Punapai
Privacy Policy
Last updated: 8 May 2026

1. What This Policy Covers

This Privacy Policy explains what personal data we collect, why we collect it, and how we protect it when you use Punapai ("Service"). We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

The data controller responsible for your data is GOBYTE SOFTWARE LTD, a company registered in England & Wales under company number 16769913, with registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

2. What Data We Collect

We collect only what we need to run the Service:

  • Account details: your name, email address, and password (stored encrypted — we never see your actual password). If you sign in with Google, we receive your name, email address, and profile photo from Google
  • Payment information: if you subscribe to a paid plan, our payment processor (Stripe) collects your payment method, billing address, and transaction details. We do not store your full card number — Stripe handles this securely on our behalf
  • Content you create: landing pages, text, images, and other content you build with Punapai
  • Usage information: which features you use and how you interact with the Service
  • Analytics data: we collect anonymous visitor statistics for your landing pages, including page views, referrers, and browser information. Retention periods vary by plan
  • Technical information: your IP address, browser type, device, and operating system — collected automatically when you visit
  • Visitor data from your landing pages: if you enable email collection or contact forms on your pages (available on paid plans), we store the submissions on your behalf

3. Why We Collect Your Data

We use your data for these purposes:

  • To run the Service: log you in, save your work, and display your landing pages
  • To improve Punapai: understand how the Service is used so we can make it better
  • To keep things secure: detect and prevent fraud, abuse, and technical issues
  • To communicate with you: send important account updates and respond to your questions

4. Our Legal Basis (UK GDPR)

Under UK GDPR, we must have a lawful reason to process your data. Ours are:

  • Contract: we need your data to provide the Service you signed up for
  • Legitimate interests: to improve the Service, ensure security, and prevent fraud
  • Consent: for optional things like marketing emails (you can opt out at any time)
  • Legal obligation: when the law requires us to process or retain data

5. Who We Share Your Data With

We never sell your personal data. We share it only with the following sub-processors and recipients, each under appropriate contractual safeguards:

  • Stripe (United States): payment processing, billing, and payment-method storage for paid subscriptions
  • Google (United States): Google Sign-In (if you choose to use it) and Google Analytics 4 for measuring how visitors use our marketing pages, gated behind your cookie consent
  • Hetzner Online GmbH (Germany): our hosting provider for the application servers and databases
  • S3-compatible object storage (EU region): stores landing-page assets you upload (images, videos) and the static page bundles we generate on your behalf
  • Bunny Fonts (Slovenia): serves the web fonts used on the marketing site and on landing pages; the service does not set cookies and does not log IP addresses
  • Transactional email provider: we use a third-party email-delivery service (currently Amazon SES, United States) to send account, billing, and password-related emails
  • Law enforcement: only when legally required by a valid court order or statutory request

If you require a current list of sub-processors or a Data Processing Agreement (DPA), email stefanos@gobyte.software.

6. Your Role as a Data Controller

When you use Punapai to collect personal data from visitors to your landing pages (for example, through email collection forms or contact forms), you act as the data controller for that visitor data. We act as a data processor on your behalf — we store and manage the data, but you decide what to collect and how to use it.

As a data controller, you are responsible for:

  • Ensuring you have a lawful basis (such as consent) to collect personal data from your visitors
  • Providing your visitors with appropriate privacy information about how their data will be used
  • Complying with all applicable data protection laws, including UK GDPR, regarding the data you collect
  • Responding to data subject requests from your visitors (access, deletion, etc.)

We will assist you in meeting your data protection obligations where reasonably possible. If you require a formal Data Processing Agreement (DPA), please contact us at stefanos@gobyte.software.

7. International Transfers

Some of our sub-processors are based outside the UK — specifically, Stripe, Google, and our transactional email provider (Amazon SES) operate from the United States. Where data is transferred outside the UK we rely on the UK addendum to the EU Standard Contractual Clauses, the UK International Data Transfer Agreement, or another adequate-protection mechanism recognised by the ICO.

8. How Long We Keep Your Data

Your account data: we keep it for as long as your account is active. If you delete your account, we remove your personal data within 30 days, except where we are legally required to keep it longer.

Analytics data: visitor analytics for your landing pages are retained based on your plan — 7 days on Free, 90 days on Pro, and 1 year on Business and Enterprise. After the retention period, analytics data is automatically pruned.

Visitor data collected through your landing pages: email addresses and contact form submissions collected from your visitors are stored on our servers for as long as the associated project exists. For free accounts, collected data is deleted when the project expires (30 days after publishing). It is your responsibility to export any collected data before expiration.

Payment data: Stripe retains payment and transaction records in accordance with their own privacy policy and applicable financial regulations.

Expired project data: when a free plan project expires, all associated data — including landing page content, uploaded assets (images, files), collected email addresses, and contact form submissions — is permanently deleted.

9. Your Rights

You have the following rights over your data under UK GDPR:

  • See your data: request a copy of the personal data we hold about you
  • Fix your data: ask us to correct anything that is wrong
  • Delete your data: ask us to erase your personal data
  • Limit processing: ask us to temporarily stop using your data
  • Take your data: receive your data in a portable format
  • Object: tell us to stop processing your data for a specific purpose
  • Withdraw consent: if you previously gave consent, you can take it back at any time

To exercise any of these rights, email us at stefanos@gobyte.software.

10. Cookies

We use cookies and similar storage technologies for two purposes: keeping the Service working (strictly necessary) and understanding how the marketing site is used (analytics — opt-in only). The first time you visit the marketing site we show a consent banner; you can change your choice at any time using the Cookie settings link in the footer of every public page.

10.1 Strictly necessary cookies

These cannot be disabled because the Service would not function without them.

  • cc_cookie — stores your cookie-consent preferences for this site (12 months)
  • punapai-session — the Laravel session cookie used to keep you signed in (session)
  • XSRF-TOKEN — CSRF protection for form submissions (session)
  • remember_web_* — set only if you tick "remember me" on the login form (5 years)

10.2 Analytics cookies (opt-in)

Set only after you click "Accept all" or enable the Analytics category in the Cookie settings panel. They are deleted automatically if you later withdraw consent.

  • _ga — Google Analytics 4 client ID (2 years)
  • _ga_7YZLGL53Y0 — Google Analytics 4 session identifier for this property (2 years)

Google Analytics is provided by Google Ireland Limited, with onward processing in the United States. See Google's privacy policy for details.

10.3 Cookies on landing pages built with Punapai

Landing pages our customers create on Punapai may set cookies (for example, Google Analytics or Google Tag Manager configured by the page owner). When you visit such a landing page, the page owner is the data controller for any cookies they have configured, and the page's own consent banner controls what is set on your device.

10.4 Withdrawing consent

You can withdraw consent at any time by opening Cookie settings in the footer and switching the Analytics toggle off. Existing analytics cookies are deleted from your browser when you do.

11. How We Protect Your Data

We use industry-standard security measures to protect your data, including encryption, secure servers, and access controls. No system is 100% secure, but we take reasonable steps to keep your information safe.

12. Changes to This Policy

We may update this policy from time to time. If we make significant changes, we will notify you by email or through the Service.

13. Complaints

If you are not happy with how we handle your data, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk.

14. Get in Touch

For any privacy questions, email us at stefanos@gobyte.software.

GOBYTE SOFTWARE LTD
Registered in England & Wales · Company No. 16769913
Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

Back to registration
Back to home