# Privacy Policy (v3.0, older version)
_Last updated: March 18, 2025_
Saaspolicy ("we", "us") provides privacy policy hosting for SaaS operators. Notice published under GDPR Arts 13-14, CCPA §1798.130, and the 19 US state comprehensive privacy laws tracked by IAPP (CA, CO, CT, VA, UT, TX, OR, MT, IA, IN, TN, FL, DE, NJ, NH, MN, MD, RI, KY).
## 1. Controller
Saaspolicy Ltd., Delaware. EU rep: PrivacyRep BV, Amsterdam.
## 2. Categories of personal data
(a) account identifiers, (b) workspace metadata, (c) usage telemetry (IP address truncated to /24, user agent), (d) strictly-necessary cookies, (e) AI-assist prompts (opt-in).
## 3. AI / model training
Customer text is **never** used to train third-party LLMs. AI assist runs on Anthropic Claude under a zero-retention DPA; prompts purged within 24 hours.
## 4. Purposes and legal basis
- Service provision — Art 6(1)(b)
- Security — Art 6(1)(f)
- Billing — Art 6(1)(c)
- AI assist — Art 6(1)(a) explicit consent
## 5. Sub-processors
Live list at /subprocessors with 30-day change notice. Core: Stripe, AWS us-east-1, Sentry, Postmark, Anthropic.
## 6. International transfers
Transfer mechanisms: EU-US Data Privacy Framework and the 2021 SCCs. Supplementary measure: AES-256-GCM encryption.
## 7. Retention
Account: lifetime + 30 days. Logs: 12 months. AI prompts: 24 hours. Backups: 35 days.
## 8. DSAR (Data Subject Access Request) portal
Submit access, deletion, correction, opt-out, and limit-sensitive-PI requests at https://saaspolicy.com/privacy/dsar. We respond within 30 days (EEA) / 45 days (US states), as required by law.
## 9. State-specific rights
- California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Indiana (INCDPA), Tennessee (TIPA), Florida (FDBR), Delaware (DPDPA), New Jersey (NJDPA), New Hampshire (NHPA), Minnesota (MCDPA), Maryland (MODPA), Rhode Island (RIDTPPA), Kentucky (KCDPA).
- Each grants rights of access, deletion, correction, and opt-out of targeted advertising / sale / profiling. We do not sell or share personal information for cross-context behavioral advertising.
## 10. Children
Not directed at users under 16. Florida and Maryland minor-specific rules: no profiling of known minors.
## 11. Changes
RSS + email + banner, 14 days minimum; 30 days for material changes affecting US state-law rights.
# Privacy Policy (v3.7, newer version)
_Last updated: May 6, 2026_
Saaspolicy ("we", "us") provides privacy policy hosting for SaaS operators. Published under GDPR Arts 13-14, CCPA §1798.130, and 19 US state comprehensive privacy laws (IAPP tracker, May 2026).
## 1. Controller
Saaspolicy Ltd., Delaware C-corp (file 7421988). EU rep under GDPR Art 27: PrivacyRep BV, Herengracht 282, Amsterdam (privacy-rep@saaspolicy.com).
## 2. Categories of personal data
(a) account identifiers (email, hashed password, OAuth subject), (b) workspace metadata (org name, plan, seats), (c) usage telemetry (feature events, IP address truncated to /24, user agent, language), (d) strictly-necessary cookies, (e) AI-assist prompts (opt-in).
## 3. AI / model training
Customer policy text is **never** used to train third-party LLMs. AI assist runs on Anthropic Claude under a zero-retention DPA (purge within 24 hours). We do not deploy fingerprinting, behavioral scoring, or automated decision-making with legal effects.
## 4. Purposes and legal basis
- Service provision — Art 6(1)(b)
- Security and fraud prevention — Art 6(1)(f); see breach SLA in §10
- Billing — Art 6(1)(c)
- AI assist — Art 6(1)(a) consent, revocable in /settings/ai
## 5. Sub-processors
Live list at /subprocessors with 30-day change notice and RSS feed. Core: Stripe (payments, US), AWS us-east-1 (hosting, US), Sentry (errors, US), Postmark (transactional email, US), Anthropic (AI assist, US, opt-in).
## 6. International transfers
Transfer mechanisms: EU-US DPF (active certification of Stripe, AWS, Sentry, Postmark and Anthropic verified May 2026) and the 2021 SCCs, Module 2 (controller-to-processor) and Module 3 (processor-to-processor). Supplementary measures: AES-256-GCM at rest and TLS 1.3 in transit. Transfer impact assessments are refreshed annually, as required post-Schrems II.
## 7. Retention
Account data: lifetime + 30 days. Audit logs: 12 months. AI prompt bodies: 24 hours. Backups: 35 days rolling. Anonymized aggregates: indefinite.
## 8. DSAR portal
Portal: https://saaspolicy.com/privacy/dsar. Requests handled: access, deletion, correction, opt-out, limit-sensitive-PI, automated-decision review. SLA: 30 days EEA / 45 days US states; extendable once where law permits (by a further two months under GDPR Art 12(3), by a further 45 days under CCPA §1798.130(a)(2)).
## 9. State-specific rights (19 US states, IAPP May 2026)
CA, CO, CT, VA, UT, TX, OR, MT, IA, IN, TN, FL, DE, NJ, NH, MN, MD, RI, KY — each grants access/delete/correct/opt-out. We do not sell, share for cross-context advertising, or engage in targeted-ad profiling.
## 10. Security & breach SLA
We follow ISO 27001 controls and undergo an annual SOC 2 Type II audit. Confirmed personal-data breaches are notified to the supervisory authority within 72 hours of our becoming aware of them (GDPR Art 33) and to affected users without undue delay where the breach is likely to result in a high risk to them (Art 34). 2025 baseline: zero breaches notifiable under Art 33 (DLA Piper GDPR Fines Survey 2025 consulted for benchmarks).
## 11. Children
Not directed at users under 16. No profiling of known minors per Florida HB 3 (2024) and Maryland MODPA.
## 12. Changes
RSS + email + banner, 14 days minimum; 30 days for material changes that reduce user rights.
## 13. Contact
privacy@saaspolicy.com — DPO: dpo@saaspolicy.com — California requests: california@saaspolicy.com.