Privacy Policy | Web Agency as a Service

1. Information We Collect

1.1 Information You Provide

We collect information you provide directly to us:

Account Information: Name, email address, password (encrypted)
Profile Information: Optional profile picture and preferences
Workspace Information: Workspace name, settings, team member invitations
Form Data: Forms you create and submissions you receive
Payment Information: Processed securely through Stripe (we do not store card details)
Communications: Support requests, feedback, and correspondence

1.2 Automatically Collected Information

Usage Data: Pages visited, features used, time spent
Device Information: Browser type, operating system, IP address
Log Data: Access times, error logs, API requests
Cookies: Session management and preferences (see Cookie Policy below)

1.3 Information from Third Parties

Stripe: Payment processing and subscription status
OpenAI: AI processing requests (form submissions only)
Email Service: Email delivery status

2. How We Use Your Information

We use the information we collect to:

Provide, maintain, and improve our services
Process your transactions and manage subscriptions
Send you technical notices, updates, and security alerts
Respond to your comments, questions, and support requests
Monitor and analyze usage patterns to improve user experience
Detect, prevent, and address technical issues and fraud
Comply with legal obligations and enforce our Terms of Service
Send marketing communications (with your consent, opt-out available)

Legal Basis (GDPR): We process your data based on:

Contract performance (providing the service)
Consent (marketing communications)
Legitimate interests (service improvement, security)
Legal obligations (compliance, fraud prevention)

3. Information Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following circumstances:

3.1 Service Providers

We share data with trusted third-party service providers:

Stripe: Payment processing
OpenAI: AI form processing (opt-in only)
Upstash Redis: Session and cache management
Email Service: Transactional email delivery
Hosting Provider: Infrastructure and data storage

3.2 Legal Requirements

We may disclose your information if required by law, court order, or to protect our rights, safety, or the rights of others.

3.3 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

3.4 With Your Consent

We may share your information with third parties when you give us explicit consent.

4. Data Security

We implement industry-standard security measures to protect your information:

Encryption: All data in transit uses HTTPS/TLS encryption
Password Security: Passwords are hashed using bcrypt
Access Control: Role-based permissions and authentication
Security Headers: CSP, HSTS, X-Frame-Options implemented
Rate Limiting: Brute force protection on login attempts
Audit Logging: All admin actions are logged
Regular Updates: Security patches applied promptly

Important: No method of transmission over the Internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

5. Your Rights (GDPR & Privacy Laws)

You have the following rights regarding your personal data:

Access: Request a copy of your personal data
Rectification: Update or correct inaccurate information
Erasure (Right to be Forgotten): Request deletion of your data
Portability: Export your data in a structured format
Restriction: Limit how we process your data
Objection: Object to processing for marketing purposes
Withdraw Consent: Revoke consent for data processing
Lodge a Complaint: File a complaint with your data protection authority

To exercise these rights, contact us at privacy@yourdomain.com

6. Data Retention

We retain your information for as long as necessary to:

Provide our services
Comply with legal obligations
Resolve disputes
Enforce our agreements

Specific Retention Periods:

Account Data: Until account deletion + 30 days
Form Submissions: As long as workspace is active
Audit Logs: 2 years for security compliance
Payment Records: 7 years (legal requirement)
Backup Data: 30 days after deletion

7. Cookies and Tracking Technologies

We use cookies and similar technologies to:

Essential Cookies: Session management, authentication (required)
Preference Cookies: Remember your settings (optional)
Analytics Cookies: Understand usage patterns (optional, with consent)

You can control cookies through your browser settings. Disabling essential cookies may affect functionality.

8. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs)
Data Processing Agreements with service providers
Compliance with GDPR and applicable privacy laws

9. Children's Privacy

Our service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

Posting the new policy on this page
Updating the "Last updated" date
Sending you an email notification (for significant changes)

Your continued use of the service after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Email: privacy@yourdomain.com

Support: support@yourdomain.com

Data Protection Officer: dpo@yourdomain.com

Mailing Address:

Web Agency as a Service
[Your Company Address]
[City, State, ZIP]
[Country]