Privacy Policy

Your privacy is fundamental to our mission. Learn how we collect, use, and protect your personal information and business data with industry-leading privacy practices.

Last Updated: December 20, 2024

Privacy by Design

SaaScot is built with privacy as a fundamental principle. We collect only the minimum data necessary to provide our services and give you complete control over your information.

1. Overview

This Privacy Policy describes how SaaScot ("we," "our," or "us") collects, uses, and protects your personal information when you use our AI-powered SaaS backup and recovery platform.

We are committed to protecting your privacy and ensuring transparency in how we handle your data. This policy applies to all users of our services, including our website, mobile applications, and backup platform.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, company details, and authentication credentials
  • Payment Information: Billing address and payment details (processed securely by our payment processors)
  • Support Communications: Information you provide when contacting our support team
  • Configuration Data: Backup preferences, retention policies, and system configurations

2.2 Information We Collect Automatically

  • Usage Data: Service usage patterns, feature utilization, and performance metrics
  • Technical Data: IP addresses, browser types, device information, and access logs
  • Backup Metadata: File names, sizes, timestamps, and backup operation logs
  • Security Logs: Authentication attempts, access patterns, and security events

2.3 Your Business Data

As a backup service, we process and store your business data from connected SaaS applications. This may include:

  • Files, documents, and attachments from your SaaS applications
  • Email messages and calendar items
  • Database records and application configurations
  • User directories and permission structures

3. How We Use Your Information

3.1 Service Provision

  • Providing backup and recovery services for your SaaS applications
  • Maintaining and improving our platform performance
  • Providing customer support and technical assistance
  • Processing payments and managing your account

3.2 Security and Compliance

  • Detecting and preventing security threats and unauthorized access
  • Conducting security audits and compliance monitoring
  • Investigating and responding to security incidents
  • Meeting legal and regulatory requirements

3.3 Platform Improvement

  • Analyzing usage patterns to improve our services
  • Developing new features and capabilities
  • Optimizing backup performance and reliability
  • Training our AI systems for better threat detection

4. Information Sharing

We do not sell, rent, or trade your personal information. We may share information only in the following circumstances:

4.1 Service Providers

We work with trusted third-party service providers who assist us in delivering our services:

  • Cloud Infrastructure: AWS, Microsoft Azure, Google Cloud (with encryption and access controls)
  • Payment Processing: Stripe (for secure payment processing)
  • Monitoring Services: Performance and security monitoring tools
  • Support Tools: Customer support and communication platforms

4.2 Legal Requirements

We may disclose information when required by law or to protect our rights, including:

  • Responding to legal process, court orders, or government requests
  • Investigating potential violations of our terms of service
  • Protecting the security and integrity of our services
  • Protecting against fraud, abuse, or illegal activities

5. Data Protection & Security

5.1 Encryption

  • AES-256 encryption for all data at rest
  • TLS 1.3 encryption for all data in transit
  • Customer-managed encryption keys (CMEK) available
  • End-to-end encryption for sensitive operations

5.2 Access Controls

  • Multi-factor authentication for all user accounts
  • Role-based access control (RBAC) for team management
  • Regular access reviews and permission audits
  • Zero-trust architecture with continuous verification

5.3 Infrastructure Security

  • SOC 2 Type II certified security controls
  • 24/7 security monitoring and incident response
  • Regular penetration testing and vulnerability assessments
  • Immutable backup storage for ransomware protection

6. Data Retention

We retain your information for as long as necessary to provide our services and comply with legal obligations:

  • Account Data: Retained while your account is active and for 30 days after termination
  • Backup Data: Retained according to your configured retention policies
  • Usage Logs: Retained for 12 months for security and performance analysis
  • Financial Records: Retained for 7 years to comply with tax and financial regulations

7. Your Privacy Rights

7.1 Access and Control

  • Access: Request a copy of your personal information
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your personal information
  • Data Portability: Export your data in a structured format

7.2 GDPR Rights (EU Residents)

  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to object to processing
  • Right to lodge a complaint with supervisory authorities

7.3 CCPA Rights (California Residents)

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt out of the sale of personal information
  • Right to non-discrimination for exercising privacy rights

8. Cookies & Tracking

We use cookies and similar technologies to enhance your experience and analyze service usage:

  • Essential Cookies: Required for authentication and core functionality
  • Analytics Cookies: Help us understand usage patterns and improve performance
  • Preference Cookies: Remember your settings and preferences

You can control cookie preferences through your browser settings. Disabling essential cookies may affect service functionality.

9. Regulatory Compliance

SaaScot is designed to help you maintain compliance with major data protection regulations:

  • GDPR: Full compliance with EU data protection requirements
  • CCPA: California Consumer Privacy Act compliance
  • HIPAA: Healthcare data protection capabilities
  • SOC 2: Annual third-party security and availability audits
  • ISO 27001: Information security management standards

10. International Data Transfers

Your data may be processed in countries other than your own. We ensure appropriate safeguards through:

  • Standard Contractual Clauses (SCCs) for EU data transfers
  • Data Processing Agreements with all third-party processors
  • Geographic data residency controls where required
  • Adequacy decisions and certification mechanisms

11. Children's Privacy

Our services are not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If we learn that we have collected information from a child under 16, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify you of material changes by:

  • Posting the updated policy on our website
  • Sending email notifications to registered users
  • Displaying notices within our platform
  • Providing 30 days' notice for material changes

Questions About Privacy?

If you have questions about this Privacy Policy or how we handle your data, please contact us:

Email: privacy@saascot.com
Address: SaaScot Privacy Officer
123 Data Protection Way
Privacy City, PC 12345
