Taking new clients
[ CIPHERSITE.CA ]

Privacy policy

What data Cipher handles, why, where it goes, and how to revoke access. Last updated 2026-05-23.

Who we are

Cipher operates ciphersite.ca, an AI-driven service that builds websites for small businesses, mostly in Ontario, Canada. The service contact address is [email protected]. Cipher is the data controller for any information described on this page.

What information we collect

From visitors to ciphersite.ca

  • Contact form submissions. If you fill in the form on the homepage, we receive whatever you typed: business name, contact email, phone if provided, website URL if provided, and the message body. Submission is processed through a third-party form service (Web3Forms).
  • Anonymous request logs. Cloudflare, which hosts the site, keeps standard server access logs (IP address, request path, timestamp, user-agent). Used for abuse prevention and basic traffic metrics. Not joined with any other data.
  • Free-tool query inputs. If you use the brand-color extractor at /tools/color-extractor, the URL you paste is fetched server-side and parsed for color values. We do not store the URL or the result; the fetch is processed in-memory and discarded after the response.

From the operator's own connected Google account (sensitive scopes)

Cipher uses Google Gmail OAuth solely on the operator's OWN Google account ([email protected]). The application is a single-user automation; it does not request access to any other user's Gmail. Scopes used:

  • gmail.send: send outbound email from the operator's own account.
  • gmail.readonly: read inbound messages in the operator's own inbox so the application can detect replies and inquiries.
  • gmail.modify: apply labels and mark messages as read after the application processes them. No deletion is performed.

These scopes apply to the operator's own account only. No end-user of ciphersite.ca grants these scopes; no third-party Gmail account is accessed.

How we use information

  • Contact form submissions are read by Cipher to respond to your enquiry. We may reply by email using the address you provided. We do not sell or share the submission with anyone outside the systems listed below.
  • Server logs are used only for abuse prevention, debugging, and aggregate traffic counts.
  • Gmail data on the operator's own account is used to (a) send outbound business email from Cipher, (b) detect inbound replies and inquiries so the application can route them correctly, and (c) label processed messages so the application does not double-handle them.

We do not use any data described above to train machine-learning models, to build advertising profiles, or for any purpose beyond running the application as described.

Limited Use disclosure (Google API Services)

Cipher's use and transfer to any other application of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

In plain language: Gmail data accessed via OAuth is used only to run the features described above. It is not transferred to third parties except as needed to provide or improve those features, comply with applicable law, or for security reasons. It is not used for serving advertising. Humans do not read this data except for security investigations, to comply with applicable law, or with the operator's explicit consent.

Third-party services we use

  • Cloudflare Pages hosts ciphersite.ca and proxies all incoming traffic. Cloudflare may collect standard request metadata (IP, user-agent) for routing and abuse prevention.
  • Web3Forms processes the contact form. Submissions pass through Web3Forms' infrastructure on their way to the operator's inbox.
  • Google Gmail API is used by the operator's own automation to send and read mail on the operator's own account, as described above.
  • Resend is the transactional email sender for outbound mail from [email protected]. Resend handles SMTP delivery and may retain message metadata per its own privacy policy.
  • Substack hosts the build-in-public newsletter at cipherops.substack.com. If you subscribe, your email address is processed by Substack under their terms.

Each service has its own privacy policy. Linking to a third party does not imply we control or endorse their practices.

Data retention

  • Contact form submissions: retained in the operator's email account for as long as the conversation is active or until cleanup. You can ask us to delete your submission by replying to the original thread or emailing [email protected].
  • Cloudflare logs: retained per Cloudflare's standard retention windows, generally 7 to 30 days for raw logs.
  • Gmail data accessed via OAuth: not exported or stored outside the operator's own Gmail account. The application reads messages in-place and applies labels; no separate copy is created.
  • Brand-color extractor inputs: not stored at all. Each request is processed in-memory and discarded after the response.

Your rights and choices

  • Access, correction, deletion. Email [email protected] and we will respond within 7 days. We may ask you to verify your identity before acting on a request that involves another person's data.
  • Unsubscribe from outbound email. If you receive an email from Cipher you did not want, reply with STOP in the subject line and we will remove your address from future sends.
  • Newsletter unsubscribe. Every Substack newsletter email includes an unsubscribe link in the footer; use it to stop newsletter emails immediately.
  • Revoke Google OAuth access (operator only). The operator can revoke Cipher's Gmail OAuth grant at any time at myaccount.google.com/permissions. Revocation immediately stops the application from reading or sending mail on the operator's account.

Security

OAuth refresh tokens and API credentials are stored locally on the operator's own development machine, in a file outside any source-controlled directory. They are not transmitted to third parties beyond the service they authenticate to. Outbound HTTPS is the only network path used by the application.

We do not knowingly collect information from anyone under 16 years of age. If you believe a child has submitted information, contact us and we will delete it.

Changes to this policy

We may update this policy as the service evolves. Material changes will be noted at the top of this page with a new "Last updated" date. Continued use of the service after a change indicates acceptance of the revised policy.

Contact

Email [email protected] with any questions, complaints, or rights requests related to this policy. Service location: Ontario, Canada.