Back
0bricks

// Legal

Privacy Policy

Last updated: July 4, 2026

This Privacy Policy explains how 0bricks collects, uses, shares and protects your personal data when you use the 0bricks website and platform (the "Services"), and the rights you have over your data. We handle personal data in line with the Data Protection Act, 2024 of Malawi (the "Act"). This policy works alongside our Terms of Service and Acceptable Use Policy.

0bricks is operated by 0bricks, a business registered in the Republic of Malawi. For the purposes of the Act, we are the data controller for the personal data described here, and you can reach us at support@0bricks.com.

1. About this policy

This policy applies to personal data we process when you visit 0bricks.com, create an account, build and host sites, buy Credits or hosting, register or connect a domain, or contact support. "Personal data" means information that identifies you or could reasonably be linked to you, such as your name, email address, IP address or account identifiers. By using the Services you acknowledge this policy; where the Act requires your consent, we ask for it separately.

2. Who we are

We are the data controller responsible for your personal data. The supervisory authority for data protection in Malawi is the Malawi Communications Regulatory Authority (MACRA), which acts as the Data Protection Authority under the Act. You have the right to complain to MACRA about how we handle your data (see section 14).

3. Personal data we collect

Account data
your name and email address and an account identifier, provided through our login provider when you sign up or sign in.
Content you create
the prompts, text, images, files and site content you input or generate. You choose what goes into this content; please do not include sensitive personal data (see section 3 below).
Usage and technical data
log data such as your IP address, device and browser information, pages and features used, timestamps, error reports, and metering of your AI and compute usage.
Payment data
records of your orders and their status. Card and mobile-money details are handled by our payment partner; we do not store full payment credentials.
Support data
the content of support tickets and emails you send us, and our replies.
Domain registration data
if you register a domain, the registrant contact details required by the registrar, the registry and ICANN (such as name, address, email and phone number).

Sensitive personal data

We do not ask for and you should not upload sensitive personal data — such as biometric data, health data, race or ethnic origin, religious belief, or political opinion — into the Services. If you choose to include such data in your content, you are responsible for having a lawful basis to do so.

4. How we use your data and our legal basis

Under the Act, we process your personal data on one or more of these legal bases:

To provide the Services — performance of a contract
creating and running your account, generating and hosting your sites, processing payments, registering and connecting domains, and giving you support.
To keep the Services safe and improve them — legitimate interests
securing the platform, preventing fraud and abuse, diagnosing errors, and understanding how the Services are used, in a way that does not override your rights.
To meet our legal duties — legal obligation
keeping billing and tax records and responding to lawful requests from authorities.
Where you agree — consent
for optional things such as non-essential analytics or marketing messages. You can withdraw consent at any time, and doing so does not affect processing carried out before you withdrew.

We do not use your content to train general-purpose AI models. Your prompts and related data are sent to AI providers only to generate the output you request (see section 9), and we may use anonymised or aggregated data — which no longer identifies you — for any lawful purpose.

5. How we handle your data

We follow the data-protection principles in the Act. In practice this means we:

  • process your data lawfully, fairly and transparently;
  • collect it for specific, stated purposes and do not use it in incompatible ways;
  • limit it to what we actually need for those purposes;
  • take reasonable steps to keep it accurate and up to date;
  • keep it only for as long as we need it (see section 8); and
  • protect it with appropriate security measures (see section 6).

6. How we protect your data

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, loss or destruction. These include encryption of data in transit, access controls, and monitoring, and we review and update these measures as risks change. No system is completely secure, so we cannot guarantee absolute security, but we work to protect your data at a level appropriate to its sensitivity.

7. Data breaches

If a personal-data breach occurs, we will notify MACRA within seventy-two (72) hours of becoming aware of it. Where the breach is likely to be of high risk to your rights, we will also notify you within seventy-two (72) hours, describing what happened, the likely consequences, and the steps we are taking to address it.

8. How long we keep your data

We keep personal data only for as long as necessary for the purposes described in this policy, or for as long as the law requires us to. When you close your account, we deactivate your sites and delete or anonymise your personal data within a reasonable period, except where we must keep certain records — for example billing and tax records — to meet a legal obligation, or where data is retained in backups for a limited time before deletion.

