Privacy Policy
Last updated: March 21, 2026
Introduction
DataSaaS is a privacy-conscious web analytics platform that helps website owners understand their traffic and revenue without compromising visitor privacy. This Privacy Policy explains how we collect, use, and protect data for two distinct groups:
- Dashboard users — customers who sign up for a DataSaaS account to track their websites.
- Tracked website visitors — people who visit websites that use the DataSaaS tracking script.
We believe in minimal data collection, transparency, and giving you full control over your data. We never sell your data — never have, never will.
Data We Collect: Dashboard Users
When you create a DataSaaS account, we collect the following information to operate the Service:
- Account information — your email address and name, managed via Supabase Authentication.
- Billing information — payment details are handled securely by Stripe. We store your plan type and subscription status but never your full card number.
- Usage data — which dashboards you view, settings you configure, and features you use within the DataSaaS platform.
Legal basis (GDPR): Contract — we need this data to provide you with the Service.
Data We Collect: Tracked Website Visitors
When the DataSaaS tracking script runs on a customer's website, we collect the following non-personally-identifiable data points:
What we collect
- Page URL and pathname
- Referrer URL
- Page title
- Browser name and version
- Operating system and version
- Device type (desktop, mobile, tablet)
- Screen width
- Browser language
- Country, region, and city (resolved from IP address — the IP address itself is not stored)
- UTM parameters (source, medium, campaign, term, content)
- Advertising click IDs (gclid, fbclid, etc.) for ad attribution
- Custom event names and metadata (only when explicitly configured by the website owner)
- Session data: entry/exit pages, session duration, bounce status
Cookies we set
The DataSaaS tracking script sets two first-party cookies on the tracked website's domain:
| Cookie name | Purpose | Duration |
|---|---|---|
| datasaas_visitor_id | Random UUID to identify returning visitors across sessions | 1 year |
| datasaas_session_id | Random UUID to group page views into a single session | 30 minutes (rolling) |
These cookies contain randomly generated identifiers only — no personal information is stored in them.
What we do NOT collect
- IP addresses — discarded immediately after geolocation lookup
- Names, email addresses, or any form of PII
- Form inputs, keystrokes, or passwords
- Mouse movements, clicks, or scroll recordings
- Screenshots or session replays
- Cross-site tracking data
How We Use Your Data
Dashboard users
- To provide, maintain, and improve the DataSaaS Service.
- To process payments and manage your subscription.
- To send account-related communications (billing confirmations, service updates, security alerts).
Tracked website visitors
- To generate aggregate analytics reports for our customers' dashboards.
- To provide traffic, referrer, geography, and device breakdowns.
We never use tracked visitor data for advertising, profiling, behavioral targeting, or cross-site tracking. Your visitors are your visitors — not our product.
Cookies & Tracking Technologies
On tracked websites: DataSaaS sets two first-party cookies as described above (datasaas_visitor_id and datasaas_session_id). No third-party advertising cookies are set.
On datasaas.com: We use our own DataSaaS tracking to monitor our marketing site performance (we eat our own dog food). The same privacy-first practices apply.
We do not use any third-party tracking scripts, advertising pixels, or social media trackers on the DataSaaS website or within the dashboard.
Data Sharing & Third Parties
We do not sell, rent, or trade your data to anyone. We share data only with the sub-processors listed below, strictly as necessary to operate the Service. We may disclose data if required by law, court order, or governmental authority.
Sub-processors
We use the following third-party services to operate DataSaaS. Each sub-processor has a data processing agreement in place:
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase (AWS) | Database, authentication | All analytics data, account data | US |
| Vercel | Hosting, CDN, serverless functions | Request data (transient) | Global edge |
| Stripe | Payment processing | Billing information | US |
| MaxMind | IP geolocation | IP addresses (transient, not stored) | US |
We will notify customers at least 30 days before adding new sub-processors. See our Data Processing Agreement for details.
Data Retention
- Dashboard user accounts: retained while your account is active. Permanently deleted within 30 days of account deletion.
- Analytics data (Starter plan): retained for up to 3 years.
- Analytics data (Growth plan): retained for up to 5+ years.
- After retention period: data is automatically and irreversibly purged.
You may request earlier deletion of your analytics data at any time by contacting us or deleting your account.
Your Rights
For dashboard users (GDPR — EEA/UK residents)
You have the right to:
- Access your personal data and receive a copy.
- Rectify inaccurate or incomplete data.
- Erase your personal data ("right to be forgotten").
- Restrict processing of your data.
- Data portability — receive your data in a structured, machine-readable format.
- Object to processing based on legitimate interest.
- Lodge a complaint with your national data protection authority.
To exercise any of these rights, contact us at legal@datasaas.com. We will respond within 30 days.
For tracked website visitors
If you are a visitor to a website that uses DataSaaS, the website owner is the data controller. Please contact the website owner directly to exercise your data rights. They can then work with us to fulfill your request.
International Data Transfers
Your data may be transferred to and processed in the United States (where Supabase, Vercel, and Stripe operate). These transfers are protected by:
- Standard Contractual Clauses (SCCs) as approved by the European Commission.
- Data processing agreements with each sub-processor.
- Appropriate technical and organizational safeguards.
For more details, see our Data Processing Agreement.
Security
We take the security of your data seriously and implement the following measures:
- Encryption in transit — all data is transmitted over TLS (HTTPS).
- Encryption at rest — database storage is encrypted via Supabase/AWS.
- Row Level Security (RLS) — Supabase enforces strict data isolation between customer accounts at the database level.
- Access controls — employee access to customer data is restricted and logged.
- No plaintext IP storage — IP addresses are used transiently for geolocation and immediately discarded.
Children's Privacy
DataSaaS is not directed at children under the age of 16. We do not knowingly collect personal data from children. If a website owner uses DataSaaS on a website directed at children, they are responsible for ensuring compliance with applicable laws, including COPPA and GDPR provisions for minors.
California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
- Right to know what personal information is collected and how it is used.
- Right to delete your personal information.
- Right to opt out of the sale of personal information — DataSaaS does not sell personal information.
- Right to non-discrimination for exercising your privacy rights.
For tracked website visitors: DataSaaS acts as a "service provider" under CCPA. Please direct your requests to the website owner (the "business").
Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. For material changes, we will notify dashboard users via email.
Contact
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
- Email: legal@datasaas.com
- Address: [Your Company Address]