Skip to main content

Privacy Policy

Last updated: 29 March 2026

1. Introduction

Welcome to Smoothly (smoothly.dev), an AI-powered application and website builder. This Privacy Policy explains how we collect, use, share, and protect your personal data when you use our platform and services.

Smoothly is operated by Fredrik Ankarskold, based in Sweden. By using our services you agree to the collection and use of information in accordance with this policy. If you do not agree with any part of this policy, please do not use our services.

2. Data Controller

The data controller responsible for your personal data is:

Fredrik Ankarskold

Smoothly

Sweden

Contact: privacy@smoothly.dev

3. Data We Collect

3.1 Account Data

When you create an account we collect your email address and display name. If you sign in via GitHub OAuth, we receive your GitHub username, email address, and profile avatar from GitHub. Account authentication is handled by Supabase.

3.2 Usage Data

We collect information about how you interact with our platform, including pages visited, features used, projects created, AI prompts submitted, and actions taken within the builder interface.

3.3 Payment Data

Payment processing is handled entirely by Stripe. We do not store your credit card numbers or full payment details on our servers. We retain only the information necessary for billing administration, such as your Stripe customer ID, subscription status, and transaction history.

3.4 Generated Content

When you use Smoothly to build websites and applications, we store the generated source code, assets, and configuration files associated with your projects. This content is stored in your account and is necessary for the delivery of our service.

3.5 Technical Data

We automatically collect technical information including your IP address, browser type and version, device type, operating system, referral source, and session duration. This data is used for security, diagnostics, and to improve our service.

3.6 Analytics Data

We use third-party analytics services to understand how our platform is used. These include PostHog (EU-hosted), RudderStack, and Google Analytics. These services may collect data such as page views, click events, and session recordings (with sensitive fields masked). See Section 9 for details on cookies and tracking.

4. How We Use Your Data

We use the personal data we collect for the following purposes:

  • Service delivery — to provide, maintain, and improve the Smoothly platform, including AI-powered code generation and project hosting.
  • Billing and payments — to process subscriptions, manage credits, and handle invoicing through Stripe.
  • AI improvement — to improve the quality of our AI models using anonymised and aggregated usage patterns. We do not use your individual project content to train third-party AI models.
  • Customer support — to respond to your inquiries and resolve technical issues.
  • Communications — to send transactional emails (e.g. account verification, payment receipts) and, where you have opted in, marketing communications about new features and product updates.
  • Security and fraud prevention — to detect, prevent, and respond to security incidents and abuse.
  • Analytics — to understand how the platform is used and to make data-driven product decisions.

5. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:

  • Performance of a contract (Art. 6(1)(b) GDPR) — processing necessary to provide you with our services, manage your account, and fulfil our subscription agreement.
  • Legitimate interests (Art. 6(1)(f) GDPR) — processing necessary for our legitimate interests, such as improving our platform, ensuring security, preventing fraud, and conducting analytics. We balance these interests against your rights and freedoms.
  • Consent (Art. 6(1)(a) GDPR) — where we send marketing communications or use non-essential cookies, we rely on your consent, which you may withdraw at any time.
  • Legal obligation (Art. 6(1)(c) GDPR) — where processing is necessary to comply with a legal obligation, such as tax and accounting requirements.

6. Data Sharing and Third-Party Processors

We do not sell your personal data. We share data with the following third-party service providers, who act as data processors on our behalf:

ProviderPurposeLocation
VercelHosting and edge deliveryUS (with EU transfers)
SupabaseAuthentication and databaseEU
StripePayment processingUS / EU
CloudflareCDN and R2 object storageGlobal
ModalSandbox code executionUS
PostHogProduct analyticsEU
SentryError trackingEU
Customer.ioLifecycle emailEU
RudderStackAnalytics pipelineUS
Google Analytics, Meta, TikTok, LinkedInAdvertising measurementUS

Each processor is contractually bound to process data only on our instructions and in compliance with applicable data protection laws. Where processors are located outside the EU/EEA, we ensure appropriate safeguards are in place (see Section 10).

7. Data Retention

  • Account data is retained for as long as your account remains active.
  • Project content (generated websites and apps) is retained while your account is active and for 30 days after account deletion to allow for recovery.
  • Backups containing personal data are purged within 90 days of account deletion.
  • Payment records may be retained for up to 7 years to comply with Swedish and EU accounting and tax obligations.
  • Analytics data is retained in aggregated or anonymised form and is not subject to deletion requests.

8. Your Rights Under GDPR

As a data subject in the European Economic Area, you have the following rights:

  • Right of access — you may request a copy of the personal data we hold about you.
  • Right to rectification — you may request correction of inaccurate or incomplete personal data.
  • Right to erasure — you may request deletion of your personal data, subject to legal retention obligations.
  • Right to data portability — you may request your data in a structured, commonly used, machine-readable format.
  • Right to restriction — you may request that we restrict the processing of your personal data in certain circumstances.
  • Right to object — you may object to processing based on legitimate interests, including profiling.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@smoothly.dev. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority. In Sweden, this is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).

9. Cookies and Tracking Technologies

We use the following categories of cookies and tracking technologies:

Essential Cookies

Required for the platform to function. These include session cookies, authentication tokens, and CSRF protection. You cannot decline essential cookies.

Analytics Cookies

Used to understand how visitors interact with our platform. We use PostHog (EU-hosted) and Google Analytics (GA4). These cookies help us measure feature adoption, identify issues, and improve the user experience. Session replay in PostHog masks all sensitive input fields by default.

Marketing Pixels

We use measurement pixels from Meta, TikTok, LinkedIn, and Google for advertising attribution and conversion tracking. These are loaded via RudderStack and can be declined through the cookie consent banner. When declined, no marketing tracking scripts are loaded.

10. International Data Transfers

Some of our third-party processors are located outside the EU/EEA, primarily in the United States. Where personal data is transferred outside the EU/EEA, we ensure adequate protection through one or more of the following mechanisms: EU Commission adequacy decisions, Standard Contractual Clauses (SCCs) as approved by the European Commission, or the EU-U.S. Data Privacy Framework where the recipient is certified. We regularly review these safeguards to ensure ongoing compliance.

11. Children

Smoothly is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe that a child under 16 has provided us with personal data, please contact us at privacy@smoothly.dev and we will take steps to delete such data promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice by email or by a prominent notice on our website before the changes take effect. We encourage you to review this page periodically. Your continued use of the platform after the effective date of any changes constitutes acceptance of the updated policy.

13. Contact

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us:

Smoothly — Privacy Inquiries

Fredrik Ankarskold

Email: privacy@smoothly.dev

We aim to respond to all privacy-related inquiries within 30 days.