9. Sharing and third parties

We do not sell your personal data. We share it only with service providers who process it on our behalf under a written contract, or where we are required to by law. These providers include:

Cloud infrastructure and hosting
to run the platform, store data, and host the sites you build.
Artificial-intelligence providers
to generate the code and content you request; your prompts are sent to them on a pass-through basis to produce your output.
Our payment partner
to process payments and settle your orders securely.
Our domain registrar partner
to register and manage domains; registrant data is shared with the registrar, the registry and ICANN as required to provide the domain.
Support and communication tools
to send you emails and to run our support operations.

We may also disclose personal data to authorities where we are legally required to, or to protect our rights, users or the public.

10. International transfers

Some of our service providers operate outside Malawi, so providing the Services involves transferring your personal data to other countries. Where we transfer your data abroad, we do so only where the recipient provides an adequate level of protection under the Act, or where a permitted condition applies — for example, the transfer is necessary to perform our contract with you, or you have consented to it after being informed of the risks. We keep a record of the basis for each such transfer, and we use contractual and technical safeguards to protect your data in transit and at rest.

11. Cookies and similar technologies

We use cookies and similar technologies that are strictly necessary to run the Services — for example to keep you signed in, route sessions, and protect against bots and abuse. These do not require your consent. Where we use optional analytics or similar technologies, we ask for your consent first and you can withdraw it at any time through your browser settings or our cookie controls.

We use the following third-party technologies to run, secure and improve the Services:

Sentry — error tracking, performance tracing and session replay
We use Sentry to capture errors, performance traces and logs so we can diagnose and fix problems. Sentry's Session Replay feature records a reconstruction of your interactions with the app — such as the pages you view and the actions you take — to help us debug issues, and our configuration may send data that includes personal data such as your account identifier and IP address. Replays are sampled, are used only to operate and improve the Services, and are subject to Sentry's own processing terms.
Cloudflare Turnstile — bot protection
We use Cloudflare Turnstile to distinguish humans from automated bots before you enter the build flow. It processes device and network signals to run this check and does not use tracking cookies to profile you across sites.
Cloudflare Web Analytics — privacy-first analytics
We use Cloudflare Web Analytics to understand aggregate traffic and performance. It is cookieless, does not fingerprint visitors, and does not track you across other websites.

12. Children

The Services are intended for people aged 18 and over. We do not knowingly collect personal data from a child (a person under 18) without the consent of a parent or legal guardian. If you are a parent or guardian and believe a child has provided us personal data without your consent, contact us and we will take reasonable steps to delete it.

13. Your rights

Under the Act, you have the following rights over your personal data:

Access
to be told whether we process your data and to receive a copy, in a commonly used electronic format, normally within thirty (30) days of your request.
Portability
to receive data you gave us in a structured, machine-readable format, or have it sent to another controller, normally within thirty (30) days.
Rectification
to have inaccurate data corrected or incomplete data completed, normally within fourteen (14) days.
Erasure
to have your data deleted where there is no lawful ground to keep it.
Restriction
to ask us to limit how we process your data in certain circumstances.
Objection
to object to processing based on our legitimate interests, and to object at any time to the use of your data for direct marketing.
Withdraw consent
to withdraw any consent you gave, at any time.

14. Exercising your rights and complaints

To exercise any of these rights, contact us at support@0bricks.com. We may need to verify your identity before we act on your request, and we will respond within the time limits set out above or otherwise required by the Act. Where practicable, we provide this at no cost to you.

If you are not satisfied with how we handle your data or your request, you can lodge a complaint with MACRA. A complaint should generally be made within ninety (90) days of the action or inaction you are complaining about.

15. Automated decisions

We do not make decisions that produce a legal or similarly significant effect on you based solely on automated processing of your personal data. The AI features of the Services generate content in response to your prompts; they do not make binding decisions about you.

16. Changes to this policy

We may update this policy as our Services and legal requirements change. When we do, we update the "Last updated" date above and, for material changes, give reasonable notice through the Services or by email. Your continued use of the Services after the changes take effect means you acknowledge the updated policy.

17. Contact

For any question about this policy or your personal data, contact us at support@0bricks.com.