1. Who We Are
Episode Ltd. ("Episode," "we," "us," or "our") is a company registered in England and Wales. We operate the Episode platform at www.useepisode.com, including our landing page builder, A/B testing engine, AI generation tools, rendering service, and all related services (collectively, the "Service").
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR), Episode Ltd. is the data controller for personal data we collect directly from you as a user of our platform.
This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Service, visit our website, or interact with us in any way. It is designed to comply with the UK GDPR, EU GDPR, the Data Protection Act 2018, and the California Consumer Privacy Act (CCPA/CPRA).
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Identity data: First name, last name
- Contact data: Email address
- Credentials: Password (stored using industry-standard hashing; we never store plaintext passwords)
- Subscription data: Plan type (Free, Basic, or Pro), billing cycle, subscription status
2.2 Payment Information
We use Stripe as our payment processor. When you subscribe to a paid plan or purchase AI credits, Stripe collects and processes your payment information (credit card number, billing address). We store only your Stripe customer ID and payment intent references; we never store full credit card numbers on our servers.
2.3 Content You Create
When you use Episode to build and publish websites, we store:
- Website data: Website names, page titles, descriptions, section content (code/markup), design configurations, SEO settings, and theme/branding preferences
- Form configurations: Form field structures, validation rules, delivery routes (email addresses, webhook URLs), and CRM field mappings you configure
- AI conversation history: Prompts and responses from your interactions with our AI builder to generate page content
- Domain settings: Custom domain names and subdomain preferences you configure
2.4 Data Collected Through Your Published Websites
When visitors interact with websites you publish through Episode, we collect data on your behalf to power our analytics and A/B testing features:
- Analytics data: Page views, unique visitors, time on page, conversion events, and section-level engagement metrics
- A/B testing data: Which variant a visitor sees, conversion outcomes, and statistical performance metrics
- Form submissions: Data that visitors submit through forms on your published pages; this is stored and delivered to you according to your form configuration (email, webhook, or CRM integration)
- UTM parameters: Campaign tracking parameters passed through URLs
Important: As a website publisher using Episode, you are the data controller for any personal data collected from your website visitors. You are responsible for ensuring your own compliance with applicable privacy laws, including providing your visitors with appropriate privacy notices.
2.5 Third-Party Integration Data
If you connect CRM, marketing, or design integrations, we store:
- OAuth tokens: For HubSpot, Salesforce, Mailchimp, Zoho, Freshworks, Brevo, Google Sheets, Notion, and Figma integrations (encrypted at rest)
- Webhook configurations: URLs and HMAC signing secrets for webhook delivery
- Google Analytics & Facebook Pixel IDs: Tracking identifiers you choose to add to your websites
- Figma design data: When you paste a Figma frame URL, we call the Figma REST API to retrieve metadata for that single file (GET /v1/files/{key}), the design tree for the specific frame you selected (GET /v1/files/{key}/nodes?ids=...), and PNG renders of image fills within that frame (GET /v1/images/{key}). We do not enumerate your Figma projects or teams, do not bulk-export files, and do not index Figma content for search or AI model training. The simplified design tree, raw node data, and exported image URLs are used only during the active conversion job; once the job completes (typically under 60 seconds), these fields are purged from our job record. The generated React/Tailwind code is stored in your website as editable sections. Exported images use temporary Figma-hosted URLs that expire after approximately 14 days
- Notion content data: When you import a Notion page, we read only the page you select (and its block children) via the Notion API. Notion-hosted images and files in that page are downloaded and rehosted to our S3 because Notion's asset URLs expire after about one hour; external/CDN URLs are kept as-is. The same Notion connection serves both content imports and form-submission deliveries
2.6 Automatically Collected Technical Data
When you use our Service, we automatically collect:
- Log data: IP address, browser type, operating system, referring URLs, pages viewed, and timestamps
- Performance data: Core Web Vitals metrics, page load times, and client-side error reports for published websites
- Usage data: Features used, AI credits consumed, number of websites created, and actions performed within the builder
2.7 Vision Analysis Data
If you use our Vision Analysis feature, you may provide a URL or upload a document. We process this data to extract brand information (colors, fonts, tone, page structure) to help generate brand-matched pages. Uploaded documents are processed temporarily and are not permanently stored after analysis is complete.
