ANTHONY.EST. 2026 · CNY(315) 281-9639Client PortalFREEAudit
Legal

Privacy Policy

Version 1.0 · Effective 2026-05-16

Who we are

Designed by Anthony (“ANTHONY”, “we”, “us”) is a sole proprietorship operated by Anthony Jones in Rome, NY, USA. We design and host websites for small businesses across North America and provide a free SEO audit tool at designedbyanthony.com.

For privacy-related questions, contact anthony@designedbyanthony.com. We respond personally within one business day.

Geographic scope

ANTHONY serves clients in the United States and Canada. Visitors from the European Union, United Kingdom, European Economic Area, and Switzerland are blocked at the Cloudflare edge and do not reach our application or have data collected. If you reached this page despite that, please let us know — it’s a misconfiguration on our end.

What this policy covers

This policy describes what personal information we collect when you:

  • Visit designedbyanthony.com or any subdomain
  • Submit a contact, audit, or vault form
  • Sign a contract through our e-signing flow
  • Use a paid tool on designedbyanthony.online
  • Receive an email from us

It does not cover sites we link out to. It does not cover what your own browser or operating system sends to others — that’s between you and your software vendor.

What we collect, why, and how long we keep it

| Category | Examples | Why | Retention | |---|---|---|---| | Contact submissions | Name, email, phone, message | Respond to your message, track follow-up | 24 months | | Free audit requests | URL audited, email, business name, place ID | Generate the Lighthouse report, email PDF | 90 days — automatically purged from D1 + R2 after that | | Contract / signing data | Legal name, email, business name, signature image, IP, user-agent, timestamps, geo (country/region) | Comply with ESIGN Act audit-trail requirements | 7 years (NY contract statute of limitations + 1-year buffer) | | Payment metadata | Stripe customer ID, subscription ID, plan, last 4 of card (from Stripe) | Process payments, handle refunds, reconcile webhooks | 7 years (matches tax retention) | | Account profile (paid tools) | Better Auth account ID, email, plan | Authenticate you, gate features by tier | Until account deletion + 30-day grace | | Page views | URL, referrer, country, IP hash (not raw IP), timestamp | Aggregate dashboard metrics | Raw rows purged after 30 days; daily aggregates kept | | Browser cookies | See Cookie Policy | Various | See cookie policy |

These retention windows are enforced by scheduled cleanup jobs in our api Worker — not just a policy promise.

We do not collect:

  • Government identifiers (SSN, drivers license, passport)
  • Health, biometric, or genetic data
  • Children’s data — our services are not directed at users under 18
  • Precise geolocation beyond country/region (derived from IP, never GPS)

Where data is stored

All data is stored in US data centers operated by the following vendors:

  • Cloudflare — Workers (compute), Hyperdrive (database connection layer), R2 (file storage), Workers KV (short-lived cache), D1 (free-audit data), Access (admin auth), Turnstile (anti-spam)
  • Neon — primary Postgres database (accounts, leads, contracts, CRM records), reached over Cloudflare Hyperdrive
  • Sanity.io — CMS content for client sites
  • Sentry — error stack traces and crash reports (no PII; aggressive scrubbing)
  • Resend — transactional email delivery
  • Stripe — payment records
  • Anthropic — your audit URL + page content sent to Claude to generate AI recommendations; Anthropic does not train models on API requests
  • Better Auth — self-hosted login (passkeys + magic links); your account and session records live in our own Neon database above, not a third-party identity vendor
  • VertaFlow pixel — our own first-party, cookieless analytics for page views and conversion events; we run no third-party ad or analytics trackers (no Google Analytics, no Meta pixel)

If you require a Data Processing Agreement (DPA) for a B2B engagement, email anthony@designedbyanthony.com.

How we use it

We use the data above to:

  • Deliver the service you asked for (the audit, the PDF, the call back)
  • Operate the business (invoice, send receipts, debug errors)
  • Improve the site (anonymized analytics — declinable via the cookie banner)
  • Comply with legal obligations (tax records, ESIGN audit trails)

We do not:

  • Sell your data
  • Share your data with brokers
  • Run programmatic advertising profiles on you
  • Use your data to train AI models we deploy elsewhere

Your rights

Everyone, always:

  • Request a copy of what we hold about you
  • Request correction of inaccurate data
  • Request deletion (subject to legal retention windows above — we cannot delete a signed contract before its 7-year window expires)

California residents (voluntary CCPA/CPRA compliance): ANTHONY is below the CCPA revenue and visitor thresholds, but we voluntarily honor the same rights — right to know, delete, correct, and opt-out of any sale of personal information (we don’t sell any).

To exercise any right, email anthony@designedbyanthony.com. We respond within 30 days. Identity verification may be required for deletion requests.

Cookies

See Cookie Policy for the full vendor and cookie inventory.

Privacy signals (GPP & GPC)

We honor the IAB Global Privacy Platform (GPP) and the browser-level Global Privacy Control (GPC) signal on the trackers we run.

  • Global Privacy Control (GPC): If your browser sends a GPC signal (Sec-GPC: 1 / navigator.globalPrivacyControl), we treat it as a do-not-sell/share request and suppress our analytics pixel for that request. We do not block a form you choose to submit, but we record the GPC signal alongside the submission so it is honored downstream.
  • Global Privacy Platform (GPP): On customer sites running a Consent Management Platform, our analytics pixel and lead-capture embed read the GPP consent string (window.__gpp) before firing. An explicit US “do not sell / share” opt-out suppresses the tracker entirely; if no consent platform is present we fall back to the site owner’s existing legal basis.

Customer-site pixel & lead-capture embeds

For sites we build and host, we may install a first-party analytics pixel and an optional lead-capture form embed. These send page views, clicks, and submitted form fields to our infrastructure on the site owner’s behalf — no third-party advertising cookies and no cross-site tracking. Both respect the GPP and GPC signals described above.

Security

  • All data in transit uses HTTPS / TLS 1.3
  • Database access is restricted to the api Worker — no public exposure
  • Admin access is gated by Cloudflare Access (verified email + one-time PIN)
  • Secrets are managed in Infisical; no secret values are ever committed to source control
  • Errors reported to Sentry are scrubbed of PII before transmission

No system is 100% secure. If we discover a breach affecting your personal data, we notify affected users by email as soon as practicable and no later than 72 hours after discovery.

We may link to third-party sites (Google, GitHub, vendor docs). We are not responsible for their privacy practices. Read their policies.

Children

Our services are not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided data, email us and we will delete it.

Changes to this policy

Material changes are announced via the cookie banner on next visit and an email to active customers if the change affects them. The effectiveDate and version at the top of this page are the source of truth.

Contact

anthony@designedbyanthony.com Designed by Anthony · Rome, NY · USA