Privacy Policy
Effective date: 24 March 2026
1. Who We Are
CMS One (“we”, “us”, or “our”) operates a multi-tenant SaaS content management platform (“the Service”). This Privacy Policy describes how we collect, use, store, and protect personal information when you use the Service.
If you have any questions about this policy or how your personal data is handled, please contact us at privacy@cmsone.app.
2. What Is CMS One?
CMS One is a multi-tenant SaaS platform designed for individuals and teams who want to build and manage blogs, portfolios, and websites. Each registered user receives a personal workspace where they can manage multiple sites, invite collaborators, and publish content.
The Service is publicly accessible to anyone who registers. Workspace owners (admins) have full control over their workspace data, team members, and configuration.
3. Personal Data We Collect
We collect and process the following categories of personal data when you use the Service:
Account & Identity Data
Your name, email address, and profile picture. Collected when you register directly or sign in via an OAuth provider (Google, GitHub, or Microsoft).
Authentication & Session Data
Encrypted session tokens, login timestamps, and IP address. Used to maintain your authenticated session and protect against unauthorised access.
Workspace & Content Data
Blog posts, portfolio entries, media files, categories, tags, and other content you create or upload within your workspace. This data belongs to you.
Usage & Activity Logs
Records of actions taken within the Service, such as publishing content, managing team members, and configuring settings. Retained for security and operational purposes.
Team & Collaboration Data
Email addresses and role assignments for team members you invite to your workspace. Invited users are notified and must accept the invitation before gaining access.
API & Integration Data
API key usage logs and webhook event records generated when you use the CMS One API or configure third-party integrations.
4. How We Use Your Data
We use the data we collect to:
- Create and manage your account and workspace
- Authenticate your identity and maintain secure sessions
- Store and deliver your content across your websites and domains
- Enable team collaboration within your workspace
- Send transactional emails (account verification, password reset, team invitations)
- Process and deliver webhook events to your configured endpoints
- Provide API access to your workspace content
- Detect and respond to security incidents or misuse of the Service
- Improve the reliability, performance, and features of the Service
5. Legal Bases for Processing
We process your personal data on the following legal bases:
Performance of a Contract
Processing your account and workspace data is necessary to provide the Service you have signed up for.
Legitimate Interests
We process activity logs, security events, and usage data to maintain platform security, prevent abuse, and improve the Service. We balance this against your privacy rights.
Consent
Where we send optional communications (such as product updates or newsletters), we do so only with your consent, which you may withdraw at any time.
Legal Obligation
We may retain certain data to comply with applicable laws, regulations, or lawful requests from competent authorities.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data (name, email) | While your account is active + 30 days after deletion |
| Session tokens | Access token: 15 minutes; Refresh token: 7 days |
| Workspace content (posts, media) | Retained until you delete it or close your account |
| Activity & security logs | Rolling 90 days |
| Billing & payment records | 7 years (legal requirement) |
| Webhook & API logs | 30 days |
7. Who We Share Your Data With
We do not sell or share your personal data with third parties for marketing or advertising purposes. We may share data with:
- OAuth providers (Google, GitHub, Microsoft) solely to authenticate your identity — governed by their respective privacy policies
- Cloud infrastructure and hosting providers acting as data processors under signed data processing agreements
- Email delivery services used to send transactional emails (account verification, invitations, password resets)
- Payment processors to handle subscription billing — we do not store payment card details
- Law enforcement or regulatory authorities where we are legally required to disclose information
8. International Data Transfers
Your data may be stored and processed in data centres located in the United States, the European Union, or other regions depending on your selected infrastructure. Where data is transferred internationally, we ensure appropriate safeguards are in place (such as Standard Contractual Clauses) to protect your data in accordance with applicable privacy law.
9. Security
We implement appropriate technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction. These include:
- Encrypted data transmission using TLS (HTTPS) for all Service communications
- Encrypted storage at rest for sensitive account and content data
- Role-based access control (RBAC) limiting data access within workspaces
- Short-lived authentication tokens (access tokens expire in 15 minutes)
- Bcrypt password hashing with a minimum of 10 rounds
- Comprehensive security logging and monitoring
10. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
Right of Access
You may request a copy of the personal data we hold about you. Contact us at privacy@cmsone.app.
Right to Rectification
You may update or correct your account information at any time from your profile settings.
Right to Erasure
You may delete your account and workspace data at any time from your account settings. Residual copies in backups are removed within 30 days.
Right to Restriction of Processing
You may ask us to pause processing your personal data in certain circumstances.
Right to Data Portability
You may export your workspace content (posts, media, settings) at any time from your workspace settings.
Right to Object
You may object to processing based on our legitimate interests. We will assess your objection and respond promptly.
Right to Withdraw Consent
Where processing is based on your consent (e.g. marketing emails), you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at privacy@cmsone.app. We will respond within 30 days of receiving a valid request.
11. Cookies & Session Storage
CMS One uses session cookies and browser storage exclusively for authentication and security purposes (session tokens). We do not use advertising, analytical, or third-party tracking cookies.
Session tokens expire automatically: access tokens after 15 minutes and refresh tokens after 7 days. You can end your session at any time by signing out of the Service.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The “Effective date” at the top of this page indicates when the current version was last updated. We will notify you of material changes via email or through the Service before they take effect.
13. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us at:
CMS One — Privacy
Email: privacy@cmsone.app
This policy should be read alongside our Terms of Service.