Privacy Policy
Effective Date: [Effective Date]
Last Updated: [Last Updated Date]
This Privacy Policy explains how Giant Conglomerate, LLC d/b/a Bistu ("Bistu," "we," "us," or "our") collects, uses, shares, and protects information about you when you use our website builder platform and related services (collectively, the "Service"). It also describes your rights with respect to your personal data and how to exercise them.
By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please discontinue use of the Service.
1. Who We Are
Bistu operates a website builder platform designed for small businesses. We act as the data controller for the personal information we collect from our customers (the individuals and businesses who subscribe to the Service).
When our customers use the Service to publish a website, that website is hosted on our infrastructure at a path under Bistu's primary domain (e.g., bistu.io/businessname). While customers are responsible for the content and operation of their websites, Bistu controls the underlying infrastructure and domain, and incidentally receives technical data from all visitors to those websites as a result. The respective responsibilities of Bistu and our customers with respect to those websites and their visitors are described in Section 6.
If you have questions about this policy or our data practices, contact us at:
Giant Conglomerate, LLC d/b/a Bistu
bistu.io
contact@bistu.io
2. Information We Collect
We collect information in three ways: information you provide directly, information generated through your use of the Service, and information from third-party services.
2.1 Account and Registration Information
When you sign up for the Service, we collect:
- Name and email address
- Business name and contact details
- Password (stored in hashed form using bcrypt through our authentication provider, Supabase — we never store your password in plain text)
- Billing address and subscription plan details
2.2 Business Content You Provide
To build your website, you provide us with content about your business, which may include:
- Business name, description, address, and contact information
- Photos, logos, and other media
- Product or service listings, pricing, and descriptions
- Any other content you choose to add to your website
This content is used solely to generate and host your website and is not used for advertising or sold to third parties.
2.3 Payment Information
We use Stripe to process subscription payments. When you enter payment details, that information is transmitted directly to Stripe and is subject to Stripe's Privacy Policy. We do not receive or store your full credit card number. We retain only non-sensitive billing details such as the last four digits of your card, card type, and billing address for account management purposes.
2.4 Usage and Analytics Data
We use PostHog to understand how users interact with our platform. This may include:
- Pages visited and features used
- Time spent in the application
- Device type, browser, operating system, and approximate location (country/region level)
- Referring URLs and session data
- Click patterns, scrolls, and other interaction events
PostHog analytics data is used to improve the Service. PostHog is a cloud-hosted analytics platform; for more information on how PostHog handles data, see PostHog's Privacy Policy.
2.5 Communications Data
We use Brevo to send transactional and product-related emails, such as account confirmations, billing notifications, product updates, and support responses. When you communicate with us, we retain records of those communications.
2.6 Technical and Log Data
Our servers and cloud infrastructure automatically collect certain technical information, including:
- IP address
- Browser type and version
- Timestamps and access logs
- Error reports and diagnostic data
This data is used for security monitoring, troubleshooting, and maintaining the reliability of the Service.
3. How We Use Your Information
We use the information we collect for the following purposes:
- To provide and operate the Service — creating and hosting your website, managing your account, and processing payments
- To communicate with you — sending transactional emails, billing notices, product updates, and responding to support requests
- To improve the Service — analyzing usage patterns, fixing bugs, and developing new features
- To ensure security — detecting and preventing fraud, unauthorized access, and abuse
- To comply with legal obligations — responding to legal requests and enforcing our Terms of Service
- To send marketing communications — with your consent where required, we may send you information about new features or offers; you can unsubscribe at any time
4. Legal Basis for Processing (For EEA, UK, and Swiss Users)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data under the following legal bases:
| Processing Purpose | Legal Basis |
|---|---|
| Providing the Service and managing your account | Performance of a contract (Art. 6(1)(b) GDPR) |
| Processing payments | Performance of a contract (Art. 6(1)(b) GDPR) |
| Sending transactional emails | Performance of a contract (Art. 6(1)(b) GDPR) |
| Analytics and product improvement | Legitimate interests (Art. 6(1)(f) GDPR) |
| Security and fraud prevention | Legitimate interests (Art. 6(1)(f) GDPR) |
| Marketing communications | Consent (Art. 6(1)(a) GDPR) |
| Legal compliance | Legal obligation (Art. 6(1)(c) GDPR) |
5. How We Share Your Information
We do not sell your personal data. We share information only in the following circumstances:
5.1 Service Providers
We share data with trusted third-party vendors who help us operate the Service. These providers are contractually bound to use your data only for the services they perform on our behalf:
| Provider | Purpose | Privacy Policy |
|---|---|---|
| Stripe | Payment processing | stripe.com/privacy |
| PostHog | Product analytics (platform and customer websites) | posthog.com/privacy |
| Brevo | Transactional and marketing email | brevo.com/legal/privacypolicy |
| Supabase | Database hosting and authentication | supabase.com/privacy |
| Vercel | Application hosting and content delivery | vercel.com/legal/privacy-policy |
5.2 Legal Requirements
We may disclose your information if required to do so by law or in response to a valid request from a government authority (e.g., a court order or subpoena). We will notify you of such requests where legally permitted to do so.
