Privacy Policy

This Privacy Policy explains how Edvard Zeke Julius Witasp Gruvelgard, doing business as Efficio (“Efficio,” “we,” “us,” or “our”), collects, uses, shares, and protects personal data through the Efficio platform, public platform website, owner dashboard, lead capture tools, generated business websites, and related services (the “Platform”).

The Platform helps business owners create and operate public business websites that are optimized for search, AI-search visibility, and conversion. This means we process data about business owners and team members, people who visit Efficio’s public website, support contacts, people who visit websites created with Efficio, and people who submit or trigger leads on those websites.

For account, dashboard, billing, security, support, legal, product improvement, platform website, and business operations data, Efficio acts as the controller, business, or equivalent decision-maker.

For personal data about Visitors to a business owner’s Published Site that is captured as leads, appointment requests, chat messages, direct CTA Interactions, and related metadata, the business owner is the controller, business, or equivalent decision-maker. Efficio processes that data as the owner’s processor, service provider, contractor, or equivalent role, except where we process it for our own security, billing, fraud prevention, abuse prevention, legal compliance, service improvement, or other independent purposes described in this Policy.

If you are a Visitor to a Published Site and have a privacy request about your lead, appointment, message, or business relationship with that site, you should contact the business owner first. If you contact Efficio, we may forward the request to the owner or assist the owner in responding where required.

We collect data that business owners, admins, editors, viewers, invitees, and support contacts provide or create, including:

• name, email address, password credentials or authentication data, role, organization, invitations, and consent version;
• business name, business type, public phone number, public email, location, service area, opening hours, team, reviews, pricing, services, menus, projects, FAQs, blog posts, and other business profile data;
• website content, SEO titles and descriptions, language settings, style choices, color choices, CTAs, booking settings, order links, availability slots, custom domains, DNS verification records, and publication status;
• uploaded images, pasted image URLs, imported source-site images, image alt text, logos, source URLs, content hashes, and platform storage URLs;
• support messages, feedback, admin actions, spam reports, billing requests, and communications with us;
• billing identifiers, subscription status, Stripe customer and subscription references, invoice and meter-event records, free-trial settings, lead pricing, and payment portal activity. We do not store full card numbers; Stripe processes payment details; and
• technical data such as session cookies, device/browser signals, IP-derived security signals, logs, error reports, user agent, request headers, and rate-limit hashes.

When someone visits Efficio’s public platform website, legal pages, help pages, sign-in pages, onboarding pages, or related public pages, we may collect contact information submitted through forms, account signup data, authentication state, cookies, device information, IP address or hashed IP signals, user agent, referrer, approximate location from infrastructure headers, page and request information, error information, and security and rate-limit data.

Published Sites are designed to capture conversions. Depending on the site configuration and Visitor action, we may process:

• form details such as name, first name, last name, email, phone, contact field, message, and honeypot anti-spam field;
• appointment request details such as requested slot, reserved slot, location ID, team member ID, name, contact field, and message;
• chat details such as question, contact field, and widget metadata;
• quick-contact details such as phone number or email address;
• CTA Interaction metadata for call, email, booking, and order clicks, including CTA ID, module ID, placement, provenance, route archetype, action, link kind, clicked href, page path, and current URL;
• UTM parameters, referrer, document referrer, browser language, timezone, screen size, user agent, forwarded host, and infrastructure-provided geolocation headers such as country, region, city, latitude, and longitude where available;
• hashed IP signals used for rate limiting, abuse prevention, and click-source deduplication; and
• lead status, billing status, spam-review status, timestamps, and dashboard handling history.

Direct CTA Interactions may be captured and billed as leads even when the Visitor does not submit contact details. Lead notification emails sent to owners are designed not to include lead contact details; owners view those details in the dashboard.

If an owner provides an existing website URL, Efficio may crawl publicly reachable pages on that site, discover sitemap URLs, fetch rendered or static content, extract titles, descriptions, canonical URLs, robots meta directives, structured data, headings, text blocks, snippets, emails, phone numbers, addresses, links, social URLs, image URLs, alt text, and diagnostics. If the crawl is unavailable or thin, Efficio may generate a draft from onboarding answers instead.

We may send onboarding data, source-site extracts, business facts, media candidates, generated drafts, validation errors, and optimization context to OpenAI or another configured AI provider to create website drafts or action recommendations. We may store the resulting drafts, reports, token usage, model/provider identifiers, and job status for review, support, billing, quality, and audit purposes.

At draft release or during owner upload, Efficio may fetch external images, process them, strip metadata, convert them, store them in Supabase Storage or another storage provider, record source URLs and hashes, and serve them publicly as part of the Published Site.

We use cookies and similar technologies for authentication, session management, password reset and sign-in flows, maintenance bypass where configured, security, preferences, and product operation. Published Sites may use browser storage, such as session storage, to remember that a Visitor has seen or dismissed an on-site chat greeting during the current browser session.

You can control cookies through your browser settings. Some Platform features, including sign-in, dashboard access, security checks, and lead submission, may not work correctly without required cookies or storage.