3. How We Use Your Information
We use your information for the following purposes:
- Provide and operate the Service: Creating your account, building and publishing your websites, running A/B tests, delivering form submissions, and processing payments
- AI-powered features: Generating landing page content based on your prompts, analyzing brand assets through Vision Analysis, and improving AI output quality
- Analytics and optimization: Providing you with website analytics dashboards, A/B test results, and conversion metrics
- CRM integrations: Syncing form submission data to your connected CRM platforms (HubSpot, Salesforce, Brevo, etc.)
- Billing and account management: Processing subscription payments, managing AI credit balances, and sending billing-related communications
- Service improvement: Understanding how users interact with our platform to improve features, fix bugs, and optimize performance
- Security: Detecting and preventing fraud, abuse, and unauthorized access
- Communication: Sending transactional emails (account verification, password resets, billing receipts), performance alerts, and A/B test notifications
- Legal compliance: Meeting our legal obligations, resolving disputes, and enforcing our agreements
4. Legal Bases for Processing (UK GDPR & EU GDPR)
As a UK-registered company, we process all personal data in accordance with the UK GDPR and the Data Protection Act 2018. For users in the European Economic Area, we also comply with the EU GDPR. We rely on the following legal bases for processing:
- Contract performance (Article 6(1)(b)): Processing necessary to provide the Service you subscribed to, including account management, website building, publishing, analytics, A/B testing, and form delivery
- Legitimate interests (Article 6(1)(f)): Service improvement, security, fraud prevention, and aggregate analytics, where these interests are not overridden by your data protection rights. You have the right to object to processing based on legitimate interests at any time
- Consent (Article 6(1)(a)): Where required, such as for marketing communications or non-essential cookies; you may withdraw consent at any time without affecting the lawfulness of prior processing
- Legal obligation (Article 6(1)(c)): Where processing is required to comply with UK, EU, or other applicable law (e.g., financial record-keeping, responding to lawful data requests)
4.1 Data Processing Roles
When you use Episode as a platform user: Episode Ltd. is the data controller. We determine the purposes and means of processing your account data, usage data, and billing data.
When your website visitors submit data through your published sites: You are the data controller and Episode acts as a data processor on your behalf. We process visitor form submissions, analytics events, and A/B test data solely to provide the Service to you. If you require a Data Processing Agreement (DPA), please contact us at support@useepisode.com.
5. How We Share Your Information
We do not sell your personal data. We share information only in these circumstances:
- Payment processing: Stripe receives payment information to process transactions
- Email delivery: Amazon Simple Email Service (SES) processes transactional emails on our behalf
- CRM integrations: When you connect a CRM integration, form submission data is sent to your chosen provider (HubSpot, Salesforce, Brevo, etc.) according to your field mappings
- Webhooks: When you configure webhook delivery, form data is sent to your specified endpoints
- Cloud infrastructure: Our Service runs on Google Cloud (Google Cloud Run for compute and Google Cloud Pub/Sub for job orchestration) and Amazon Web Services (AWS S3 for storage and AWS SES for email). These providers may process data as part of hosting
- Content delivery and custom domains: Cloudflare provides DNS, TLS certificate provisioning, and edge routing for custom domains you connect to your published websites
- AI providers: Prompts and generated content are processed by third-party AI model providers (OpenAI, Anthropic, and Google, via the Gemini API on a paid tier) to power our AI generation, brand extraction, and design import features. These providers process data under their commercial API terms and, on the tiers we use, do not use your prompts or outputs to train their models
- Stock imagery: When AI generation requires illustrative imagery, we query the Pexels API. Only the search query is sent (no account or visitor data)
- Figma: When you connect your Figma account, we access your Figma files via the Figma API to retrieve design data for import. We do not store your Figma credentials beyond the encrypted OAuth tokens needed for the connection
- Notion: When you connect your Notion workspace, we access only the pages and databases you explicitly grant the Episode integration via Notion's OAuth consent flow. The same connection powers both Notion form-submission delivery and Notion page imports; disconnecting affects both. We do not store your Notion credentials beyond the encrypted OAuth tokens needed for the connection
- Analytics scripts you add: If you add Google Analytics or Facebook Pixel tracking IDs to your websites, those third parties will collect data from your website visitors according to their own privacy policies
- Legal requirements: We may disclose information if required by law, legal process, or government request
- Business transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction
6. Data Retention
We aim to retain personal data only for as long as necessary for the purposes described in this policy. Indicative retention periods are:
- Account data: Retained while your account is active, plus up to 30 days after deletion to allow for account recovery
- Website content: Retained while your account is active. Published websites are taken offline when your account is deactivated or deleted
- Form submissions: Retained according to your account plan limits, or until you manually delete them
- Analytics data: We aim to retain visitor-level analytics for up to 24 months, after which records are aggregated or deleted
- AI conversation history: We aim to retain prompt and response history for up to 12 months to support ongoing builder sessions
- Payment records: Retained as required by financial and tax regulations (typically up to 7 years)
- Log data: We aim to retain server and application logs for up to 90 days for security and debugging purposes
Where retention is governed by automated processes, those processes may run on a periodic schedule, which can result in records being removed shortly after the indicative period above. Where you exercise your right to erasure (Section 9), we will act within the statutory time limits regardless of the periods above.
