Legal
Privacy
Last updated: June 12, 2026
1. Who We Are
This Privacy Policy explains how Paragraph CMS ("Paragraph", "we", "us", or "our") collects, uses, discloses, and protects personal data when you use:
paragraphcms.com
app.paragraphcms.com
api.paragraphcms.com
cdn.paragraphcms.com
related product, support, billing, and documentation pages that we control
Data controller:
Legal name: BUGSPACE GRZEGORZ PIECHNIK
Business form: sole proprietor registered in Poland
NIP: 5170424581
REGON: 521697638
Business address: ul. Aleksandra Dworskiego 40/5A, 37-700 Przemyśl, Podkarpackie, Poland
Contact email: [email protected]
Privacy contact: [email protected]
If you are using Paragraph CMS through an organization, company, client, employer, or other workspace owner, that organization may separately control some of the personal data stored in the workspace. Section 2 explains this role split.
2. Scope and Roles
Paragraph CMS is a multi-tenant SaaS CMS. Because of that, our privacy role depends on the type of data involved.
Paragraph acts as a controller for:
account creation and authentication data
organization membership and access-control data
billing and subscription administration data
support communications sent to us
service security, abuse prevention, audit, and operational logs
product preference data such as UI state, selected theme, and similar service settings
Paragraph generally acts as a processor or service provider for customer workspace content, meaning data a customer chooses to store, upload, edit, publish, or expose through Paragraph CMS, including:
page content
structured fields
media uploads
labels, statuses, and workflow metadata
content history and collaboration records
personal data that a customer includes inside CMS content
Customers remain responsible for determining whether they have a lawful basis to collect, upload, use, and publish personal data through Paragraph CMS and for providing any notices required to their own users, employees, contractors, or site visitors.
If you are a person mentioned in content stored by one of our customers, you should contact that customer first. We may need to forward your request to the relevant customer or act only on their instructions, unless law requires otherwise.
3. Categories of Personal Data We Process
3.1 Account and authentication data
We process:
email address
name
profile image or avatar, if provided
email verification status
one-time login code verification records
session identifiers and session expiry data
active organization and active team selections
IP address and user agent associated with sessions
Paragraph currently uses email-based one-time passcode authentication. We do not operate a password-based login flow in the current application code.
3.2 Organization and workspace administration data
We process:
organization name
organization slug
organization logo
organization plan, billing cycle, locale settings, trial status, and subscription status
membership records
team assignments
custom roles and permissions
invitation records, including invitee email, inviter, role, team, status, and expiry
3.3 Content and media data
We process data that users or customers choose to store in the CMS, including:
page titles
page body content
structured content fields
SEO metadata
language and translation records
publish dates
author and reviewer assignments
labels and statuses
uploaded images
media file names, alt text, MIME type, file size, dimensions, and related metadata
page history and activity log entries, including actor and change details
If you store personal data inside CMS content, structured fields, or media, that data will be processed as part of operating the service.
3.4 API and developer access data
We process:
API key metadata such as name, creation time, rate-limit configuration, request counters, and last request time
API key material necessary to authenticate API requests
request metadata needed to operate and protect the public API
3.5 Billing and subscription data
We process billing-related metadata such as:
customer ID
subscription ID
product or plan information
billing cycle
subscription state
number of paid locales
trial end date
We do not store full payment card details in the current Paragraph CMS codebase. Checkout and billing portal flows are handled by Polar and its payment partners.
3.6 Support and service communication data
We process:
support request type
support request description
your email address
your user ID
your name, if available
transactional emails such as login codes and organization invitations
onboarding follow-up emails sent after signup
3.7 AI and AI-provider data
If you use AI features, we may process:
prompts
selected text
page title and content context
translation text
SEO generation inputs
chosen AI model
provider API keys that you configure for your organization
Custom AI provider keys are stored in encrypted form in the current application code.
3.8 Technical, device, and usage data
We and our infrastructure providers may process technical and operational data such as:
IP address
user agent
timestamps
request path and method
error logs
service diagnostics
security and abuse-prevention signals
3.9 Browser storage, cookies, and similar technologies
The current application uses cookies and browser storage mainly for service operation and preferences, including:
authentication cookies
a sidebar state cookie
local storage for theme preference
local storage for onboarding dialog dismissal state
local storage for dismissed in-app news items
local storage for selected AI model
session storage for scroll restoration
We do not describe any advertising cookie program here because the current application code does not implement third-party behavioral advertising cookies.
