OneDayWeb (trading name of Cardow & Co Pty Ltd, ABN 66 678 386 073) ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our websites at onedayweb.io and app.onedayweb.io and use our web design services.

By using our website and services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our services.

OneDayWeb operates from Queensland, Australia, and our services are available to customers worldwide.

1. Information We Collect

1.1 Personal Information You Provide

We collect information you voluntarily provide when using our services:

  • Account Information: Name, email address, authentication credentials (for passwordless login via email or OAuth providers)
  • Payment Information: Billing details, company name, contact information processed securely through Stripe (we do not store credit card numbers)
  • Project Configuration: Website requirements, features selected, timeline preferences, referral codes
  • Project Brief Information: Business details, industry, target audience, competitor information, brand preferences, website content, key messages, calls to action
  • Brand Assets: Logo files, brand guideline documents, photos, videos, and other media uploaded via our platform
  • Communication Data: Messages sent through our contact forms, client dashboard messaging system, email correspondence
  • Partner Program Data: Referral codes, referral tracking data, bank account/payout information via Stripe Connect

1.2 Automatically Collected Information

When you visit our website or use our application, we automatically collect certain information:

  • Device Information: IP address, browser type and version, operating system, device identifiers
  • Usage Data: Pages visited, time spent on pages, navigation patterns, click behavior, features used
  • Performance Data: Error logs, crash reports, application performance metrics (via Sentry)
  • Analytics Data: Website traffic patterns, conversion data, user behavior (via Google Analytics, PostHog, Facebook Pixel, LinkedIn Insight Tag)
  • Cookies and Tracking Technologies: See our Cookies Policy for detailed information

1.3 Information from Third Parties

We may receive information from third-party services when you:

  • Sign in with OAuth: If you authenticate using Google or other OAuth providers, we receive basic profile information (name, email, profile picture)
  • Use referral codes: We receive attribution data from partner referrals to calculate commissions and discounts
  • Make payments: Stripe provides us with payment status, transaction details, and fraud prevention data

2. How We Use Your Information

We use collected information for the following purposes:

2.1 Service Delivery

  • Build and deliver your website according to your specifications
  • Process payments and manage billing
  • Track project progress and manage timelines
  • Store and process brand assets and project materials
  • Enable real-time project status tracking in your dashboard
  • Transfer completed websites to your Webflow account

2.2 Communication

  • Send order confirmations and payment receipts
  • Deliver project updates and deadline reminders
  • Send status change notifications (brief reminders, delivery notifications)
  • Respond to customer support inquiries
  • Facilitate client-project communication through our messaging system
  • Send important service announcements and policy updates

2.3 Account Management

  • Create and maintain user accounts
  • Authenticate users via passwordless email links or OAuth providers
  • Enable multi-project access and project switching
  • Manage partner program enrollment and referral tracking
  • Link users to their projects after authentication

2.4 Business Operations

  • Process refunds in accordance with our Refund Policy
  • Calculate and distribute partner referral commissions via Stripe Connect
  • Apply promotional discounts and referral credits
  • Manage capacity planning and project scheduling
  • Maintain service quality standards
  • Prevent fraud, abuse, and unauthorized access

2.5 Analytics and Improvement

  • Analyze usage patterns to improve our platform and services
  • Track conversion rates and marketing campaign performance
  • Monitor application performance and identify technical issues
  • Conduct user experience research and A/B testing
  • Generate anonymized statistics and aggregate reports

2.6 Marketing (with consent)

  • Send promotional emails about new features, special offers, and company updates
  • Display targeted advertising on third-party platforms (Google, Facebook, LinkedIn)
  • Track advertising effectiveness and attribution

2.7 Legal Compliance

  • Comply with applicable laws and regulations
  • Respond to legal requests, court orders, and government investigations
  • Enforce our Terms & Conditions and other agreements
  • Protect our rights, property, and safety, and that of our users
  • Maintain records for tax and accounting purposes

3. How We Share Your Information

We do not sell, rent, or trade your personal information. We share information only in the following circumstances:

3.1 Service Providers

We share data with trusted third-party services that help us operate our business. These providers are contractually obligated to protect your data and use it only for the purposes we specify:

  • Stripe: Payment processing, subscription billing, partner payout distribution via Stripe Connect
  • Convex: Database hosting, real-time data synchronization, user authentication services
  • UploadThing: Secure file storage and delivery for brand assets, logos, photos, videos, and project materials
  • Cloudflare: Website hosting, content delivery network (CDN), DDoS protection, SSL/TLS encryption
  • Microsoft Graph API: Transactional email delivery (order confirmations, deadline reminders, notifications) from noreply@onedayweb.io
  • Webflow: Website building platform, website hosting, final website delivery
  • Upstash Redis: API rate limiting and abuse prevention
  • Sentry: Error tracking, performance monitoring, application diagnostics
  • Google Analytics: Website traffic analysis and user behavior tracking
  • PostHog: Product analytics, feature usage tracking, user journey analysis
  • Facebook Pixel: Advertising attribution, conversion tracking, audience building
  • LinkedIn Insight Tag: Campaign performance tracking, professional audience insights

3.2 Business Transfers

If OneDayWeb or Cardow & Co Pty Ltd is involved in a merger, acquisition, asset sale, bankruptcy, or other business transaction, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website before your information is transferred and becomes subject to a different privacy policy.

3.3 Legal Requirements

We may disclose your information if required to do so by law or in response to valid legal requests, including:

  • Court orders, subpoenas, or other legal processes
  • Government or regulatory investigations
  • Law enforcement requests
  • Protection of our legal rights or the rights of others
  • Prevention of fraud, abuse, or illegal activity
  • Protection of the safety of our users or the public

3.4 Partner Referral Attribution

When you use a partner referral code, we share limited attribution data with the referring partner (order date, project total, commission amount, referral status) but not your personal contact details, project specifics, or payment information.

3.5 With Your Consent

We may share information with third parties when you explicitly consent to such sharing (e.g., connecting your Webflow account for website delivery).

4. International Data Transfers

OneDayWeb operates from Australia, but our services rely on cloud infrastructure located in various countries, primarily the United States. When you use our services, your data may be transferred to, stored in, and processed in countries other than Australia, including:

  • United States: Convex (AWS), UploadThing (AWS/Cloudflare), Stripe
  • European Union: Stripe, Cloudflare (data centers)
  • Global Network: Cloudflare CDN (distributed worldwide)

These countries may have different data protection laws than Australia. When we transfer data internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): For transfers to countries without adequate data protection laws
  • Adequacy Decisions: Relying on jurisdictions recognized by the Australian Privacy Commissioner or European Commission
  • Data Processing Agreements: Contractual obligations with service providers to protect your data
  • Encryption: Data encrypted in transit (SSL/TLS) and at rest where applicable

For EU/UK Users: We comply with GDPR requirements for international data transfers. Our service providers are certified under relevant frameworks (e.g., EU-U.S. Data Privacy Framework where applicable) or have implemented appropriate safeguards.

5. Data Security

We implement industry-standard security measures to protect your information from unauthorized access, disclosure, alteration, and destruction:

5.1 Technical Safeguards

  • Encryption: SSL/TLS encryption for all data transmission between your browser and our servers
  • Secure Authentication: Passwordless login via Convex Auth, OAuth 2.0 for third-party providers
  • PCI Compliance: Stripe handles all credit card processing in compliance with PCI-DSS standards
  • API Rate Limiting: Upstash Redis protects against brute force attacks and API abuse
  • Access Controls: Role-based access restrictions, admin-only features, project ownership verification
  • File Upload Security: UploadThing validates file types, enforces size limits, scans for malware
  • Database Security: Convex provides encrypted data storage, automatic backups, secure APIs

5.2 Organizational Safeguards

  • Regular security audits and penetration testing
  • Employee training on data protection best practices
  • Limited access to personal information on a need-to-know basis
  • Incident response procedures for data breaches
  • Continuous monitoring for suspicious activity

5.3 Limitations

While we implement strong security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your information. You are responsible for maintaining the confidentiality of your authentication credentials and notifying us immediately if you suspect unauthorized access to your account.

