all your sites, (3) honouring deletion requests during the transition. Your domain registrations transfer to you directly (they are registered in your name with Cloudflare Registrar, not in ours).
Security baseline
- HTTPS everywhere. Let's Encrypt or Cloudflare-managed certificates. No HTTP.
- Passwords for password-protected sites are hashed with PBKDF2, 100,000 iterations, per-site salt.
- API keys are hashed with SHA-256 before storage. The full key is shown to you exactly once, at creation. If you lose it, revoke and re-create.
- Session cookies are HttpOnly, Secure, SameSite=Lax. Each is paired with a non-sensitive presence flag so the UI can tell you are signed in without having to read the session token.
- Stripe webhook signatures are verified on every event. Replay attacks are rejected.
- All API routes require authentication. Cross-tenant isolation is tested in our integration suite.
- Rate limits on every endpoint. Per-IP, per-user, and per-API-key budgets.
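The password and API-key storage items above, sketched in Python as an added example (not Whatimade's own code). It assumes HMAC-SHA256 as the PBKDF2 PRF, a 16-byte salt, and a hypothetical `wim_` key prefix, none of which this page specifies.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # iteration count stated on the page
SALT_BYTES = 16  # assumption: the page does not state a salt length


def hash_site_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). With no salt given, a fresh per-site salt is drawn."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    # Assumption: HMAC-SHA256 as the PRF; the page names only PBKDF2.
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_site_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    _, candidate = hash_site_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)  # constant-time comparison


def create_api_key() -> Tuple[str, str]:
    """Return (full_key, digest). Store only the digest; show full_key once."""
    full_key = "wim_" + secrets.token_urlsafe(32)  # hypothetical prefix, 256 random bits
    # A single unsalted SHA-256 is adequate only because the key is high-entropy
    # random data; it would not be for a human-chosen password.
    return full_key, hashlib.sha256(full_key.encode("ascii")).hexdigest()


def verify_api_key(presented: str, stored_digest: str) -> bool:
    digest = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    salt_a, key_a = hash_site_password("correct horse")
    salt_b, key_b = hash_site_password("correct horse")
    print("same password on two sites hashes identically:", key_a == key_b)
    print("password accepted:", verify_site_password("correct horse", salt_a, key_a))
    full_key, digest = create_api_key()
    print("stored digest:", digest)
    print("key accepted:", verify_api_key(full_key, digest))
```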
Content safety, limited scope
For anonymous (no-account) uploads only, we run a narrow automated check for known malware signatures and obvious phishing-form patterns, to prevent our subdomains from being used to host credential-collection pages. Authenticated users' uploads are not scanned. Details in our Privacy Policy.
Who we are
Whatimade is a trading name of G2G Advisory Ltd, registered in England & Wales. Our registered address and company number are available on request at support@whatimade.app.
Questions?
If anything on this page is unclear or you have specific concerns about how we handle your data, email support@whatimade.app. A human responds. We answer most emails within one business day.