Privacy

Last updated: June 12, 2026

1. Who We Are

This Privacy Policy explains how Paragraph CMS ("Paragraph", "we", "us", or "our") collects, uses, discloses, and protects personal data when you use:

  • paragraphcms.com

  • app.paragraphcms.com

  • api.paragraphcms.com

  • cdn.paragraphcms.com

  • related product, support, billing, and documentation pages that we control

Data controller:

  • Legal name: BUGSPACE GRZEGORZ PIECHNIK

  • Business form: sole proprietor registered in Poland

  • NIP: 5170424581

  • REGON: 521697638

  • Business address: ul. Aleksandra Dworskiego 40/5A, 37-700 Przemyśl, Podkarpackie, Poland

  • Contact email: [email protected]

  • Privacy contact: [email protected]

If you are using Paragraph CMS through an organization, company, client, employer, or other workspace owner, that organization may separately control some of the personal data stored in the workspace. Section 2 explains this role split.

2. Scope and Roles

Paragraph CMS is a multi-tenant SaaS CMS. Because of that, our privacy role depends on the type of data involved.

Paragraph acts as a controller for:

  • account creation and authentication data

  • organization membership and access-control data

  • billing and subscription administration data

  • support communications sent to us

  • service security, abuse prevention, audit, and operational logs

  • product preference data such as UI state, selected theme, and similar service settings

Paragraph generally acts as a processor or service provider for customer workspace content, meaning data a customer chooses to store, upload, edit, publish, or expose through Paragraph CMS, including:

  • page content

  • structured fields

  • media uploads

  • labels, statuses, and workflow metadata

  • content history and collaboration records

  • personal data that a customer includes inside CMS content

Customers remain responsible for determining whether they have a lawful basis to collect, upload, use, and publish personal data through Paragraph CMS and for providing any notices required to their own users, employees, contractors, or site visitors.

If you are a person mentioned in content stored by one of our customers, you should contact that customer first. We may need to forward your request to the relevant customer or act only on their instructions, unless law requires otherwise.

3. Categories of Personal Data We Process

3.1 Account and authentication data

We process:

  • email address

  • name

  • profile image or avatar, if provided

  • email verification status

  • one-time login code verification records

  • session identifiers and session expiry data

  • active organization and active team selections

  • IP address and user agent associated with sessions

Paragraph currently uses email-based one-time passcode authentication. We do not operate a password-based login flow in the current application code.

3.2 Organization and workspace administration data

We process:

  • organization name

  • organization slug

  • organization logo

  • organization plan, billing cycle, locale settings, trial status, and subscription status

  • membership records

  • team assignments

  • custom roles and permissions

  • invitation records, including invitee email, inviter, role, team, status, and expiry

3.3 Content and media data

We process data that users or customers choose to store in the CMS, including:

  • page titles

  • page body content

  • structured content fields

  • SEO metadata

  • language and translation records

  • publish dates

  • author and reviewer assignments

  • labels and statuses

  • uploaded images

  • media file names, alt text, MIME type, file size, dimensions, and related metadata

  • page history and activity log entries, including actor and change details

If you store personal data inside CMS content, structured fields, or media, that data will be processed as part of operating the service.

3.4 API and developer access data

We process:

  • API key metadata such as name, creation time, rate-limit configuration, request counters, and last request time

  • API key material necessary to authenticate API requests

  • request metadata needed to operate and protect the public API

3.5 Billing and subscription data

We process billing-related metadata such as:

  • customer ID

  • subscription ID

  • product or plan information

  • billing cycle

  • subscription state

  • number of paid locales

  • trial end date

We do not store full payment card details in the current Paragraph CMS codebase. Checkout and billing portal flows are handled by Polar and its payment partners.

3.6 Support and service communication data

We process:

  • support request type

  • support request description

  • your email address

  • your user ID

  • your name, if available

  • transactional emails such as login codes and organization invitations

  • onboarding follow-up emails sent after signup

3.7 AI and AI-provider data

If you use AI features, we may process:

  • prompts

  • selected text

  • page title and content context

  • translation text

  • SEO generation inputs

  • chosen AI model

  • provider API keys that you configure for your organization

In the current application, customer-configured AI provider keys are stored in encrypted form rather than as plaintext.

3.8 Technical, device, and usage data

We and our infrastructure providers may process technical and operational data such as:

  • IP address

  • user agent

  • timestamps

  • request path and method

  • error logs

  • service diagnostics

  • security and abuse-prevention signals

3.9 Browser storage, cookies, and similar technologies

The current application uses cookies and browser storage mainly for service operation and preferences, including:

  • authentication cookies

  • a sidebar state cookie

  • local storage for theme preference

  • local storage for onboarding dialog dismissal state

  • local storage for dismissed in-app news items

  • local storage for selected AI model

  • session storage for scroll restoration

The current application code does not set third-party behavioral advertising cookies, so this policy does not describe an advertising cookie program.