6. Data Retention

We retain your information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements:

6.1 Active Accounts

  • Account Data: Retained while your account is active
  • Project Data: Retained for the duration of your account and for 12 months after project completion
  • Brand Assets & Files: Stored indefinitely via UploadThing unless you request deletion
  • Communication History: Retained for reference and support purposes while your account is active

6.2 After Account Deletion

When you request account deletion or close your account:

  • Personal Information: Deleted within 30 days, except where retention is required by law
  • Project Files & Assets: Deleted within 30 days unless you've downloaded them or requested extended retention
  • Transaction Records: Retained for 7 years to comply with Australian taxation laws (ATO requirements)
  • Anonymized Data: May be retained indefinitely for analytics and reporting (all personally identifiable information removed)

6.3 Legal Retention Requirements

  • Tax Records: 7 years (Australian Taxation Office requirements)
  • Payment Data: Stripe retains payment records according to payment card industry regulations
  • Dispute Resolution: Information may be retained longer if involved in legal proceedings or disputes

6.4 Early Deletion Requests

You may request earlier deletion of your data by contacting us at privacy@onedayweb.io. We will honor such requests where legally permissible and technically feasible.

7. Your Privacy Rights

Depending on your location, you have various rights regarding your personal information:

7.1 Universal Rights (All Users)

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate, incomplete, or outdated data
  • Deletion: Request deletion of your personal information (subject to legal retention requirements)
  • Portability: Request a copy of your data in a structured, machine-readable format (JSON/CSV)
  • Objection: Object to processing of your data for certain purposes (e.g., marketing)
  • Restriction: Request restriction of processing in certain circumstances
  • Withdrawal of Consent: Withdraw consent for data processing where consent was the legal basis

7.2 Australian Privacy Principles (APP) Rights

As an Australian company, we comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. You have the right to:

  • Know why we collect personal information and how we use it
  • Access your personal information held by us
  • Correct inaccurate or incomplete information
  • Complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the Privacy Act

7.3 GDPR Rights (EU/UK Users)

If you are located in the European Union or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR):

  • Right to be Informed: Clear information about how we collect and use your data
  • Right to Erasure: "Right to be forgotten" in certain circumstances
  • Right to Restrict Processing: Limit how we use your data while you contest its accuracy or lawfulness
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Object: Object to direct marketing and automated decision-making
  • Rights Related to Automated Decision-Making: We do not make solely automated decisions with legal or significant effects
  • Right to Lodge a Complaint: Contact your local data protection authority (supervisory authority)

7.4 CCPA Rights (California Users)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request disclosure of what personal information is collected, used, shared, and sold
  • Right to Delete: Request deletion of personal information (with exceptions)
  • Right to Opt-Out of Sale: We do not sell personal information, so this right does not apply
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
  • Authorized Agent: You may designate an authorized agent to make requests on your behalf

7.5 How to Exercise Your Rights

To exercise any of these rights, contact us at:

Email: privacy@onedayweb.io
Mail: Cardow & Co Pty Ltd, PO Box 299, Unit 1/12 Blackall St, Woombye QLD 4559, Australia

We will respond to your request within:

  • Australia (APP): 30 days
  • EU/UK (GDPR): 30 days (may extend to 60 days for complex requests)
  • California (CCPA): 45 days (may extend to 90 days for complex requests)

We may require verification of your identity before processing requests to protect your privacy and security.

8. Legal Basis for Processing (GDPR Compliance)

For users in the European Union and United Kingdom, we process your data under the following legal bases:

  • Contractual Necessity: Processing required to deliver our services, process payments, and fulfill our contractual obligations to you
  • Consent: Where you have provided explicit consent (e.g., marketing emails, analytics cookies, OAuth authentication)
  • Legitimate Interests: Business operations, fraud prevention, service improvement, internal analytics, protecting our legal rights (balanced against your privacy rights)
  • Legal Obligation: Compliance with applicable laws (taxation, financial reporting, legal requests)

You have the right to withdraw consent at any time where consent is the legal basis for processing. This will not affect the lawfulness of processing prior to withdrawal.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to provide, improve, and secure our services. For detailed information about the cookies we use and your choices, please see our Cookies Policy.

