Privacy Policy
Last updated: 21 May 2026
This Privacy Policy explains what personal data Aranis collects, how we use it, who we share it with, and your rights under the Malaysian Personal Data Protection Act 2010 (PDPA). If anything here is unclear, email hello@aranis.site.
1. Who We Are
Aranis is an AI-assisted website builder operated from Malaysia. In this Policy, "Aranis", "we", and "our" refer to the entity providing the Aranis service. "You" refers to anyone using the service or visiting aranis.site.
2. What We Collect
We collect only data we need to run the service:
- Account data — your name, email address, and a hashed password. We never see your raw password.
- Technical data — IP address (retained in logs for ~30 days), browser user-agent, OS, and timestamps of logins and AI builds.
- Payment data — order IDs, amounts, payment status, your customer email passed to the payment provider. Card numbers and bank credentials never touch our servers — those stay with ToyyibPay.
- AI-prompt data — the form inputs you fill in when building a site (brand name, audience, copy framework, colour, etc.) plus the HTML our AI returns. We retain this so you can edit and re-publish, and to investigate abuse.
- Uploaded images — when you drag-drop an image in the prompt panel, we forward it to ImgBB (third party) and store the resulting URL.
- Site-visitor data — if you publish a site with our analytics tracker enabled (default), we log page-view events from your visitors. If you separately configure a Meta Pixel + Conversions API token, we forward server-side events to Meta on your behalf.
- Affiliate data — if you join our affiliate program, we store your referral slug, who you referred, and a ledger of commissions earned.
3. What We Don't Collect
- We don't sell your data to third parties.
- We don't run third-party analytics on aranis.site marketing pages — no Google Analytics, no Facebook tracking pixel on our own site.
- We don't collect data we don't need to run the service.
- We don't use your content to train AI models.
4. How We Use Data
- Authenticate you, so only you can edit your sites.
- Process payments and grant the correct plan tier.
- Run AI builds — we send your prompts to OpenRouter, which routes them to the AI model.
- Serve your published sites to your visitors.
- Investigate abuse (fake signups, prohibited content, payment fraud).
- Send transactional emails: verification, password reset, billing receipts, important account updates.
- We do not send marketing emails without your explicit opt-in.
5. Third Parties We Share Data With
We rely on the following providers to run Aranis. Each receives only the minimum data needed for its role.
- Supabase: Auth, database, file storage. Stores all account and project data. (Supabase's privacy policy)
- Vercel: Hosting and custom-domain certificate provisioning. Receives the HTTP request stream when you use the editor or your visitors view a published site. (Vercel's privacy policy)
- OpenRouter: AI inference proxy. Receives your prompt text and returns generated HTML. (OpenRouter's privacy policy)
- ImgBB: Public image-hosting CDN. Stores images you upload in the prompt panel; the resulting URLs are publicly accessible. (ImgBB's privacy policy)
- ToyyibPay: Payment processing. Receives your billing info to process subscriptions and top-up purchases. (ToyyibPay's privacy policy)
- Meta / Facebook: Only if you, the site owner, configure a Pixel ID and Conversions API token on your published site. Receives server-side conversion events from your visitors. (Meta / Facebook's privacy policy)
- Brevo: Transactional email delivery (verification, password reset, billing receipts). Receives recipient email and email content. (Brevo's privacy policy)
7. Where Your Data Lives
- The primary database (Supabase) is hosted in the Singapore region — the closest Asia-Pacific Supabase region to our Malaysian audience.
- Database backups are retained for 30 days inside Supabase.
- Vercel may cache rendered pages and static assets in edge points of presence (PoPs) worldwide to keep your sites fast for international visitors.
- Uploaded images live on ImgBB's CDN, which has global presence.
8. How Long We Keep Data
- Active accounts — as long as you have an account.
- Deleted accounts — 30 days in a soft-delete state (so you can recover if you change your mind), then permanently deleted.
- Logs — 30 days.
- Payment records — 7 years (Malaysian tax law and audit requirements).
- Affiliate commission records — 7 years (same reason).
9. Your Rights Under PDPA
Under Malaysia's Personal Data Protection Act 2010, you have the right to:
- Access the personal data we hold about you — email hello@aranis.site and we'll send a copy within 21 days.
- Correct inaccurate data — most fields are editable at /account/profile; for others, email us.
- Withdraw consent — you can delete your account at any time from /account/profile, which removes all personal data subject to the retention rules in section 8.
- Limit processing — you can disable the analytics tracker on individual sites at /account/sites.
- Lodge a complaint with the Personal Data Protection Department (JPDP): www.pdp.gov.my.
10. Security Measures
- Encryption in transit — TLS 1.2+ on all connections (Vercel-managed certificates).
- Encryption at rest — Supabase encrypts the database disk. We additionally encrypt sensitive user-side credentials (payment-provider API keys uploaded by users) with an AES-256 key before storing.
- Row-Level Security (RLS) — enforced on every user-data table. Users cannot read each other's data even if a query is malformed.
- Service-role access — limited to server-side code that needs cross-user reads (admin tools, billing reconciliation, public site rendering).
- Passwords — we don't store raw passwords. Supabase hashes them with bcrypt-equivalent before storage.
11. Children
Aranis is not directed at children under 13. We do not knowingly collect data from anyone under 13. If you believe we have, email us at hello@aranis.site and we'll delete it.
12. Changes to This Policy
We may update this Policy. Material changes will be notified via email to all active account holders at least 14 days before the effective date. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact
For any privacy questions, email hello@aranis.site.
