Privacy Policy

Effective May 30, 2026

1. Introduction

This Privacy Policy explains how Oryx Technologies LLC ("Oryx Tech," "we," "us," or "our"), doing business as Website Upgraders and Website Upgrader Pro, collects, uses, shares, and protects personal information. It applies to the websiteupgraderpro.com marketing site, the Website Upgrader Pro client dashboard, any websites we operate on behalf of our small-business clients (each a "Tenant"), and any related APIs (collectively, the "Services").

We are based in New Hampshire, USA. Our contact information is in Section 14.

We distinguish three categories of people whose data we handle:

  • Account holders -- the people Oryx Tech provisions to operate a Tenant dashboard (typically a small-business owner or staff member).
  • Public visitors -- anyone who visits our marketing site or submits a sales inquiry.
  • End-customers of our clients -- people who interact with a Tenant's website (e.g. submit a contact form, sign up for a Tenant's newsletter, or request a booking). For this category, the Tenant is the data controller; Oryx Tech acts as a data processor under their direction.

2. Information We Collect

We collect only what we need to operate the Services. Specifically:

2.1 Account information

  • Email address (used as your login identifier)
  • A hashed password (we never store or see the plain-text password; we use a bcrypt-family one-way hash)
  • Your display name, if you provide one
  • Session metadata (IP address, browser user-agent, sign-in timestamps, last-active timestamps), used for security and impersonation auditing
  • The tenant organization(s) you belong to and your role within them

2.2 Billing information

Our payment processor (Stripe) collects and stores your billing details. We receive and store only a Stripe customer ID, subscription status, last-four card digits, and invoice metadata. We never receive, store, or have access to your full card number, CVV, or bank credentials. Stripe is PCI DSS Level 1 certified.

2.3 Marketing-site interactions

  • Contact-form submissions: name, email, phone (optional), company, project type, budget range, timeline, and your description of the project
  • Pageview analytics: anonymized, cookieless, aggregate metrics collected by Plausible (see Section 4)
  • Error and performance telemetry collected by Sentry (see Section 4)

2.4 Data we collect on behalf of Tenants

When you interact with a Tenant's website (one we host or manage), we may receive on the Tenant's behalf:

  • Contact-form submissions you send to the Tenant
  • Newsletter signups, including email address and double-opt-in tokens
  • Booking and reservation requests
  • Any other information you voluntarily submit through a form on the Tenant's website

For this category, the Tenant determines what to collect and how to use it. To exercise your rights regarding this data, contact the Tenant directly. We will assist the Tenant in honoring valid requests.

3. How We Use Information

We use personal information to:

  • Provide, operate, secure, and improve the Services
  • Authenticate you and protect your account against unauthorized access
  • Bill you for subscriptions and process refunds
  • Communicate with you about your account, billing, security incidents, and material changes to the Services or this Policy (these are transactional communications you cannot opt out of while you have an active account)
  • Send you optional product updates and news -- only when you have opted in or it is permitted under applicable law. You can opt out at any time.
  • Detect, prevent, and investigate fraud, abuse, and security incidents
  • Comply with legal obligations and enforce our Terms of Service

4. Third-Party Services

We use a small, audited set of third-party service providers ("sub-processors") to run the Services. Each handles data only on our instructions and is contractually bound to safeguard it.

  • Stripe, Inc. -- payment processing and subscription billing. PCI DSS Level 1 certified. See stripe.com/privacy.
  • Resend -- transactional and newsletter email delivery. Receives the recipient email, subject, and body. See resend.com/legal/privacy-policy.
  • Railway -- application hosting and our Postgres database (United States region). See railway.app/legal/privacy.
  • Plausible Analytics -- privacy-friendly, cookieless web analytics. Counts pageviews and traffic sources without setting cookies, fingerprinting devices, or collecting personal data. See plausible.io/privacy-focused-web-analytics.
  • Sentry -- error and performance monitoring. Receives stack traces, user agent, and an anonymized user ID for diagnostic purposes. Configured to scrub sensitive fields. See sentry.io/privacy.

We do not sell personal information. We do not share personal information with advertising networks, data brokers, or third-party trackers. We do not use Google Analytics, Facebook Pixel, or similar tracking technologies.

