Security & Access Policy
Effective February 23, 2026 — Last updated March 2, 2026
1. Domain Access
Domain registration is handled in one of two ways: (a) Prompt & Pixel purchases and registers the domain on behalf of the Client as part of the project setup, with the domain cost quoted separately based on the Client's choice of domain name; or (b) the Client provides a domain they already own. Where Prompt & Pixel manages the domain, it is held under Prompt & Pixel's account for the duration of the service. If the Client requests full ownership transfer at any time, Prompt & Pixel will initiate the domain transfer and provide all necessary credentials. We will never withhold a domain that has been fully paid for. Where the Client owns their domain, they retain full control of the domain registrar account. Prompt & Pixel will provide the necessary DNS records to connect the domain to the hosted website, and the Client is responsible for applying those records and maintaining their domain registration.
2. Credential Handling
Prompt & Pixel manages all technical accounts — including hosting (Vercel), deployment, and email delivery (Resend) — under its own infrastructure. A dedicated Resend account is created and managed by Prompt & Pixel for each Client project to enable features such as contact forms, with domain verification configured so emails send from the Client's own domain. API keys, environment variables, and service credentials required to operate the Client's website are stored securely within Prompt & Pixel's hosting platform and are never shared publicly. The Client is not required to manage any technical credentials. If the Client requests full ownership transfer, Prompt & Pixel will transfer all relevant credentials and accounts — including the Resend account and Vercel project — to the Client.
3. Third-Party Account Setup — Base Build
Prompt & Pixel creates and manages all accounts required for the base project under its own infrastructure. This includes hosting via Vercel, email delivery via Resend, and domain registration where applicable. The Client does not need to create or manage any technical accounts for the base build. Upon full ownership transfer, all credentials and configurations — including Resend, Vercel, and analytics — are handed off to the Client at no additional charge. See Section 4 for enhancement-specific account requirements.
4. Enhancement-Specific Account Requirements
Certain optional enhancements require the Client to create and own their own third-party account. These accounts belong to the Client and cannot legally or practically be held by Prompt & Pixel. Affected enhancements: Booking Integration — Client creates and owns the booking platform account (e.g. Calendly, Acuity); Email Setup — Client owns the business email account (e.g. Google Workspace, Zoho Mail); Google Business Profile Setup — Client owns the Google account linked to their Business Profile; Analytics & Tracking — Client may optionally provide a Google account for long-term ownership, or Prompt & Pixel manages it and transfers access on request. Prompt & Pixel guides the Client through account creation for any of the above and handles all technical configuration thereafter. Prompt & Pixel is not responsible for subscription costs, terms changes, or platform downtime for Client-owned accounts.
5. Billing & Payment Information
No billing information, credit card numbers, or banking details are accessed, stored, or processed by Prompt & Pixel directly. All payments are handled through third-party payment processors with their own security and compliance standards.
6. Client Files & Assets
Client files and assets are stored securely and used only for the project they were provided for. For Clients with an active hosting plan, project files are retained for the duration of the hosting period. For Clients no longer on an active hosting plan, project files are removed from our systems within ninety (90) days, unless otherwise agreed upon in writing.
7. Data Transfer & Encryption
We use industry-standard encryption (SSL/TLS) for all data transfers. All websites built by Prompt & Pixel are deployed with HTTPS enabled by default.
8. Hosting & Deployment
Client websites are hosted on Prompt & Pixel's Vercel account. Where Prompt & Pixel manages the domain, it is purchased, registered, and renewed by Prompt & Pixel on behalf of the Client. Where the Client owns their domain, the Client is responsible for domain renewal and DNS configuration. Prompt & Pixel manages deployments, environment variables, and hosting infrastructure. A yearly hosting fee applies to keep the website live. Where Prompt & Pixel manages the domain, it will not allow the domain to expire without first notifying the Client and providing reasonable opportunity to transfer it. The Client does not need a Vercel account or any technical knowledge to maintain their site. If the Client requests full ownership transfer, Prompt & Pixel will provide the complete source code, assist with domain transfer (where applicable), and support redeployment to the Client's own hosting environment.
9. Third-Party Tools
Prompt & Pixel uses third-party services including Vercel (hosting and deployment), Resend (email delivery), Supabase (database infrastructure), and Google Analytics / Google Search Console (optional analytics, where requested). All third-party tools are vetted for security and compliance. Prompt & Pixel is not liable for the security practices of third-party platforms.
10. Client Rights
The Client may at any time: request a full list of what data Prompt & Pixel holds (including any phone number on file); request deletion of all files and data after project completion; revoke any access permissions with no questions asked; or request that any access-related steps be completed together over a screen-share call.
11. Breach Notification
In the event of a breach of security safeguards involving personal information under our control, Prompt & Pixel will notify affected individuals and, where required, the Information and Privacy Commissioner of Alberta, without unreasonable delay and in accordance with PIPA. Notification will include a description of the breach, the type of personal information involved, and steps being taken to mitigate the risk.
12. Governing Law
This Security & Access Policy is governed by the laws of Alberta, Canada, including the Personal Information Protection Act (PIPA).
13. Changes
Prompt & Pixel may update this policy periodically. The updated version will be posted on our website with a revised effective date.
14. Contact
For any security or access-related concerns, contact Prompt & Pixel at hello@promptandpixel.ca. If you ever feel unsure about any step, we can complete the setup together so you remain fully in control.