9.1 Types of Cookies We Use

  • Essential Cookies: Required for authentication (Convex Auth), session management, security features
  • Preference Cookies: Remember your settings, language preferences, theme choices
  • Analytics Cookies: Google Analytics, PostHog (track usage patterns, measure performance)
  • Marketing Cookies: Facebook Pixel, LinkedIn Insight Tag (advertising attribution, retargeting)
  • Webflow Cookies: If you visit our marketing site at onedayweb.io, Webflow may set cookies for site functionality

9.2 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using certain features of our service.

10. Marketing Communications

10.1 Types of Communications

We may send you:

  • Transactional Emails: Order confirmations, payment receipts, project updates, deadline reminders, status notifications (you cannot opt out of these as they are essential to the service)
  • Marketing Emails: Promotional offers, new features, company updates, industry insights (you can opt out at any time)

10.2 Opt-Out Options

You can opt out of marketing communications by:

  • Clicking "Unsubscribe" in any marketing email
  • Updating your email preferences in your account settings
  • Contacting us at info@onedayweb.io

Even if you opt out of marketing emails, we will still send transactional emails related to your projects and account.

11. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child under 18, please contact us immediately at privacy@onedayweb.io and we will delete the information as soon as possible.

12. Third-Party Links

Our website and application may contain links to third-party websites, services, and integrations (e.g., Webflow, Stripe, Google). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.

Third-party services we link to or integrate with:

  • Webflow (website delivery platform)
  • Stripe (payment processing and partner payouts)
  • Google OAuth (authentication)
  • Social media platforms (if sharing or logging in via social accounts)

13. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you and relevant authorities as required by applicable laws:

  • Australia (Notifiable Data Breaches Scheme): Notify the OAIC and affected individuals within a reasonable time if serious harm is likely
  • EU/UK (GDPR): Notify supervisory authorities within 72 hours and affected individuals without undue delay
  • California (CCPA): Notify affected individuals in accordance with California Civil Code § 1798.82

Notifications will include the nature of the breach, the data affected, steps we are taking to address the breach, and actions you can take to protect yourself.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make changes:

  • We will update the "Last Updated" date at the top of this policy
  • Material changes will be communicated via email or prominent notice on our website
  • Continued use of our services after changes constitutes acceptance of the updated policy
  • Previous versions of this policy will be archived and available upon request

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

OneDayWeb
(Trading name of Cardow & Co Pty Ltd)
ABN: 66 678 386 073

Email: privacy@onedayweb.io
General Inquiries: info@onedayweb.io
Contact Form: onedayweb.io/contact

Mailing Address:
PO Box 299
Unit 1/12 Blackall St
Woombye QLD 4559
Australia

16. Regulatory Complaints

If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with the relevant regulatory authority:

16.1 Australia

Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au

16.2 European Union/United Kingdom

Contact your local data protection authority (supervisory authority). A list of EU data protection authorities is available at: edpb.europa.eu/about-edpb/board/members_en

16.3 California

California Attorney General's Office
Website: oag.ca.gov/contact

17. Additional Information for Specific Jurisdictions

17.1 Australian Users

We comply with the Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth). Our practices align with the principles of transparency, consent, security, and individual access to information.

17.2 European Union/United Kingdom Users

We comply with the General Data Protection Regulation (GDPR) and UK Data Protection Act 2018. Our data controller details are listed in Section 15 (Contact Us). We have implemented appropriate technical and organizational measures to ensure GDPR compliance, including data processing agreements with all service providers handling EU/UK data.

17.3 California Users

Under the California Consumer Privacy Act (CCPA), we provide the following disclosures:

  • Categories of Personal Information Collected: Identifiers, commercial information, internet activity, professional information (see Section 1)
  • Sources of Information: Directly from you, automatically from your device, from third parties (OAuth providers, payment processors)
  • Business Purposes: Service delivery, communication, analytics, fraud prevention (see Section 2)
  • Third Parties We Share With: Service providers only (see Section 3) - we do not sell personal information
  • No Sale of Personal Information: We have not sold personal information in the past 12 months and do not sell it

This Privacy Policy is effective as of the "Last Updated" date shown above. By using OneDayWeb services, you acknowledge that you have read and understood this Privacy Policy.