4. Sources of Personal Data

We collect personal data:

  • directly from you when you sign in, create or edit a profile, upload content, use AI tools, submit support requests, or manage a workspace

  • from other users in your organization, for example when they invite you to join a workspace

  • automatically from your device and browser when you access the service

  • from billing providers when a subscription, checkout, refund, or customer portal event is processed

  • from AI providers when necessary to return generated output or usage metadata

5. How We Use Personal Data and Our Legal Bases

Where the GDPR or similar laws apply, we rely on one or more of the following legal bases: performance of a contract, legitimate interests, legal obligation, and, where required, consent.

We use personal data for the following purposes:

| Purpose | Examples of data used | Legal basis |
| --- | --- | --- |
| Provide the service | account data, organization data, content, media, API keys, session data | performance of a contract |
| Authenticate users and manage access | email, OTP records, sessions, IP address, user agent, memberships, roles | performance of a contract; legitimate interests in security |
| Enable collaboration features | invites, member records, author/reviewer assignments, activity logs | performance of a contract; legitimate interests |
| Host, store, transform, and deliver content and media | page content, media uploads, metadata, CDN delivery data | performance of a contract |
| Process billing and subscription administration | customer IDs, subscription status, plan, billing cycle, locale count | performance of a contract; legal obligation; legitimate interests |
| Operate AI features | prompts, text selections, page context, model choice, provider key configuration | performance of a contract; legitimate interests in delivering requested features |
| Meter built-in AI usage and enforce plan limits | organization ID, customer ID, model, token usage, cost metrics | performance of a contract; legitimate interests |
| Send transactional and service messages | login codes, invitations, support replies, onboarding follow-up | performance of a contract; legitimate interests |
| Maintain security, prevent abuse, and debug incidents | IP address, user agent, logs, error events, session data | legitimate interests; legal obligation where applicable |
| Comply with law, enforce terms, and resolve disputes | any relevant records | legal obligation; legitimate interests |

Some personal data is required so that we can create your account, authenticate you, provide organization access, process support requests, or deliver paid features. If you do not provide required data, we may be unable to provide some or all of the service. Other data, such as profile images, certain workspace content, or optional support details, is provided at your discretion.

We do not use your account data for third-party behavioral advertising.

6. AI-Specific Disclosures

Paragraph CMS includes AI-assisted features for:

  • full page content generation

  • editor text improvement

  • SEO title and meta description generation

  • translation and re-translation

  • organization-level AI provider key management

6.1 Customer-configured AI providers

Customers may configure their own AI provider keys for one or more of the following providers:

  • OpenAI

  • Anthropic

  • Google AI

  • xAI

  • Groq

  • DeepSeek

If you use a customer-configured AI model, the content you submit to that feature may be sent to the selected provider to generate the requested output.

6.2 Built-in Paragraph AI

Paragraph also includes built-in AI functionality that, in the current codebase, uses OpenAI for certain Paragraph-managed flows. If you use those features, relevant prompts, text, and content context may be sent to OpenAI.

6.3 Web search inside page-content generation

In the current implementation, full page content generation requires an OpenAI model and has web browsing enabled by design. That means the system may use your prompt and page context to search the public web before producing a draft. If you use that feature, you should not submit confidential third-party material unless you are comfortable with it being used in that AI workflow.

6.4 AI usage metering

For Paragraph-managed AI usage, the system currently sends token, model, provider, and cost-related usage metadata to Polar to meter AI credit consumption and billing-related usage events.

6.5 Sensitive data warning

Unless you have independently assessed the legal and operational risk, do not use Paragraph CMS AI features for special categories of personal data, health data, biometric data, government IDs, financial account secrets, or other highly sensitive information.

7. When Data May Become Public

Paragraph CMS is designed to help customers publish content. As a result:

  • page content may be exposed through the API

  • media may be served through public CDN URLs

  • published assets may be cached at the edge

  • metadata such as titles, slugs, and alt text may become public if customers publish or expose them

Customers are responsible for deciding what content they publish. If you are a customer, do not place personal data into public fields or public media unless you intend that information to be public.

8. How We Share Personal Data

We may share personal data with the following categories of recipients:

  • hosting and infrastructure providers

  • database and storage providers

  • CDN and edge delivery providers

  • email delivery providers

  • billing, subscription, and customer-portal providers

  • AI model providers selected by Paragraph or by the customer

  • security, compliance, legal, and professional advisers where necessary

  • authorities, courts, regulators, or law enforcement where required by law or needed to protect rights and safety

  • a buyer, investor, or successor in connection with a merger, acquisition, financing, or asset sale, subject to appropriate confidentiality and lawful-transfer requirements

Based on the current product implementation, the key service providers involved may include:

  • Cloudflare, including Workers, R2 or compatible object storage, email delivery bindings, and CDN or edge delivery

  • Polar for checkout, subscriptions, billing portal access, subscription webhooks, and built-in AI usage metering

  • OpenAI for Paragraph-managed AI features

  • other AI providers configured by customers, such as Anthropic, Google AI, xAI, Groq, and DeepSeek

We share data only to the extent reasonably necessary to operate the service, comply with law, or protect the service and its users.

