Privacy Policy
Last updated: 2026-04-17
1. Who We Are
ZiaMade LLC ("ZiaMade," "we," "us," or "our") is a New Mexico limited liability company that provides web design subscription services for small businesses. This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our website at ziamade.com, our client websites, and our related services.
For questions about this policy or your data, contact us at:
2. Information We Collect
2.1 Information You Provide Directly
When you interact with our services, you may provide:
- Account and contact information: Your name, email address, phone number, and business name (collected when you submit our intake form, check out, or contact us).
- Business information: Your business address, industry, services offered, website URL, hours of operation, and any other details you share to help us build your site.
- Payment information: Your payment method details are collected and processed by Stripe, Inc. We do not see, store, or have access to your full credit card number, expiration date, or security code.
- Communications: Messages you send us via email, text, or the contact form on your website.
2.2 Information We Collect from Public Sources (Clients)
To build your website, we gather publicly available information about your business, including:
- Google Business Profile: Business name, address, phone number, hours, photos, and customer reviews from Google.
- Public web presence: Information from your existing website (if any), social media profiles, and business directory listings.
- Public reviews: Customer reviews from platforms like Google and Yelp, displayed with attribution to the original platform and reviewer.
We only gather information that is already publicly accessible. We do not purchase personal data from data brokers or scrape private information.
2.3 Information About Prospective Clients
When we identify a business that may benefit from our services, we collect publicly available business information including: business name, address, phone number, website URL, industry, Google rating and review count, hours of operation, and social media profile URLs. This information is gathered from Google Business Profile, public web searches, and publicly accessible business directories.
We use this information to (a) assess whether the business may benefit from a professional website, (b) build a speculative preview website, and (c) send a physical mailer introducing our service.
We do not collect personal information about business owners (such as home addresses, personal email, or personal phone numbers) from public sources. Business contact information (business phone, business address) is collected as it appears on public listings.
2.4 Information Collected Automatically
When you visit ziamade.com or a client website we host:
- Server logs: Your IP address is temporarily processed by Cloudflare for security, rate limiting, and abuse prevention. We do not persistently log IP addresses in our own database.
- Analytics: We use Cloudflare Web Analytics, a privacy-focused analytics service that does not use cookies, does not track individual visitors, and does not collect personal information. It provides only aggregate data (total page views, visitor counts, performance metrics).
- Security cookies: Cloudflare may set essential cookies for bot detection and security (such as the __cf_bm cookie). These are strictly necessary for website operation and are not used for tracking or advertising.
3. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Data Used |
|---|---|
| Building your website | Business name, address, industry, services, photos, reviews, hours |
| Processing payments | Email, name, payment method (via Stripe) |
| Sending transactional emails | Email, name, business name (confirmations, status updates, billing notices) |
| AI content generation | Business name, industry, services, public info (sent to Google Gemini to generate website copy and images) |
| Forwarding customer inquiries | Inquiry sender's name, email, phone, message (forwarded to the business owner) |
| Security and abuse prevention | IP address (for rate limiting), CAPTCHA verification |
| Improving our service | Aggregate analytics (page views, visitor counts, no personal data) |
We do not sell your personal information. We do not use your data for advertising. We do not build profiles for behavioral targeting.
4. AI Processing
We use AI tools (currently Google Gemini) to assist in generating website content for your business. This includes text copy, descriptions, and sometimes images. When we use these tools:
- We send your business information (name, industry, services, publicly available details) to Google's AI services to generate content.
- We do not send your personal contact information (email, phone, payment details) to AI services.
- Google's AI services process this data under Google's API Terms of Service. Data sent through the Gemini API is not used to train Google's models.
- All AI-generated content is reviewed before publication and you have the opportunity to review and request corrections before your site goes live.
