// Legal
Privacy Policy
Last updated: July 4, 2026
This Privacy Policy explains how 0bricks collects, uses, shares and protects your personal data when you use the 0bricks website and platform (the "Services"), and the rights you have over your data. We handle personal data in line with the Data Protection Act, 2024 of Malawi (the "Act"). This policy works alongside our Terms of Service and Acceptable Use Policy.
0bricks is operated by 0bricks, a business registered in the Republic of Malawi. For the purposes of the Act, we are the data controller for the personal data described here, and you can reach us at support@0bricks.com.
1. About this policy
This policy applies to personal data we process when you visit 0bricks.com, create an account, build and host sites, buy Credits or hosting, register or connect a domain, or contact support. "Personal data" means information that identifies you or could reasonably be linked to you, such as your name, email address, IP address or account identifiers. By using the Services you acknowledge this policy; where the Act requires your consent, we ask for it separately.
2. Who we are
We are the data controller responsible for your personal data. The supervisory authority for data protection in Malawi is the Malawi Communications Regulatory Authority (MACRA), which acts as the Data Protection Authority under the Act. You have the right to complain to MACRA about how we handle your data (see section 14).
3. Personal data we collect
- Account data
- your name and email address and an account identifier, provided through our login provider when you sign up or sign in.
- Content you create
- the prompts, text, images, files and site content you input or generate. You choose what goes into this content; please do not include sensitive personal data (see section 3 below).
- Usage and technical data
- log data such as your IP address, device and browser information, pages and features used, timestamps, error reports, and metering of your AI and compute usage.
- Payment data
- records of your orders and their status. Card and mobile-money details are handled by our payment partner; we do not store full payment credentials.
- Support data
- the content of support tickets and emails you send us, and our replies.
- Domain registration data
- if you register a domain, the registrant contact details required by the registrar, the registry and ICANN (such as name, address, email and phone number).
Sensitive personal data
We do not ask for and you should not upload sensitive personal data — such as biometric data, health data, race or ethnic origin, religious belief, or political opinion — into the Services. If you choose to include such data in your content, you are responsible for having a lawful basis to do so.
4. How we use your data and our legal basis
Under the Act, we process your personal data on one or more of these legal bases:
- To provide the Services — performance of a contract
- creating and running your account, generating and hosting your sites, processing payments, registering and connecting domains, and giving you support.
- To keep the Services safe and improve them — legitimate interests
- securing the platform, preventing fraud and abuse, diagnosing errors, and understanding how the Services are used, in a way that does not override your rights.
- To meet our legal duties — legal obligation
- keeping billing and tax records and responding to lawful requests from authorities.
- Where you agree — consent
- for optional things such as non-essential analytics or marketing messages. You can withdraw consent at any time, and doing so does not affect processing carried out before you withdrew.
We do not use your content to train general-purpose AI models. Your prompts and related data are sent to AI providers only to generate the output you request (see section 9), and we may use anonymised or aggregated data — which no longer identifies you — for any lawful purpose.
5. How we handle your data
We follow the data-protection principles in the Act. In practice this means we:
- process your data lawfully, fairly and transparently;
- collect it for specific, stated purposes and do not use it in incompatible ways;
- limit it to what we actually need for those purposes;
- take reasonable steps to keep it accurate and up to date;
- keep it only for as long as we need it (see section 8); and
- protect it with appropriate security measures (see section 6).
6. How we protect your data
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, loss or destruction. These include encryption of data in transit, access controls, and monitoring, and we review and update these measures as risks change. No system is completely secure, so we cannot guarantee absolute security, but we work to protect your data at a level appropriate to its sensitivity.
7. Data breaches
If a personal-data breach occurs, we will notify MACRA within seventy-two (72) hours of becoming aware of it. Where the breach is likely to be of high risk to your rights, we will also notify you within seventy-two (72) hours, describing what happened, the likely consequences, and the steps we are taking to address it.
8. How long we keep your data
We keep personal data only for as long as necessary for the purposes described in this policy, or for as long as the law requires us to. When you close your account, we deactivate your sites and delete or anonymise your personal data within a reasonable period, except where we must keep certain records — for example billing and tax records — to meet a legal obligation, or where data is retained in backups for a limited time before deletion.
10. International transfers
Some of our service providers operate outside Malawi, so providing the Services involves transferring your personal data to other countries. Where we transfer your data abroad, we do so only where the recipient provides an adequate level of protection under the Act, or where a permitted condition applies — for example, the transfer is necessary to perform our contract with you, or you have consented to it after being informed of the risks. We keep a record of the basis for each such transfer, and we use contractual and technical safeguards to protect your data in transit and at rest.
12. Children
The Services are intended for people aged 18 and over. We do not knowingly collect personal data from a child (a person under 18) without the consent of a parent or legal guardian. If you are a parent or guardian and believe a child has provided us personal data without your consent, contact us and we will take reasonable steps to delete it.
13. Your rights
Under the Act, you have the following rights over your personal data:
- Access
- to be told whether we process your data and to receive a copy, in a commonly used electronic format, normally within thirty (30) days of your request.
- Portability
- to receive data you gave us in a structured, machine-readable format, or have it sent to another controller, normally within thirty (30) days.
- Rectification
- to have inaccurate data corrected or incomplete data completed, normally within fourteen (14) days.
- Erasure
- to have your data deleted where there is no lawful ground to keep it.
- Restriction
- to ask us to limit how we process your data in certain circumstances.
- Objection
- to object to processing based on our legitimate interests, and to object at any time to the use of your data for direct marketing.
- Withdraw consent
- to withdraw any consent you gave, at any time.
14. Exercising your rights and complaints
To exercise any of these rights, contact us at support@0bricks.com. We may need to verify your identity before we act on your request, and we will respond within the time limits set out above or otherwise required by the Act. Where practicable, we provide this at no cost to you.
If you are not satisfied with how we handle your data or your request, you can lodge a complaint with MACRA. A complaint should generally be made within ninety (90) days of the action or inaction you are complaining about.
15. Automated decisions
We do not make decisions that produce a legal or similarly significant effect on you based solely on automated processing of your personal data. The AI features of the Services generate content in response to your prompts; they do not make binding decisions about you.
16. Changes to this policy
We may update this policy as our Services and legal requirements change. When we do, we update the "Last updated" date above and, for material changes, give reasonable notice through the Services or by email. Your continued use of the Services after the changes take effect means you acknowledge the updated policy.
17. Contact
For any question about this policy or your personal data, contact us at support@0bricks.com.