Privacy Policy

Last updated: April 2, 2026

Who we are

SaaSWatch (“we”, “us”) provides subscription visibility and spend analytics. This policy applies to personal data processed when you use our website, dashboard, APIs, and the optional SaaSWatch browser extension deployed under your or your organization’s account (together, the “Service”). If you are in the EEA, UK, California, or other regions with privacy laws, the sections below describe rights you may have, where applicable.

Data we collect

Account: email address, user identifiers, and authentication data from Supabase.

Billing: when you purchase a paid plan, identifiers and plan details processed by our payment provider (e.g. Creem); we do not store your full payment card number.

Product & dashboard: Stripe-connected subscription metadata you authorize (e.g. names, amounts, currency, status), classification and dictionary preferences, department assignments, notification settings, and other settings you save.

Feedback & support: when you submit “Feedback” in the dashboard, we store the content you provide plus minimal troubleshooting context (e.g. current page path, locale, and browser user agent) and link it to your account identifier and an email snapshot at submission time.

Service usage data: when you visit our website or call our APIs, we or our hosting providers may automatically collect technical information such as IP address, browser type and version, approximate location (if inferred), request paths, and access timestamps. We use this for security, abuse prevention, and basic performance and reliability analysis; we generally do not use it for long-term individual profiling.

Data collected through the browser extension is described in the next section.

Browser extension and usage events

When your organization turns on extension-based features in Settings and deploys the SaaSWatch browser extension, the extension sends “usage events” to our API to power Shadow IT, unused subscription service, and unregistered AI agent signals. Events typically include: a tool identifier (name), hostname, timestamp, a per-browser install id, and optional fields (e.g. page title, human vs. agent, link to an internal subscription row, optional device label). Requests may include your company identifier, the company code issued by your admin, and—if configured—data needed to sync the subscription list associated with a list token. The extension is not designed to log keystrokes, clipboard contents, full page capture, or a continuous record of all browsing. Its purpose is to detect usage of work-related tools within the scope your organization configures. Exact fields depend on the deployed extension version and configuration. We do not sell this data for cross-site advertising profiles; we do not sell your personal information (consistent with “How we use data”). When you have an active SaaSWatch session on the same origin as the extension, we may store your user identifier in browser local storage so the extension can attribute usage to the correct workspace user, where permitted. That value is cleared or no longer relied on when you sign out or the session ends, as implemented by our web app.

Cookies, local storage, and similar technologies

We use necessary cookies and browser local storage (e.g. localStorage) to run the site, remember language and theme preferences, and record your choice on this notice. The current public release does not load optional third-party behavioral advertising or analytics scripts without separate disclosure; if we add them later, we will update this policy and obtain consent where required.

Do Not Track

Some browsers can send a “Do Not Track” (DNT) signal. We do not currently recognize or respond to DNT signals. To limit tracking or adjust data collection, review your browser’s privacy and site settings, and contact us or manage your account and cookie preferences as described under “Your rights” in this policy.

Organization customers and end users

If your employer or customer enables SaaSWatch for you, that organization is typically the workspace administrator and may decide deployment scope, issue company codes and list tokens, and set internal policies. Workplace monitoring and employment law questions should be directed to your organization. We process data as described here and per our agreement with you or your organization. Organizations should provide any notices to their workforce required under applicable law. If you are an employee asked to install the extension or you installed it yourself and are unsure whether your employer has properly authorized use or provided required notices, stop using the extension and contact your IT, legal, or compliance team.

How we use data

We use data to provide, maintain, and improve the Service (including insights, alerts, reports, and extension-backed features), send operational and alert emails you or your admin configure, protect security (including anti-abuse), comply with legal obligations, and communicate about the Service. We do not sell your personal information. We do not use extension usage data to run behavioral ads across unrelated sites.

Storage, retention, and international transfers

Data may be stored using cloud providers such as Supabase and Vercel in data center regions they select. If you or your organization are in the EEA, UK, or elsewhere, data may be transferred to the United States or other countries. Such transfers rely on standard contractual clauses, adequacy decisions, or other mechanisms permitted by law, as applicable. While your account is active, we retain data needed to provide the Service. After you delete your account or we honor a valid deletion request, we will delete the personal information covered by that request or anonymize it so it no longer identifies you within thirty (30) days, except where retention is required by law or for legitimate purposes such as resolving disputes or meeting legal obligations.

Data security

We use reasonable technical and organizational measures to protect personal information, including TLS/HTTPS encryption in transit, authentication and access controls for the dashboard and APIs, role-based and least-privilege access for staff and systems, and the security capabilities of our cloud providers. No method of transmission or storage is completely secure; if an incident may affect your rights, we will take steps required by applicable law, including notice where appropriate.

Subprocessors

We rely on subprocessors to operate the Service, including Stripe (billing data you connect), Creem (checkout), Supabase (authentication and database), Vercel (hosting), Resend (transactional email delivery), and other email delivery providers. Their processing is subject to their terms and data processing agreements. The list may change as our stack evolves; we will reflect material updates here or in the dashboard as appropriate.

Your rights

Depending on where you live, you may have rights to access, correct, delete, restrict or object to certain processing, or port your data (for example under GDPR, UK GDPR, or CCPA/CPRA, as applicable). To exercise rights, email support@getsaaswatch.com or use account deletion in Settings. We may need to verify your identity before responding. Where extension data is tied to an organization-controlled workspace, some requests may need to be coordinated with your administrator. We respond within timelines required by applicable law. If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) may give you rights to know the categories and purposes of personal information we collect, to request deletion of your personal information, and to opt out of the “sale” or “sharing” of personal information where those terms apply. We do not sell your personal information (consistent with “How we use data” above). To exercise these rights, contact us as described in this section.

Contact

For privacy questions or requests, email support@getsaaswatch.com.