4. Sources of Personal Data
We collect personal data:
directly from you when you sign in, create or edit a profile, upload content, use AI tools, submit support requests, or manage a workspace
from other users in your organization, for example when they invite you to join a workspace
automatically from your device and browser when you access the service
from billing providers when a subscription, checkout, refund, or customer portal event is processed
from AI providers when necessary to return generated output or usage metadata
5. How We Use Personal Data and Our Legal Bases
Where the GDPR or similar laws apply, we rely on one or more of the following legal bases: performance of a contract, legitimate interests, legal obligation, and, where required, consent.
We use personal data for the following purposes:
| Purpose | Examples of data used | Legal basis |
| --- | --- | --- |
| Provide the service | account data, organization data, content, media, API keys, session data | performance of a contract |
| Authenticate users and manage access | email, OTP records, sessions, IP address, user agent, memberships, roles | performance of a contract; legitimate interests in security |
| Enable collaboration features | invites, member records, author/reviewer assignments, activity logs | performance of a contract; legitimate interests |
| Host, store, transform, and deliver content and media | page content, media uploads, metadata, CDN delivery data | performance of a contract |
| Process billing and subscription administration | customer IDs, subscription status, plan, billing cycle, locale count | performance of a contract; legal obligation; legitimate interests |
| Operate AI features | prompts, text selections, page context, model choice, provider key configuration | performance of a contract; legitimate interests in delivering requested features |
| Meter built-in AI usage and enforce plan limits | organization ID, customer ID, model, token usage, cost metrics | performance of a contract; legitimate interests |
| Send transactional and service messages | login codes, invitations, support replies, onboarding follow-up | performance of a contract; legitimate interests |
| Maintain security, prevent abuse, and debug incidents | IP address, user agent, logs, error events, session data | legitimate interests; legal obligation where applicable |
| Comply with law, enforce terms, and resolve disputes | any relevant records | legal obligation; legitimate interests |
Some personal data is required so that we can create your account, authenticate you, provide organization access, process support requests, or deliver paid features. If you do not provide required data, we may be unable to provide some or all of the service. Other data, such as profile images, certain workspace content, or optional support details, is provided at your discretion.
We do not use your account data for third-party behavioral advertising.
6. AI-Specific Disclosures
Paragraph CMS includes AI-assisted features for:
full page content generation
editor text improvement
SEO title and meta description generation
translation and re-translation
organization-level AI provider key management
6.1 Customer-configured AI providers
Customers may configure their own AI provider keys for one or more of the following providers:
OpenAI
Anthropic
Google AI
xAI
Groq
DeepSeek
If you use a customer-configured AI model, the content you submit to that feature may be sent to the selected provider to generate the requested output.
6.2 Built-in Paragraph AI
Paragraph also includes built-in AI functionality that, in the current codebase, uses OpenAI for certain Paragraph-managed flows. If you use those features, relevant prompts, text, and content context may be sent to OpenAI.
6.3 Web search inside page-content generation
In the current implementation, full page content generation requires an OpenAI model and has web browsing enabled by design. That means the system may use your prompt and page context to search the public web before producing a draft. If you use that feature, you should not submit confidential third-party material unless you are comfortable with it being used in that AI workflow.
6.4 AI usage metering
For Paragraph-managed AI usage, the system currently sends token, model, provider, and cost-related usage metadata to Polar to meter AI credit consumption and billing-related usage events.
6.5 Sensitive data warning
Unless you have independently assessed the legal and operational risk, do not use Paragraph CMS AI features for special categories of personal data, health data, biometric data, government IDs, financial account secrets, or other highly sensitive information.
7. When Data May Become Public
Paragraph CMS is designed to help customers publish content. As a result:
page content may be exposed through the API
media may be served through public CDN URLs
published assets may be cached at the edge
metadata such as titles, slugs, and alt text may become public if customers publish or expose them
Customers are responsible for deciding what content they publish. If you are a customer, do not place personal data into public fields or public media unless you intend that information to be public.
8. How We Share Personal Data
We may share personal data with the following categories of recipients:
hosting and infrastructure providers
database and storage providers
CDN and edge delivery providers
email delivery providers
billing, subscription, and customer-portal providers
AI model providers selected by Paragraph or by the customer
security, compliance, legal, and professional advisers where necessary
authorities, courts, regulators, or law enforcement where required by law or needed to protect rights and safety
a buyer, investor, or successor in connection with a merger, acquisition, financing, or asset sale, subject to appropriate confidentiality and lawful-transfer requirements
Based on the current product implementation, the key service providers involved may include:
Cloudflare, including Workers, R2 or compatible object storage, email delivery bindings, and CDN or edge delivery
Polar for checkout, subscriptions, billing portal access, subscription webhooks, and built-in AI usage metering
OpenAI for Paragraph-managed AI features
other AI providers configured by customers, such as Anthropic, Google AI, xAI, Groq, and DeepSeek
We share data only to the extent reasonably necessary to operate the service, comply with law, or protect the service and its users.