7. Data Security
We implement industry-standard security measures to protect your data:
- All data transmitted between your browser and our servers is encrypted using TLS (HTTPS)
- Passwords are hashed using bcrypt before storage
- API keys, OAuth tokens, and integration credentials are encrypted at rest
- Webhook payloads are signed with HMAC to ensure authenticity
- Custom domains use automatic SSL certificate provisioning
- We conduct regular security reviews of our codebase and infrastructure
While we take reasonable measures to protect your information, no method of internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security.
8. International Data Transfers
Episode Ltd. is based in the United Kingdom. Some of the third-party services we use (such as Google Cloud, AWS, Cloudflare, Stripe, OpenAI, Anthropic, and Google) may process data in the United States or other countries outside the UK and EEA.
When personal data is transferred outside the UK, we ensure adequate protection through one or more of the following safeguards in accordance with UK GDPR Article 46:
- UK International Data Transfer Agreement (IDTA): The UK equivalent of Standard Contractual Clauses, approved by the ICO
- EU Standard Contractual Clauses (SCCs): For transfers originating from the EEA, we use SCCs approved by the European Commission, supplemented with the UK Addendum where applicable
- Adequacy decisions: Where the UK Secretary of State or the European Commission has determined that the destination country provides adequate data protection
You may request a copy of the relevant safeguards by contacting us at support@useepisode.com.
9. Your Rights
9.1 Rights for All Users
Regardless of your location, you can:
- Access your data: View and export your account information and website content through your dashboard
- Correct your data: Update your name, email, and other account details through your account settings
- Delete your account: Request complete deletion of your account and associated data by contacting us
- Disconnect integrations: Remove CRM connections and revoke API access at any time through integration settings
9.2 Your Rights Under UK GDPR & EU GDPR
As a UK-registered data controller, we uphold the following rights for all users under the UK GDPR. These rights also apply under the EU GDPR for users in the EEA:
- Right of access (Article 15): Request a copy of all personal data we hold about you
- Right to rectification (Article 16): Request correction of inaccurate or incomplete personal data
- Right to erasure (Article 17): Request deletion of your personal data where there is no compelling reason for continued processing
- Right to data portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format
- Right to restrict processing (Article 18): Request that we limit processing of your data in certain circumstances
- Right to object (Article 21): Object to processing based on legitimate interests, including profiling. We will stop processing unless we demonstrate compelling legitimate grounds
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
- Right to lodge a complaint: You have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk, or to your local EEA supervisory authority if you are based in the EEA
To exercise any of these rights, contact us at support@useepisode.com. We will respond to your request within one month, as required by law. We may extend this period by a further two months for complex or numerous requests, and will inform you if this is the case.
9.3 California Privacy Rights (CCPA/CPRA)
California residents have additional rights under the CCPA/CPRA:
- Right to know: What personal information we collect, use, and disclose
- Right to delete: Request deletion of your personal information
- Right to opt-out of sale: We do not sell personal information
- Non-discrimination: We will not discriminate against you for exercising your rights
10. Children's Privacy
Our Service is not intended for anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will promptly delete that information. If you believe a child under 16 has provided us with personal data, please contact us at support@useepisode.com.
11. Third-Party Links and Scripts
Our Service allows you to add third-party tracking scripts (Google Analytics, Facebook Pixel) and custom scripts to your published websites. We are not responsible for the privacy practices of these third parties. When you add such scripts, you are responsible for informing your website visitors about the data collection those scripts perform.
Our website and Service may also contain links to third-party websites. This Privacy Policy does not apply to those websites, and we encourage you to review their privacy policies independently.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a prominent notice on our website prior to the changes taking effect. We encourage you to review this policy periodically.
Your continued use of the Service after the updated policy takes effect constitutes acceptance of the revised Privacy Policy.
13. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
UK supervisory authority: You may also lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
EEA supervisory authorities: If you are based in the EEA, you may contact your local data protection authority. A list of EEA supervisory authorities is available on the European Data Protection Board website.