Privacy Policy

Last updated: May 1, 2026

Who we are

GetSaaSWatch ("we," "us," or "our") provides subscription visibility and spend analytics. This Policy applies to personal data processed through our website, dashboard, APIs, and the optional GetSaaSWatch browser extension (Chrome Web Store and Microsoft Edge Add-ons) and optional GetSaaSWatch desktop application (desktop agent; currently Windows-only via the Microsoft Store) deployed under your or your organization's account (collectively, the "Service"). If you are located in the EEA, UK, California, or another jurisdiction with privacy laws, the sections below describe your applicable rights.

Data we collect

Account data: email, user identifiers, and authentication data from Supabase.

Billing data: identifiers and plan details processed by our payment provider (for example, Creem). We do not store full payment card numbers.

Product and dashboard data: Stripe subscription metadata you authorize (for example, name, amount, currency, status), classification preferences, dictionary entries, departments and members, ownership assignments, offboarding-task records, notification settings, and other saved settings.

Feedback and support data: when you submit feedback, we store your message and limited troubleshooting context (for example, page path, locale, and browser user agent), linked to your account identifier and a snapshot of your email address at the time of submission.

Service usage data: when you access our website or APIs, we or our hosting providers may collect technical data such as IP address, browser type/version, request paths, and timestamps. We use this data for security, abuse prevention, and reliability. We generally do not use it for long-term individual profiling.

Optional desktop application (Windows / Microsoft Store only today): when your organization enables the desktop data source and installs the GetSaaSWatch desktop agent on a supported Windows device, the agent sends work-relevant usage signals to our APIs for the same governance scenarios as the browser extension, including pairing with the extension on the same device (a paired primary browser extension and desktop agent on one machine typically roll up to one logical seat; see “Seat-occupied devices” in-product). Payloads depend on version and configuration. Browser extension and desktop client telemetry are described further under “Browser extension, desktop application, and usage events,” the next section.

Browser extension, desktop application, and usage events

When your organization enables extension-based features and deploys the GetSaaSWatch browser extension (Chrome Web Store / Microsoft Edge Add-ons), and/or enables the desktop application data source and installs the Microsoft Store GetSaaSWatch desktop agent on Windows, those clients send usage events to our APIs to power Shadow IT, unused-subscription, unregistered-agent, ownership-attribution, offboarding workflows, and paired seat counting across browser and desktop on the same machine. We do not ship a macOS (or other desktop OS) agent in the current public release. Event fields typically include tool or process classification signals, hostname, timestamps, per-client install identifiers, and optional metadata (for example, page title for the extension, human vs. agent, `subscription_id`, `responsible_member_id`, and optional device label). Requests may include organization identifiers, company codes, list-token-related data, and pairing or challenge codes used only to bind devices as instructed in-product. Neither client is designed to capture keystrokes, clipboard contents, or a continuous log of all activity outside your organization’s configured scope; the purpose is work-tool visibility and governance. Reported fields depend on product version and configuration. We do not sell this data and do not use it for cross-site behavioral advertising. Where same-origin attribution is enabled for the browser extension, a local user identifier may be stored in browser local storage and is cleared, or no longer relied on, after sign-out or session expiration. Desktop pairing and local operational data follow technical controls described in-product and are subject to server-side retention rules in this Policy.

Cookies, local storage, and similar technologies

We use essential cookies and browser local storage (for example, localStorage) to operate the site, remember language/theme preferences, and store your choice on this notice. In the current public release, we do not load optional third-party behavioral advertising or analytics scripts without separate disclosure. If this changes, we will update this Policy and request consent where required.

Do Not Track

Some browsers can send a “Do Not Track” (DNT) signal. We do not currently recognize or respond to DNT signals. To limit tracking or adjust data collection, review your browser’s privacy and site settings, and contact us or manage your account and cookie preferences as described under “Your rights” in this Policy.

Organization customers and end users

If your employer or customer enables GetSaaSWatch for you, that organization is typically the workspace administrator and may define deployment scope, issue company codes/list tokens, and set internal policies. Questions about workplace monitoring or employment-law obligations should be directed to your organization. We process data as described in this Policy and under our agreement with you or your organization. Organizations are responsible for providing workforce notices required by applicable law. If you are asked to install the browser extension or desktop application and are unsure whether your employer has properly authorized deployment or provided required notice, stop using those clients and contact your IT, legal, or compliance team.

How we use data

We use data to provide, maintain, and improve the Service (including insights, alerts, reporting, ownership attribution, and offboarding workflows), send operational and alert emails configured by you or your admin, protect security and prevent abuse, comply with legal obligations, and communicate service updates. We do not sell personal information, and we do not use browser extension or desktop client usage data for cross-site behavioral advertising.

Storage, retention, and international transfers

Data may be stored with cloud providers such as Supabase and Vercel in the data center regions they select. If you or your organization are in the EEA, UK, or another region, data may be transferred to the United States or other countries. These transfers rely on standard contractual clauses, adequacy decisions, or other legally permitted transfer mechanisms, as applicable. While your account is active, we retain data needed to provide the Service. After account deletion or a valid deletion request, we delete or anonymize covered personal information within thirty (30) days, unless longer retention is required by law or needed for legitimate purposes such as dispute resolution or legal compliance.

Data security

We implement reasonable technical and organizational safeguards to protect personal information, including TLS/HTTPS encryption in transit, authentication and access controls for dashboards and APIs, role-based least-privilege access, and security controls provided by our cloud providers. No transmission or storage method is completely secure. If an incident may affect your rights, we will take steps required by applicable law, including notice where appropriate.

Subprocessors

We rely on subprocessors to operate the Service, including Stripe (billing data you connect), Creem (checkout), Supabase (authentication and database), Vercel (hosting), Resend (transactional email delivery), and other email delivery providers. Their processing is subject to their terms and data processing agreements. The list may change as our stack evolves; we will reflect material updates here or in the dashboard as appropriate.

Your rights

Depending on your location, you may have rights to access, correct, delete, restrict, object to certain processing, or port your data (for example under GDPR, UK GDPR, or CCPA/CPRA, where applicable). To exercise these rights, email support@getsaaswatch.com or use account deletion in Settings. We may need to verify your identity before responding. Where extension or desktop client data is tied to an organization-managed workspace, some requests may need administrator coordination. We respond within timelines required by applicable law. If you are a California resident, CCPA/CPRA may grant rights to know data categories and purposes, request deletion, and opt out of "sale" or "sharing" where those terms apply. We do not sell your personal information (consistent with "How we use data").

Children’s privacy

The Service is not directed to individuals under 16 (or the digital age of consent in your jurisdiction), and we do not knowingly collect personal information from children. If you believe we have collected information from a child in error, contact support@getsaaswatch.com.

Changes to this Policy

We may update this Policy from time to time. We will post the updated version on this page and revise the “Last updated” date. Where required by law or for material changes that expand collection or use, we will provide additional notice (for example, by email or an in-dashboard message) and seek consent where necessary.

Contact

For privacy questions or requests, email support@getsaaswatch.com.