9. International Data Transfers
Because Paragraph CMS uses cloud infrastructure and third-party providers, personal data may be processed outside the country where you are located, including outside the EEA, UK, or Switzerland.
When required by law, we rely on appropriate safeguards for international transfers, which may include:
adequacy decisions
standard contractual clauses
additional contractual, technical, or organizational safeguards
Depending on the provider, destination country, and transfer path, we may also rely on another lawful transfer mechanism available under applicable law at the relevant time.
10. Data Retention
We retain personal data for as long as necessary for the purposes described in this policy, including to provide the service, comply with law, resolve disputes, and enforce agreements.
In the current product implementation:
account records are retained while the account is active and afterward as needed for legal, security, and recordkeeping purposes
session records are retained at least until session expiry and may be retained longer where needed for security or auditing
invitation links expire after 7 days; invitation records may remain until accepted, rejected, canceled, removed, or no longer needed
support requests are currently sent by email and may be retained in support mailboxes as long as needed to handle the issue and keep appropriate records
transactional email records may be retained as long as needed for delivery, security, and audit purposes
page deletions first move content to trash
in the current backend plan configuration, trashed pages are automatically and permanently deleted after 14 days on the Free plan and 60 days on the Scale plan
media does not have a separate trash flow; if media is deleted, deletion is intended to remove it promptly from the library, storage workflow, and page references, although cached CDN copies may persist for a limited time until cache expiry or purge propagation completes
billing and subscription records may be retained for accounting, tax, fraud-prevention, and legal compliance periods
AI provider keys remain stored until a customer replaces or deletes them
Retention may be longer where required by law, needed to preserve evidence, or necessary to establish, exercise, or defend legal claims. Limited backup copies may also persist for a reasonable period until they are overwritten or expire under normal backup cycles.
11. Cookies and Similar Technologies
We use cookies and browser-side storage primarily to:
keep you signed in
maintain secure session state
remember UI preferences
preserve application state such as sidebar position or theme
support smooth app behavior such as scroll restoration
Some of these technologies are cookies, while others rely on browser local storage or session storage. In the current product, they are used primarily for authentication, security, essential product functionality, and user preferences rather than advertising.
If we later add analytics, marketing, or non-essential cookies, we will update this policy and, where required, obtain consent before using them.
12. Security
We use technical and organizational measures designed to protect personal data. In the current product design, those measures include:
authenticated access controls
organization, role, and permission boundaries
secure cookies in production environments
encrypted storage of customer-configured AI provider keys
infrastructure-layer controls for storage and content delivery
logging and error handling for operational and security monitoring
No system is perfectly secure, and we cannot guarantee absolute security.
You are responsible for:
keeping access to your email account secure
limiting workspace access to authorized users
using care when creating API keys
deciding what content and personal data you upload or publish
13. Your Rights
Depending on your location and applicable law, you may have the right to:
access the personal data we hold about you
correct inaccurate or incomplete personal data
delete personal data
restrict certain processing
object to certain processing
receive a portable copy of certain data
withdraw consent where processing is based on consent
complain to a supervisory authority or regulator
Paragraph CMS does not currently use solely automated decision-making that produces legal effects or similarly significant effects about you within the meaning of the GDPR.
If Paragraph processes data as a controller, you can send requests to [email protected].
If Paragraph processes data on behalf of one of our customers as a processor or service provider, we may direct your request to that customer or ask you to contact them directly.
We may need to verify your identity before completing a request.
14. Children
Paragraph CMS is primarily designed for business and professional use, but it may also be used by individual consumers. It is not directed to children, and we do not knowingly collect personal data from children in violation of applicable law.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in the service, our providers, our legal obligations, or our data practices.
If we make a material change, we will update the "Last updated" date and, where required, provide additional notice.
16. Contact Us
For privacy questions or requests, contact:
General support: [email protected]
Privacy contact: [email protected]
Controller name: BUGSPACE GRZEGORZ PIECHNIK
NIP: 5170424581
REGON: 521697638
Business address: ul. Aleksandra Dworskiego 40/5A, 37-700 Przemyśl, Podkarpackie, Poland
If you are in the EEA, UK, or another jurisdiction with a data protection regulator, you may also have the right to lodge a complaint with your local supervisory authority. If you are in Poland, you may complain to the President of the Personal Data Protection Office (UODO).