Effective date: [DATE — set this when you publish]
This Privacy Policy explains how [Your Company Name] ("we", "us", "our", "Saneops") collects, uses, discloses, and protects information about visitors and customers of the Saneops website, hosted service, and self-hosted distributions (collectively, the "Services").
This policy is designed to comply with:
- EU/UK GDPR (General Data Protection Regulation)
- India's DPDP Act 2023 (Digital Personal Data Protection Act)
- California CCPA / CPRA
- Brazil's LGPD
If you have questions, contact privacy@your-domain.com.
1. Who we are
Data controller for our website + hosted service: [Your Company Name], [Registered Address], India. Contact: privacy@your-domain.com.
For self-hosted deployments, the customer is the controller of any personal data their Saneops instance processes; we act as the processor under our Data Processing Addendum (see DPA).
2. What we collect
a) Information you give us
- Account data: name, work email, company name, role.
- Authentication data: bcrypt-hashed password (we never store plaintext) OR your OIDC identity-provider's subject identifier.
- Billing data: company name, billing address, tax ID. Card numbers are handled by Stripe — we never see them.
- Support communications: emails, chat messages you send us.
b) Information collected automatically (hosted service)
- Operational telemetry: HTTP request paths (no body), status codes, response times. Used for capacity planning and error tracking.
- Audit log: every admin-level action (rule create, workflow delete) with actor email and timestamp. Retained 1 year.
- Cookies: a single signed session cookie (session) and a CSRF cookie (as_csrf). No third-party tracking cookies.
c) Information our customers feed in
When you ingest alerts via webhook, the alert payload may include:
- Alertname, severity, labels (which CAN include free-form text like service names, hostnames)
- Annotations (descriptions, runbook URLs, etc.)
- Timestamps
This data is YOURS. We process it on your behalf (see DPA). We do not look at, share, or sell its content.
3. What we DON'T collect
- We do not use third-party advertising trackers.
- We do not sell or share customer data with brokers or AI training providers.
- We do not send your alert content to any LLM unless you have explicitly configured one (and the provider you chose is yours, not ours — see docs/rca.md).
- We do not perform behavioral profiling of users.
4. Why we collect (lawful basis)
| Purpose | Lawful basis (GDPR Art. 6) |
|---|---|
| Provide the Services | Contractual necessity (b) |
| Bill paid plans | Contractual necessity (b) |
| Send service / security notifications | Legitimate interest (f) |
| Send marketing communications | Consent — opt-in only (a) |
| Detect abuse, fraud, security incidents | Legitimate interest (f) |
| Comply with tax / legal obligations | Legal obligation (c) |
5. Who we share with
We use the following sub-processors. Each is bound by a written DPA with terms at least as protective as this one:
| Sub-processor | What they do | Where data is processed |
|---|---|---|
| Stripe, Inc. | Payment processing | US |
| AWS (or your chosen cloud) | Hosting (when you use our hosted service) | as configured per region |
| Postmark / Resend | Transactional emails | US/EU |
| Anthropic / OpenAI / your LLM choice | AI features — only if YOU configure | per their terms |
We do not share personal data with anyone else without your explicit consent, except as required by law.
6. Where we store
By default, EU customer data is processed in EU regions (Frankfurt or Ireland), India customer data in Mumbai, and US customer data in us-east-1.
Self-hosted customers process data wherever they choose to deploy.
7. How long we keep it
| Category | Retention |
|---|---|
| Account data | While your account is active + 90 days post-cancellation |
| Audit logs | 1 year |
| Operational telemetry | 90 days |
| Customer alert/incident data (hosted) | Per your subscription tier (90 days–1 year by default) |
| Billing records | 7 years (legal/tax obligation) |
| Support emails | 3 years |
After retention, data is permanently deleted within 30 days unless you've requested a different schedule via DPA.
8. Your rights
Under GDPR, DPDP, CCPA, and LGPD you can:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data (with limited exceptions for legal obligations)
- Restrict or object to certain processing
- Port your data in machine-readable format
- Withdraw consent at any time
- Lodge a complaint with your supervisory authority
To exercise these rights, email privacy@your-domain.com. We respond within 30 days (GDPR / DPDP) or 45 days (CCPA).
9. Security
See our SECURITY.md. Highlights:
- bcrypt password hashing
- AES-128-CBC + HMAC-SHA256 (Fernet) encryption for secrets at rest
- TLS 1.2+ in transit (when you put a TLS terminator in front)
- CSRF, rate limiting, security headers (CSP, HSTS, etc.)
- Tenant isolation at every database query
- 5-attempt login lockout
- Audit log of all admin actions
In the unlikely event of a breach affecting personal data, we will notify affected customers within 72 hours of becoming aware (GDPR Art. 33) and the relevant supervisory authority as required.
10. Children
The Services are not intended for users under 16. We do not knowingly collect data from children. If you believe we have, contact privacy@your-domain.com and we will delete it immediately.
11. Cookies
We set a minimum of two cookies:
| Name | Purpose | Lifetime |
|---|---|---|
| session | Authenticate logged-in users | 12 hours |
| as_csrf | CSRF protection | 12 hours |
Both are first-party and SameSite=Lax; the session cookie is additionally HTTP-only. We do not use Google Analytics or other third-party trackers by default.
12. International transfers
When personal data is transferred outside its region of origin (e.g. EU → US, India → US), we rely on:
- Standard Contractual Clauses (SCCs) for EU/UK data
- Equivalent contractual safeguards for India / Brazil data
Sub-processor SCCs are available on request.
13. Changes to this policy
We post the current policy at our website. Material changes are announced 30 days in advance via email to admins of paid plans.
14. Contact
| What | Where |
|---|---|
| Privacy / data subject requests | privacy@your-domain.com |
| Security disclosures | security@your-domain.com — see SECURITY.md |
| Customer support | support@your-domain.com |
| EU representative (Article 27 GDPR) | [appoint via Prighter / EU rep service] |
| Legal entity | [Your Company Name], [Registered Address] |
Owner note: This document is a starting template tailored to a SaaS / DevTools company with B2B customers. Replace bracketed placeholders. Have a privacy-law-aware lawyer review before publication. Costs ~₹30k–80k for an Indian lawyer to localize + review for EU/CCPA edges. Critical things they will catch:
- Whether your specific operations qualify as "data fiduciary" vs "data processor" under DPDP
- Whether your hosted service triggers DPDP's significant-data-fiduciary obligations (likely no at first; yes at scale)
- Whether any sub-processor (e.g., your LLM provider) requires additional contractual paperwork in your customer's contract
- Whether your retention schedule is defensible
Don't ship this to customers without that review.