Legal
What we collect. What we don't.
Last updated: May 30, 2026
Drafted by the founder with AI assistance, not by a licensed attorney. Legal-counsel review is pending; if a data-rights decision matters to you (GDPR/CCPA request, breach notification, subpoena response), consult a lawyer in your jurisdiction — don't rely on this document alone. If you spot something off, email hello@carbonandchrome.org.
The short version: we collect what we need to build your site and run your account, we don't sell it, we don't train AI on it, and you can get all of it back — or deleted — with one email.
01 Who we are
C&C Themes is a product of Carbon & Chrome Holdings LLC, a limited liability company registered in the Commonwealth of Virginia, USA. We build and host professional websites for automotive businesses at themes.carbonandchrome.io.
For privacy purposes, Carbon & Chrome Holdings LLC is the data controller of the information described below. The fastest way to reach us about anything in this policy is hello@carbonandchrome.org.
02 What we collect
- Email address. When you sign up, log in, or join the waitlist, so we can give you an account and reach you about it.
- Account password. Stored as a salted scrypt hash. We never see your plaintext password and we cannot recover it for you — only reset it.
- Shop URL. When you use the builder, you give us your existing website address so our engine can scan it.
- Extracted business data. Our engine pulls publicly available information from your existing website — business name, phone, address, services, hours, photos. This is content already visible on the public internet; we just structure it into your generated site.
- Order & billing data. Lemon Squeezy handles checkout. They pass us your name, the plan you bought, transaction ID, and country for tax reporting. We never see your full card number.
- Analytics events. Pageviews, builder-stage progression, and clicks. Each event carries a session ID, a SHA-256 hash of your IP (salted, so it can't be reversed to your real IP), and a two-letter country code derived from Cloudflare. Raw IP addresses are never stored.
- Cookies. A small set of first-party cookies, all listed in section 05. No third-party tracking pixels.
03 Why we collect it
Each item we collect maps to a specific reason and a legal basis under data-protection law:
- Generate your website. Your shop URL and extracted business data power the site we build for you. Legal basis: contract performance — we literally can't deliver the product without it.
- Run your account. Email, password hash, and order data let you log in, get billed correctly, and recover access. Legal basis: contract performance.
- Send you updates. Account-related transactional email (receipts, password resets, downtime notices) is contract performance. Marketing email — newsletters, product news — only goes to people who opted in, and every send has a one-click unsubscribe. Legal basis: consent.
- Improve the platform & catch abuse. Hashed IPs, session IDs, and analytics events help us rate-limit scrapers, debug the builder, and see which flows work. Legal basis: legitimate interest in operating and protecting the service.
We don't sell your data. We don't share it with advertisers. We don't hand it to “partners.” We don't use customer data to train AI models.
04 Who we share it with
We use a small number of vendors (sub-processors) to run the platform. Each one only sees the data they need for their job:
- Railway (US) — hosts the app and the Postgres database. Your account, shop data, and generated site content live here.
- Cloudflare (US) — DNS, TLS, and the country-code header we use for analytics.
- Lemon Squeezy (US) — merchant of record for checkout. They handle PCI-compliant card processing and tax. They get your name, email, billing address, and the plan you bought.
- Resend (US) — sends our transactional and (opt-in) marketing email from carbonandchrome.org. They get the recipient email and message body.
International transfers. All four vendors are based in the United States. If you're in the UK, EU, or EEA, your data is transferred to the US under the Standard Contractual Clauses (SCCs) each vendor publishes. We'll add new sub-processors only when needed and will update this list before they receive any data.
05 Cookies
A small set of first-party cookies. No third-party tracking pixels, no advertising cookies, no remarketing tags.
| Name | Purpose | TTL | Scope |
|---|---|---|---|
| cc-auth | Beta site-gate token (sha256(SITE_PASSWORD)). Removed at public launch. | 7 days | HttpOnly, Secure, SameSite=Strict |
| cc-session | Logged-in account session. Required for the dashboard. | 30 days, refreshes on activity | HttpOnly, Secure, SameSite=Lax |
| cc-sid | Random UUID for first-party analytics (unique-visitor count). No personal data. | 1 year | Secure, SameSite=Lax (readable by client analytics) |
| cc-admin-token | Internal admin-only access token. Never set on customer sessions. | 30 days | HttpOnly, Secure, SameSite=Strict |
| cc-referral-code | Referral-link attribution if you arrived with ?ref=CODE. | 30 days | HttpOnly, Secure, SameSite=Lax |
| cc-captcha | Transient: only set when our contact-form rate-limit triggers a math-challenge fallback. Holds the HMAC-signed challenge until you solve it. | 10 minutes | HttpOnly, Secure, SameSite=Strict |
| cc-upgrade-dismissed-* | Dashboard only. Remembers that you dismissed an upgrade prompt for the month so we don't show it again. No personal data. | ~1 month | Secure, SameSite=Lax |

You can clear or block any of these in your browser settings. The site still works without cc-sid; the dashboard won't work without cc-session (you wouldn't be logged in).
06 Retention
We keep what we need for as long as we need it:
- Account & site data — kept while your subscription is active. After your subscription ends we keep it for about 90 days (so you can reactivate without losing work), then a scheduled job permanently deletes the account and everything attached to it. You can also delete your account yourself at any time from your settings — that wipes it immediately.
- Newsletter email — kept until you unsubscribe. Every email has a one-click unsubscribe link that removes you from the list.
- Analytics events — each event carries only a salted IP hash, a session ID, and a country code (no name or email). Individual events are deleted 90 days after they're recorded.
- Server access logs — our host (Railway) keeps standard platform access logs on its own retention schedule; we don't maintain a separate long-term copy.
- Billing records — held by Lemon Squeezy (our merchant of record) for as long as tax and accounting law requires (typically up to 7 years).
07 Your rights
Wherever you live, you can:
- Access what we have on you.
- Export it in a portable format (JSON for account data, plain HTML/CSS for your generated site).
- Correct anything inaccurate.
- Delete your account and everything in it.
- Opt out of marketing email (one-click in any send) or withdraw any consent you've given.
- Object to processing based on legitimate interest, or restrict it.
- Complain to your local data-protection authority. (UK: ICO. EU: your member-state regulator. California: California AG.)
One email covers all of it: hello@carbonandchrome.org. We respond within 7 days, fulfill within 30 days under CCPA/GDPR — usually much faster. No runaround, no verification gauntlet beyond confirming you control the account email.
08 Children
C&C Themes is a B2B service for business owners. The service is not directed at anyone under 16, and we don't knowingly collect data from children. If you believe a child signed up, email hello@carbonandchrome.org and we'll delete the account.
09 Security
Passwords are stored as salted scrypt hashes. All traffic is served over HTTPS. Database connections require TLS. Admin and Neodis-write actions are gated by separate tokens with constant-time comparison and audit logging. We're a small team; if there's a breach affecting you, we'll tell you and the relevant regulator within 72 hours.
10 Changes to this policy
We may update this page as the platform evolves. If we change anything material — what we collect, who can see it, how long we keep it — we'll email active customers and give 14 days' notice before the change takes effect. Minor wording cleanups update the date at the top quietly.
11 Contact
Privacy questions, data requests, or anything else about this policy: hello@carbonandchrome.org. One inbox. Real human. No ticket queue.
Postal: Carbon & Chrome Holdings LLC, registered in the Commonwealth of Virginia, USA. Mail-handling address available on request.