5. Third-Party Service Providers
We share your information with the following service providers, solely to operate and deliver our service. Each provider processes data under their own privacy policies and data processing agreements:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Name, email, payment method. Stripe may also collect your IP address and device information for fraud prevention. |
| Cloudflare | Website hosting, CDN, DNS, analytics, security | IP address, page requests (processed for security and aggregate analytics, not stored by us). |
| Resend | Transactional email delivery | Recipient email address, email content. |
| Google | Business data enrichment (Places API), AI content generation (Gemini) | Business name, location, industry (public business data only, not personal contact info for Gemini). |
| GitHub | Website source code hosting | Website content files (text, images, configuration). No personal contact information is stored in repositories. |
| Lob | Physical mail delivery | Business name, business address (USPS-standardized). No personal information. |
We do not share your personal information with any other third parties for marketing, advertising, or data brokerage purposes.
6. Cookies and Tracking
We take a minimal approach to cookies and tracking:
- No advertising cookies. We do not use Google Analytics, Facebook Pixel, or any advertising or retargeting trackers.
- No analytics cookies. Cloudflare Web Analytics is cookie-free and does not track individual users.
- Essential security cookies only. Cloudflare may set cookies (such as __cf_bm) strictly for bot detection and DDoS protection. These expire after 30 minutes of inactivity and cannot be used to identify you personally.
- Payment security. When you make a payment, Stripe may set cookies and collect device information for fraud detection. This is governed by Stripe's Privacy Policy.
We do not honor "Do Not Track" browser signals because we do not track you in the first place. There is no tracking to disable.
7. Data Retention
We retain your data only as long as necessary for the purposes described in this policy. Most data has automated retention limits enforced daily:
| Data Type | Retention Period |
|---|---|
| Active subscriber data (name, email, business info) | Retained while subscription is active. |
| Client data (after cancellation) | Personal info (name, phone, address) scrubbed 12 months after subscription ends. Email retained in suppression list per CAN-SPAM. |
| Contact form inquiries (visitor name, email, phone, message) | All personal information (including the message body) is scrubbed after 90 days. Anonymous record retained for 180 days for analytics. |
| Prospective leads (not subscribed) | Data deleted 12 months after last contact attempt. Email preserved in suppression list per CAN-SPAM. |
| Event and audit logs | Email addresses in event details scrubbed after 90 days. Full records deleted after 180 days. |
| Email delivery events (Resend webhook records: recipient, delivery status) | 180 days, then automatically deleted. |
| Social media connections (OAuth tokens) | Tokens deleted immediately on subscription cancellation. |
| Internal operational records | Personal identifiers removed after 12 months. |
| Email suppression list | Retained indefinitely (CAN-SPAM compliance). |
| Payment records | Retained by Stripe per their retention policies and applicable tax law (typically 7 years). |
| IP addresses (rate limiting) | In-memory only, cleared within minutes. Not stored in any database. |
| Preview site data (deployed, never subscribed) | 60 days from deployment, then auto-archived and data purged within 30 days. |
| Postcard campaign records | 2 years (for cost tracking and tax compliance). |
| QR scan logs | 180 days. IP addresses are salted hashes, not reversible. |
8. Your Rights
Regardless of where you are located, we offer the following rights to all users:
- Access: You can request a copy of the personal information we hold about you.
- Correction: You can ask us to correct inaccurate information.
- Deletion: You can ask us to delete your personal information. We will comply unless we are required to retain it by law (such as tax records).
- Data portability: You can request an export of your data in a standard, machine-readable format.
- Objection: You can object to specific uses of your data. If we have no overriding legitimate interest, we will stop.
To exercise any of these rights, email us at alex@ziamade.com with the subject line "Privacy Request." We will respond within 30 days. We may ask you to verify your identity before processing the request.
If you are a prospective client who has not subscribed, you may request deletion of all data we hold about your business by emailing us at alex@ziamade.com. We will process your request within 30 days.
We will never charge you a fee for exercising your privacy rights.