5.3 Business Transfers
If Bistu is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website before your data is transferred and becomes subject to a different privacy policy.
5.4 With Your Consent
We may share your information with third parties for other purposes if you give us your explicit consent to do so.
6. Websites We Generate on Your Behalf
This section is specific to how we handle your published website and the visitors who interact with it.
6.1 Data Controller Responsibilities for Your Published Website
Your published website is hosted at a path under Bistu's primary domain and served from our infrastructure. Because of this, Bistu and our customers share responsibilities for how visitor data is handled — though in different ways.
You, as the website owner, are responsible for:
- The content on your website and any personal data actively collected from visitors (e.g., contact forms, booking widgets, newsletter sign-ups)
- Enabling or disabling analytics tracking on your website
- Ensuring your business contact information in the Service is kept accurate, as it is used in the privacy notice Bistu generates for your website (see Section 6.4)
- Ensuring that the cookie consent mechanism on your Generated Website (whether provided by Bistu or supplemented by you) meets the requirements of applicable law, including GDPR if your visitors are in the EU/EEA
- Complying with all applicable privacy laws with respect to your website visitors
Bistu is responsible for:
- The technical infrastructure used to deliver your website, including servers and the domain under which your website is hosted
- Server-level technical data collected from all visitors to websites on our platform, as described in Section 6.3
- Providing a default cookie consent mechanism that is displayed to first-time visitors of your website
- Any cookies or tracking technologies set by Bistu on your published website (see Section 9.2)
To the extent that Bistu and you both receive or determine the use of personal data from your website visitors (for example, where we both receive server log data), we may be considered joint controllers under applicable privacy law. In such cases, Bistu's responsibilities are limited to the server-level processing described in this policy; all other processing is your responsibility as the website operator.
6.2 Analytics on Your Published Website
If you enable PostHog analytics (or any other third-party analytics tool) on your generated website, you become the data controller for the visitor data collected through that tool. Bistu does not use analytics data collected from your website visitors for its own purposes unrelated to providing the Service to you.
As the data controller for your website's analytics, you are responsible for:
- Ensuring cookie consent compliance — Bistu provides a default cookie consent mechanism for first-time visitors to your website. However, you are responsible for ensuring that this mechanism, together with any additional measures you may implement, satisfies the requirements of all applicable laws in the jurisdictions where your visitors are located.
- Configuring data retention and anonymization settings for analytics data in accordance with applicable law.
Bistu will automatically update your website's generated privacy notice to disclose the use of analytics when you enable it (see Section 6.4), but you remain responsible for ensuring that visitor consent is obtained where required by law before analytics tracking begins.
6.3 Data Bistu Collects From Your Website Visitors
Because your website is hosted on our servers under our domain, our infrastructure automatically collects certain technical data every time a visitor loads your website. This includes:
- IP address of the visitor's device
- Browser type, version, and operating system
- Pages and resources requested (URLs, file paths)
- Timestamps of each request
- HTTP referrer (the page the visitor came from)
- Error reports and diagnostic data
This data is collected at the server level regardless of what content is on your website, and is used by Bistu solely for:
- Security monitoring, DDoS mitigation, and abuse prevention across our platform
- Diagnosing technical issues with website delivery and uptime
- Maintaining and improving our hosting infrastructure
Bistu does not use this data for advertising, does not share it with website owners, and does not combine it with the business content you have uploaded. It is subject to the same security and retention standards described in the rest of this policy. Visitors to customer websites are not individually profiled or targeted by Bistu based on this data.
6.4 Privacy Notices on Your Published Website
Because your website is accessible to the public under our domain, and because visitor data is collected at the server level as described in Section 6.3, Bistu automatically generates and publishes a privacy notice on every customer website as part of the Service. You do not need to create or maintain this notice yourself.
The generated privacy notice is created using the business information you provide during setup and covers, at minimum:
- The identity and contact information of the business operating the website
- That the website is hosted by Bistu on its infrastructure, and that Bistu automatically collects server-level technical data (such as IP addresses and access logs) as described in this policy
- Any analytics tools enabled on the website and what visitor data they collect
- How visitors can contact the business with privacy-related questions
When you enable analytics or other third-party tracking tools on your website, Bistu will automatically update your generated privacy notice to reflect this. You are responsible for ensuring that the business contact information you provide to us is accurate, as it will appear in your website's privacy notice. You may not remove or override the generated privacy notice, as it contains disclosures that Bistu is required to make to visitors of websites hosted on its infrastructure.
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:
- Account data is retained for the duration of your subscription and for up to 7 years after account closure, in order to comply with tax, legal, and accounting obligations
- Business content (your website content) is deleted within 30 days of account closure, unless you request earlier deletion
- Payment records are retained as required by applicable financial regulations (typically 7 years)
- Analytics data is retained in accordance with PostHog's data retention settings and our configured retention policies
- Support communications are retained for 3 years after the last interaction
When data is no longer required, we securely delete or anonymize it.
