saas-starter

Legal · Privacy

Privacy policy

How the operator of this service collects, uses, retains, and protects personal data about you.

Last updated: placeholder

Placeholder content

Replace with your reviewed privacy policy before going live. The structure is scaffolded; the body copy inside each section is the part a lawyer fills in.

01Who we are

This policy describes how the operator of this service ("we") processes personal data relating to you ("you"). Contact details for privacy questions live at the bottom of this page.

02What data we collect

  • Account data — email, name, password hash, authentication factors (2FA, OAuth identifiers).
  • Billing data (if you subscribe) — Stripe customer id, plan, invoice metadata.
  • Usage data — audit log entries for security-sensitive actions you take.
  • Telemetry — pseudonymous traces and metrics scrubbed of identifying attributes before export.

03Why we process it

  • To provide the service you signed up for (contract).
  • To meet legal obligations such as tax-law invoice retention.
  • With your consent, to send marketing emails — revocable at any time without affecting transactional messages.
  • For our legitimate interest in keeping the service secure and operable (audit log, telemetry).

04Who we share it with

Personal data may flow to the subprocessors we use to operate the service — for example our payment processor and our email provider. The current list and the safeguards in place for international transfers are published as part of our subprocessor register.

05How long we keep it

Different categories have different retention. Active account data is kept while your account exists; billing records are retained for tax-law periods after closure; the audit log is retained for two years; transient artefacts (verification links, password resets, marketing-list pre-launch entries) are kept only as long as needed.

06Your rights

You can access, rectify, export, restrict, or erase your personal data, and you can object to processing based on legitimate interest. Submit a request from your account settings or by emailing the contact below; we respond within one month.

07Cookies and similar technologies

We use strictly necessary cookies to keep you signed in and remember your preferences (locale, theme). Analytics and marketing cookies fire only after you grant consent in the cookie banner.

08Security

We encrypt data in transit (TLS) and at rest, isolate tenants in the application layer, and follow a documented incident-response runbook with a 72-hour notification clock.

09Contact

For privacy questions or to exercise a right above, contact privacy@example.com. If you believe we've mishandled your data you can complain to your local supervisory authority.

Last updated: replace with the date this policy is reviewed before publishing.