We use personal data to:

• create accounts, authenticate users, manage organizations, permissions, invitations, and sessions;
• create, generate, host, edit, publish, suspend, and delete business websites;
• capture, validate, display, notify, review, deduplicate, bill for, void, waive, and sync leads;
• process payments, subscriptions, invoices, usage records, taxes, refunds, credits, and free allowances;
• provide support, respond to requests, send service messages, and manage feedback;
• operate crawlers, AI drafting, action reports, recommendations, image imports, custom domains, revalidation, and automation jobs;
• secure the Platform, detect abuse, enforce rate limits, prevent fraud, investigate spam reports, and protect rights and safety;
• improve, test, troubleshoot, monitor, and measure the Platform, including through logs and error reporting;
• comply with legal, tax, accounting, payment, dispute, and regulatory obligations; and
• enforce our Terms, Content Policy, and agreements.

Where EU or UK data protection law applies, our legal bases may include performance of a contract, legitimate interests, consent, legal obligation, and, rarely, protection of vital interests. Our legitimate interests include operating and securing the Platform, supporting business owners, preventing abuse, measuring and improving services, billing for services, enforcing agreements, and protecting Efficio, owners, Visitors, and others.

Where we act as a processor for a business owner, the owner determines the lawful basis for processing Visitor lead data. Owners are responsible for providing any required notices and obtaining any required consents from their Visitors.

We may share personal data with:

• business owners and authorized organization users, so they can view and respond to leads, manage websites, and operate their business;
• Vercel or other hosting and infrastructure providers that serve the Platform, Published Sites, edge functions, cron jobs, and geolocation headers;
• Supabase for authentication, database, storage, row-level access controls, and related backend services;
• Stripe for checkout, subscriptions, billing portal, invoices, payment methods, meter events, tax, fraud, and payment compliance;
• Supabase Auth email service for authentication emails, invitations, and password resets; Resend for inbound email forwarding, lead notifications, and operational email handling;
• OpenAI or other AI providers where configured for website drafts, action reports, validation, and optimization suggestions;
• Sentry or other logging, monitoring, and error-reporting providers where configured;
• DNS, domain, browser rendering, image processing, and storage providers used to operate custom domains, crawls, and media features;
• professional advisers, insurers, auditors, legal counsel, payment partners, and security consultants;
• law enforcement, regulators, courts, dispute bodies, or others where we believe disclosure is required or appropriate; and
• successors or counterparties in a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar transaction.

We do not sell personal information or share it for cross-context behavioral advertising as those terms are commonly used under California privacy law. If our practices change, we will update this Policy and provide any required opt-out mechanism.

Efficio and its service providers may process personal data in the United States, the European Economic Area, the United Kingdom, and other countries where we or our providers operate. Those countries may have data protection laws different from the laws where you live. Where required, we use appropriate transfer mechanisms, such as standard contractual clauses, data processing terms, or other safeguards.

We keep personal data for as long as needed to provide the Platform, maintain accounts and Published Sites, support owners, process billing, handle leads, administer spam review, maintain security, troubleshoot errors, satisfy legal, tax, accounting, audit, and dispute obligations, enforce agreements, and maintain backups. Because retention depends on account status, site status, billing records, backups, legal obligations, and operational needs, we do not promise a fixed deletion period unless a separate written agreement says otherwise.

Some records may be deleted when a platform admin deletes a site or organization. Other records may remain in backups, logs, invoices, payment-provider systems, security records, or legal archives until they expire or are no longer needed. Rate-limit event records are intended to be short-lived and may be pruned separately.

We use administrative, technical, and organizational safeguards designed to protect personal data, including authentication, role-based access controls, row-level data restrictions where supported, HTTPS, service-role separation, rate limiting, input validation, logging, monitoring, and provider security controls. No method of transmission or storage is perfectly secure. You are responsible for strong passwords, account access, invited users, domain configuration, and promptly reporting suspected compromise.

Depending on where you live and how we process your data, you may have rights to request access, correction, deletion, portability, restriction, objection, withdrawal of consent, information about processing, or non-discrimination for exercising privacy rights. California residents may also have rights to know categories and specific pieces of personal information, request deletion or correction, opt out of sale or sharing, and limit certain sensitive personal information uses where applicable.

To exercise rights for Efficio-controlled data, contact privacy@effic.io. We may need to verify your identity and authority before responding. For Visitor lead data controlled by a business owner, contact that owner first; we may assist the owner as its processor or service provider.

EU/UK individuals may also have the right to complain to a data protection authority. You may contact us at privacy@effic.io with questions about our EU/UK representative or data protection contact, if one is required.

The Platform is intended for business users who are at least 18 years old. It is not directed to children, and we do not knowingly collect personal data from children through the Platform. Business owners must not use the Platform to target children or collect children’s personal data unless they have confirmed with counsel that their use is lawful and Efficio has agreed in writing where required.

Efficio uses automated systems and AI providers to draft website content, classify lead sources, validate click leads, deduplicate certain CTA clicks, recommend actions, detect abuse, and support billing workflows. These systems do not replace owner review, and they are not intended to make legally significant decisions about Visitors without human involvement. Platform admins may make final decisions on spam reports and billing adjustments.

We may update this Privacy Policy from time to time. The “Last updated” date shows the current version. Material changes may be announced through the Platform, by email, or by other reasonable notice. Your continued use of the Platform after an update becomes effective means you accept the updated Policy.

Privacy requests and questions may be sent to privacy@effic.io. Legal notices may be sent to legal@effic.io and 6708 Main street, Cincinnati, OH 45244, United States. General support requests may be sent to legal@effic.io.