9. Data Security
We implement reasonable technical and organizational measures to protect your personal information:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
- Encryption at rest: Your data is stored on Cloudflare's infrastructure, which encrypts data at rest.
- Access controls: Database access is restricted to server-side API routes using secure, scoped credentials. No client-side code can access the database directly.
- Payment security: Credit card data is handled entirely by Stripe (PCI DSS Level 1 certified). We never see, process, or store your card details.
- CAPTCHA protection: Forms are protected by Cloudflare Turnstile to prevent automated abuse.
- Rate limiting: API endpoints are rate-limited to prevent abuse and brute-force attacks.
No system is 100% secure. While we take reasonable precautions, we cannot guarantee absolute security. If we discover a data breach that affects your personal information, we will notify you and the appropriate authorities in accordance with applicable law, including New Mexico's Data Breach Notification Act (within 45 calendar days of discovery).
10. Children's Privacy
Our services are intended for business owners and are not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at alex@ziamade.com and we will promptly delete that information.
11. Information About Client Website Visitors
If you are a visitor to a website we built and host for a client (not a ZiaMade subscriber yourself), this section applies to you:
- Contact form submissions: If you submit a contact form on a client's website, your name, email, phone number, and message are forwarded to the business owner via email. Your personal information is stored in our database for up to 90 days, after which it is automatically scrubbed (deleted). The anonymous record (without your personal details) is retained for up to 180 days for the business owner's analytics.
- No tracking: Client websites use the same privacy-focused Cloudflare Web Analytics (no cookies, no personal data collection).
- No advertising: We do not place ads on client websites or use visitor data for advertising.
The business whose website you visited is a separate entity from ZiaMade. Their use of your inquiry information (after we forward it) is governed by their own practices, not this policy.
Direct Mail
We may send physical mail (such as postcards) to your business address to introduce our services. Your business address is obtained from public sources such as Google Business Profile.
If you do not wish to receive mail from us, contact us at alex@ziamade.com or use the removal link on any preview site. We will add your business to our suppression list within 10 business days.
We do not share your business address with third parties for their marketing purposes. Physical mail is sent through Lob, Inc., a USPS-certified mail provider, solely on our behalf.
12. Email Communications
We send the following types of emails:
Transactional emails (you cannot opt out of these while subscribed)
- Intake form confirmation ("we received your request")
- Site preview and approval notifications
- "Your site is live" confirmation
- Payment failure and billing update reminders
- Subscription cancellation confirmation
- Contact form inquiry forwarding (for business owners)
Marketing emails (if applicable in the future)
We do not currently send marketing emails. If we do in the future, every message will include an unsubscribe link and our physical mailing address, and we will honor opt-out requests within 10 business days as required by the CAN-SPAM Act.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes:
- We will update the "Last updated" date at the top of this page.
- For material changes that affect how we handle your data, we will notify active subscribers by email at least 30 days before the changes take effect.
- Your continued use of our services after the effective date constitutes acceptance of the updated policy.
14. Additional State Disclosures
While most comprehensive state privacy laws (CCPA, CPRA, TDPSA, etc.) do not apply to ZiaMade based on current revenue and data volume thresholds, we voluntarily provide the following disclosures:
- Sale of personal information: We do not sell your personal information, and we have never sold personal information.
- Sharing for targeted advertising: We do not share your personal information with third parties for targeted advertising purposes.
- Sensitive personal information: We do not collect sensitive personal information as defined by state privacy laws (Social Security numbers, financial account credentials, precise geolocation, biometrics, health data, etc.).
- Automated decision-making: We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.
As our business grows, we will reassess our obligations under applicable state and federal privacy laws and update this policy accordingly.
15. Contact Us
If you have questions, concerns, or requests related to this Privacy Policy or your personal data, contact us at:
ZiaMade LLC
Albuquerque, New Mexico
Email: alex@ziamade.com
Phone: (505) 596-0251
For privacy requests, use the subject line "Privacy Request" so we can route your inquiry promptly.