9. International Data Transfers

Because Paragraph CMS uses cloud infrastructure and third-party providers, personal data may be processed outside the country where you are located, including outside the EEA, UK, or Switzerland.

When required by law, we rely on appropriate safeguards for international transfers, which may include:

  • adequacy decisions

  • standard contractual clauses

  • additional contractual, technical, or organizational safeguards

Depending on the provider, destination country, and transfer path, we may also rely on another lawful transfer mechanism available under applicable law at the relevant time.

10. Data Retention

We retain personal data for as long as necessary for the purposes described in this policy, including to provide the service, comply with law, resolve disputes, and enforce agreements.

In the current product implementation:

  • account records are retained while the account is active and afterward as needed for legal, security, and recordkeeping purposes

  • session records are retained at least until session expiry and may be retained longer where needed for security or auditing

  • invitation links expire after 7 days; invitation records may remain until accepted, rejected, canceled, removed, or no longer needed

  • support requests are currently sent by email and may be retained in support mailboxes as long as needed to handle the issue and keep appropriate records

  • transactional email records may be retained as long as needed for delivery, security, and audit purposes

  • page deletions first move content to trash

  • in the current backend plan configuration, trashed pages are automatically and permanently deleted after 14 days on the Free plan and 60 days on the Scale plan

  • media does not have a separate trash flow; deleting media is intended to remove it promptly from the library, the storage workflow, and page references. Cached CDN copies may nonetheless persist for a limited time until the cache expires or a purge propagates to all edge locations

  • billing and subscription records may be retained for accounting, tax, fraud-prevention, and legal compliance periods

  • AI provider keys remain stored until a customer replaces or deletes them

Retention may be longer where required by law, needed to preserve evidence, or necessary to establish, exercise, or defend legal claims. Limited backup copies may also persist for a reasonable period until they are overwritten or expire under normal backup cycles.

11. Cookies and Similar Technologies

We use cookies and browser-side storage primarily to:

  • keep you signed in

  • maintain secure session state

  • remember UI preferences

  • preserve application state such as sidebar position or theme

  • support smooth app behavior such as scroll restoration

Some of these technologies are cookies, while others rely on browser local storage or session storage. In the current product, they are used primarily for authentication, security, essential product functionality, and user preferences rather than advertising.

If we later add analytics, marketing, or non-essential cookies, we will update this policy and, where required, obtain consent before using them.

12. Security

We use technical and organizational measures designed to protect personal data. In the current product design, those measures include:

  • authenticated access controls

  • organization, role, and permission boundaries

  • secure cookies in production environments

  • encrypted storage of customer-configured AI provider keys

  • infrastructure-layer controls for storage and content delivery

  • logging and error handling for operational and security monitoring

No system is perfectly secure, and we cannot guarantee absolute security.

You are responsible for:

  • keeping access to your email account secure

  • limiting workspace access to authorized users

  • using care when creating API keys

  • deciding what content and personal data you upload or publish

13. Your Rights

Depending on your location and applicable law, you may have the right to:

  • access the personal data we hold about you

  • correct inaccurate or incomplete personal data

  • delete personal data

  • restrict certain processing

  • object to certain processing

  • receive a portable copy of certain data

  • withdraw consent where processing is based on consent

  • complain to a supervisory authority or regulator

Paragraph CMS does not currently use solely automated decision-making that produces legal effects or similarly significant effects about you within the meaning of the GDPR.

If Paragraph processes data as a controller, you can send requests to [email protected].

If Paragraph processes data on behalf of one of our customers as a processor or service provider, we may direct your request to that customer or ask you to contact them directly.

We may need to verify your identity before completing a request.

14. Children

Paragraph CMS is primarily designed for business and professional use, but it may also be used by individual consumers. It is not directed to children, and we do not knowingly collect personal data from children in violation of applicable law.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in the service, our providers, our legal obligations, or our data practices.

If we make a material change, we will update the "Last updated" date and, where required, provide additional notice.

16. Contact Us

For privacy questions or requests, contact:

  • General support: [email protected]

  • Privacy contact: [email protected]

  • Controller name: BUGSPACE GRZEGORZ PIECHNIK

  • NIP: 5170424581

  • REGON: 521697638

  • Business address: ul. Aleksandra Dworskiego 40/5A, 37-700 Przemyśl, Podkarpackie, Poland

If you are in the EEA, UK, or another jurisdiction with a data protection regulator, you may also have the right to lodge a complaint with your local supervisory authority. If you are in Poland, you may complain to the President of the Personal Data Protection Office (UODO).