5. Cookies and Tracking

We use the minimum cookies necessary to operate the Services. Specifically:

  • Session cookie (essential): set by BetterAuth when you sign in. Used to keep you authenticated. Expires after 30 days of inactivity. HTTP-only and Secure.
  • CSRF token cookie (essential): set when you interact with authenticated forms. Used to prevent cross-site request forgery.

We do not use advertising, profiling, or analytics cookies on our marketing site. Plausible Analytics is cookieless by design. You can disable cookies in your browser, but doing so will prevent you from signing in to the dashboard.

6. Your Privacy Rights

Depending on where you live, you may have the following rights regarding your personal information:

  • Right to know -- request a copy of the personal information we hold about you
  • Right to correct -- ask us to fix inaccurate information
  • Right to delete -- ask us to delete your personal information, subject to legal exceptions (e.g. billing records we are required to retain)
  • Right to opt out -- opt out of marketing communications at any time
  • Right to non-discrimination -- we will not deny service, charge a different price, or provide a different level of quality because you exercised a privacy right
  • Right to portability -- request a copy of your data in a machine-readable format. Tenant administrators can also export their organization's data directly through the dashboard.

These rights are afforded under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and the New Hampshire SB 255 / RSA 507-H consumer-data-privacy framework. To exercise any of these rights, email us at oryxtechnologiesllc@gmail.com with the request and enough information to verify your identity (typically the email address associated with your account). We will respond within 45 days, or sooner where required by law.

7. Data Retention

We retain personal information only as long as needed to provide the Services and comply with our legal obligations.

  • Account data: retained while your account is active and for up to 90 days after account closure, then deleted, unless we have a legal reason to keep it longer.
  • Billing records: retained for at least 7 years to comply with U.S. tax and accounting requirements.
  • Marketing-site inquiries: retained for up to 24 months from last contact, then deleted.
  • Tenant end-customer data: retained per the Tenant's instructions. When a Tenant's subscription terminates, their customer-facing data is deleted within 30 days unless the Tenant has requested an export.
  • Server and security logs: retained for up to 90 days.

8. Children

The Services are not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child has provided us personal information, contact us and we will delete it. This complies with the Children's Online Privacy Protection Act (COPPA).

9. International Transfers

Our infrastructure is operated in the United States. If you access the Services from outside the U.S., your information will be transferred to and processed in the U.S., which may have different data-protection laws than your jurisdiction. For transfers from the European Economic Area, United Kingdom, or Switzerland to the U.S., we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the UK International Data Transfer Addendum. Contact us if you would like a copy of the transfer mechanism we use.

10. Security

We protect personal information with administrative, technical, and physical safeguards appropriate to its sensitivity. These include:

  • TLS 1.2+ encryption for all data in transit
  • One-way password hashing (bcrypt-family); we never store plain-text passwords
  • Database-backed sessions with 30-day expiry and forced refresh
  • SHA-256 hashed API keys; we never store the raw key after generation
  • Role-based access control; cross-tenant access blocked at the application layer
  • Stripe handles all card data. Stripe is PCI DSS Level 1 certified. We never see, store, or have access to your full card details.
  • Structured logging with automatic redaction of sensitive fields (passwords, tokens, API keys)
  • Automatic database backups with point-in-time recovery

No internet-connected system is perfectly secure. We continually review and improve our practices, and we are committed to disclosing incidents in accordance with the breach-notification section below.

11. Data Breach Notification

Under New Hampshire RSA 359-C:20, we will notify affected New Hampshire residents without unreasonable delay following confirmation of a security breach that has compromised personal information. Where required by other state or federal laws, we will provide notice to those residents and the relevant regulators on the timeline those laws require. Notice will be provided by email, by posting on our website, or both, depending on the circumstances.

12. Do Not Track and Global Privacy Control

Because we do not use behavioral-advertising trackers, we treat "Do Not Track" signals and Global Privacy Control (GPC) signals from your browser as a valid opt-out of any sale or sharing of personal information for cross-context behavioral advertising. We do not currently engage in such sale or sharing.

13. Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will notify you by email (to the address associated with your account) and, where required, post a notice on our website at least 30 days before the changes take effect. The "Effective" date at the top of this page reflects the most recent revision. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.

14. Contact Us

Questions, requests, or complaints? Reach our privacy team:

See also our Terms of Service and DMCA Policy.