8. Security
We implement industry-standard technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Password hashing using bcrypt through our authentication provider
- Access controls limiting employee access to personal data on a need-to-know basis
- Regular security reviews and vulnerability assessments
No method of transmission over the internet or electronic storage is 100% secure. While we take data security seriously, we cannot guarantee absolute security. If you become aware of any security vulnerability related to our Service, please contact us at contact@bistu.io.
In the event of a data breach that affects your rights and freedoms, we will notify you and applicable regulatory authorities as required by law.
9. Cookies and Tracking Technologies
9.1 Cookies on Our Platform
We use cookies and similar tracking technologies to operate and improve the Service. Cookies are small text files stored on your device.
Types of cookies we use:
- Strictly necessary cookies — required for the Service to function (e.g., authentication sessions)
- Analytics cookies — used by PostHog to understand how the Service is used
- Preference cookies — used to remember your settings and preferences
You can control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of the Service. For more information on managing cookies, visit allaboutcookies.org.
9.2 Cookies on Your Published Website
Because customer websites are hosted at paths under Bistu's primary domain (bistu.io), cookies set on the root domain may be accessible across the platform and published websites. Specifically:
- Cookies scoped to the root domain (e.g., .bistu.io) may be readable across both our platform and all customer website paths. Bistu limits such cookies to technically necessary purposes and does not use root-domain cookies to track visitors across unrelated customer websites.
- Cookies scoped to a specific path are isolated to that customer's website context where supported by the browser.
Bistu provides a cookie consent mechanism that is displayed to first-time visitors of every customer website. Bistu may also set technically necessary cookies on published websites (for example, to support security functions and the cookie consent mechanism itself). We do not set advertising or behavioral tracking cookies on customer websites without the website owner's explicit configuration.
Any analytics or third-party cookies enabled by you on your published website (such as PostHog) are set under your responsibility as the website operator. As noted in Section 6.2, you are responsible for ensuring that the cookie consent mechanism on your website meets the requirements of applicable law before analytics tracking begins.
10. International Data Transfers
Bistu is based in the United States, and your data is processed and stored in the United States by our infrastructure and service providers. If you are located outside the United States, your data will be transferred to and processed in the United States, which may have different data protection laws than your home country.
Where we transfer personal data from the EEA, UK, or Switzerland to countries not recognized as providing adequate data protection, we use appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreements (IDTAs) for UK transfers
By using the Service, you acknowledge that your data may be transferred internationally as described here.
11. Your Rights
Depending on your location, you may have the following rights regarding your personal data.
11.1 Rights for EEA, UK, and Swiss Residents (GDPR)
- Right of Access — Request a copy of the personal data we hold about you
- Right to Rectification — Request correction of inaccurate or incomplete data
- Right to Erasure ("Right to be Forgotten") — Request deletion of your personal data, subject to certain legal exceptions
- Right to Restriction — Request that we limit the processing of your data
- Right to Data Portability — Request your data in a structured, machine-readable format
- Right to Object — Object to processing based on legitimate interests, including direct marketing
- Right to Withdraw Consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
- Right to Lodge a Complaint — You have the right to lodge a complaint with your local data protection authority (e.g., the ICO in the UK or your national supervisory authority in the EU)
Note for visitors of customer-operated websites: Websites built using our platform are operated by our customers (small businesses) and are hosted on our infrastructure at paths under our primary domain. If you wish to exercise rights regarding personal data collected by the business whose website you visited (such as data submitted through a contact form), please contact that business directly using the contact information on their website. If your request relates to server-level technical data that Bistu collects as part of hosting (such as IP addresses in server logs), you may contact us at contact@bistu.io.
11.2 Rights for California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights:
- Right to Know — Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months
- Right to Delete — Request deletion of your personal information, subject to certain exceptions
- Right to Correct — Request correction of inaccurate personal information
- Right to Opt Out of Sale or Sharing — We do not sell or share your personal information for cross-context behavioral advertising
- Right to Non-Discrimination — We will not discriminate against you for exercising your privacy rights
To submit a request, contact us at contact@bistu.io. We will respond within 30 days (or 45 days for complex requests).
11.3 Exercising Your Rights
To exercise any of the rights listed above, please contact us at contact@bistu.io with:
- Your name and account email address
- A description of your request
- Proof of identity if required (to protect against unauthorized requests)
We will respond within the timeframe required by applicable law.
12. Children's Privacy
The Service is intended for use by adults and businesses. We do not knowingly collect personal information from individuals under the age of 16. If you believe we have inadvertently collected information from a minor, please contact us at contact@bistu.io and we will promptly delete it.
13. Third-Party Links
Our platform may contain links to third-party websites. We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies before providing any personal information.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify you by email or a prominent notice within the Service
Your continued use of the Service after the effective date of the updated policy constitutes your acceptance of the changes. If you do not agree, please discontinue use of the Service and contact us to close your account.
15. Contact Us
If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:
Giant Conglomerate, LLC d/b/a Bistu
Email: contact@bistu.io
Website: bistu.io
For EEA or UK residents, you also have the right to contact your local data protection authority. A list of EEA supervisory authorities is available at edpb.europa.eu. The UK supervisory authority is the Information Commissioner's Office (ICO) at ico.org.uk.
This document was last reviewed on [Last Updated Date].