Privacy Policy

1. Who we are

SaasLab is a sole-proprietorship business operated by Radosław Myszka (Poland), publishing software-as-a-service compliance tools for European SMEs. We process personal data of customers, prospective customers, website visitors, and users of our SaaS applications.

For the purposes of GDPR (Regulation (EU) 2016/679), we act as Data Controller for account, billing, and marketing data, and as Data Processor for content data customers upload into our SaaS products (e.g. compliance records, fields and treatments, transport data).

2. What data we collect

Category	Examples	Source
Account data	Full name, email address, company name, NIP/VAT, billing address	Provided by you at signup
Authentication data	Google OAuth profile (name, email, avatar URL); session tokens	Google OAuth flow
Content data	Compliance records, transport logs, field maps, AI inventory entries, etc.	Entered by you in the app
Payment data	Card last-4, payment status, invoice records (full card data is held by Stripe/Paddle, not by us)	Stripe / Paddle
Technical data	IP address, browser, OS, screen size, page paths, error logs	Automatic on visit
Marketing data	Email open/click status (if you opted in), survey responses	Your interaction with our emails

Data we do not collect

• We do not buy email lists or scrape contact databases.
• We do not use third-party advertising trackers (no Google Ads remarketing, no Facebook custom audiences via Conversions API).
• We do not collect biometric data, special categories of personal data (Art. 9 GDPR), or data of children.

3. Legal basis (GDPR)

We process your personal data under one or more of the following legal bases:

• Art. 6(1)(b) GDPR — performance of a contract (providing the SaaS service, processing payments, sending service emails)
• Art. 6(1)(c) GDPR — compliance with a legal obligation (tax/accounting records, data retention obligations)
• Art. 6(1)(f) GDPR — legitimate interest (fraud prevention, network security, direct B2B marketing to existing customers, product improvement based on aggregated usage data)
• Art. 6(1)(a) GDPR — consent (for non-essential cookies, optional marketing emails to non-customers, optional integrations such as connecting your Google Calendar)

4. Processing purposes

1. Service delivery — operating the SaaS, syncing your data between web and mobile, generating reports and PDFs
2. Authentication & account security — Google OAuth login, MFA where applicable, session management, fraud detection
3. Billing & tax — issuing invoices, processing payments via Stripe/Paddle, complying with Polish VAT/CIT obligations
4. Customer support — responding to emails sent to kontakt@saaslab.one or product-specific addresses
5. Service communication — transactional emails (welcome, password reset, billing receipts, deadline reminders, system status)
6. Product improvement — analysing aggregated, pseudonymised usage data to improve features
7. Direct marketing — periodic product updates and regulatory news to existing customers (you may unsubscribe at any time)

5. Data storage & location

Your data is stored in the European Union — specifically on Microsoft Azure infrastructure in West Europe (Netherlands) and North Europe (Ireland) regions. Microsoft Ireland Operations Limited is a sub-processor and a Data Processing Agreement is in place under Art. 28 GDPR.

Application databases use SQLite hosted on Azure App Service (per-product isolation: cbamreporter.db, nis2compliance.db, etc.). Mobile applications (Agri Field Journal) additionally store data locally on the user's device in a persistent SQLite database.

6. Retention periods

Data category	Retention period
Active account data	For the duration of the customer relationship
Content data after account deletion	30 days (then permanent deletion)
Invoices & tax records	5 years from the end of the tax year (Polish tax law)
Marketing preferences	Until you unsubscribe or for 3 years of inactivity
System logs (access logs, error logs)	90 days
Backup snapshots	30 days rolling

7. Third parties & sub-processors

We share personal data only with the following sub-processors, all of which provide adequate safeguards:

Sub-processor	Purpose	Location	Safeguard
Microsoft Ireland Operations Ltd. (Azure)	Application hosting, databases, file storage	EU (West Europe / North Europe)	DPA + EU SCCs
Google LLC (OAuth)	Sign-in only — no data sent beyond OpenID claims	USA	EU SCCs + Adequacy (TADPF)
Stripe Payments Europe Ltd.	Payment processing, billing	Ireland (EU)	DPA + EU SCCs
Paddle.com Market Limited	Alternative payment processing (merchant of record)	UK (adequacy decision)	DPA + Adequacy decision
Cloudflare Inc. (CDN, Web Analytics)	DNS, DDoS protection, anonymous web analytics	USA / global edge	EU SCCs
Google Analytics 4 (G-X3EXYNC2ZD)	Anonymised website usage analytics (anonymize_ip enabled)	EU primary, USA backup	EU SCCs + IP anonymisation
Meta Pixel	Conversion measurement on marketing pages (opt-out via cookie banner)	EU/USA	EU SCCs + Adequacy (TADPF)
GitHub Inc. (backups)	Source code & daily database backups	USA	EU SCCs + private repository

We do not sell or rent personal data to any third party. We do not engage in cross-context behavioural advertising.

8. International transfers

Where personal data is transferred outside the EU/EEA (specifically to USA-based sub-processors above), we rely on:

• EU-US Data Privacy Framework (TADPF) adequacy decision (12 July 2023) — for Google LLC and Meta where applicable
• Standard Contractual Clauses (Module 2) — incorporated into all DPAs for sub-processors lacking individual adequacy
• Supplementary technical measures — pseudonymisation in transit, IP anonymisation in analytics, encryption at rest (AES-256) and in transit (TLS 1.2+)

9. Your rights under GDPR

You have the following rights regarding your personal data:

1. Right of access (Art. 15) — request a copy of your data
2. Right to rectification (Art. 16) — correct inaccurate or incomplete data
3. Right to erasure / "right to be forgotten" (Art. 17) — request deletion subject to legal-retention exceptions
4. Right to restriction of processing (Art. 18) — pause processing while a dispute is resolved
5. Right to data portability (Art. 20) — receive your data in a structured, commonly used format (CSV/JSON)
6. Right to object (Art. 21) — object to processing based on legitimate interest, including direct marketing
7. Right to withdraw consent (Art. 7(3)) — for any consent-based processing, at any time
8. Right not to be subject to automated decision-making (Art. 22) — we do not perform any solely-automated decisions with legal or similarly significant effects
9. Right to lodge a complaint — with the Polish supervisory authority (UODO, uodo.gov.pl) or your local national DPA

To exercise any of these rights, email kontakt@saaslab.one. We respond within 30 days (extendable by 60 days for complex requests, with notification). There is no fee for reasonable requests.

10. Cookies & tracking

The marketing website (saaslab.one) and our SaaS applications use the following cookie categories:

Type	Purpose	Lifetime	Consent required
Strictly necessary	Session, CSRF, language preference, cookie banner state	Session — 1 year	No
Functional	UI preferences, tutorial dismissal flags	Up to 1 year	No (legitimate interest)
Analytics (Google Analytics 4 _ga)	Aggregated, IP-anonymised usage statistics	13 months	Yes (banner)
Marketing (Meta Pixel _fbp)	Conversion measurement on landing pages	3 months	Yes (banner)
Cloudflare Web Analytics	Cookieless privacy-respecting traffic analytics	None (cookieless)	No

You can manage cookie preferences via the cookie banner shown on first visit, your browser settings, or by contacting us. Withdrawal of analytics/marketing consent does not affect site functionality.

11. Security measures

• Encryption in transit: TLS 1.2+ (HSTS enabled, Cloudflare-managed certificates)
• Encryption at rest: AES-256 on Azure storage; database files encrypted by Azure-managed keys
• Access control: Single-tenant authentication via Google OAuth 2.0; admin access protected by 2FA
• Backup: Daily automated backups, 30-day rolling retention
• Logging: Application access logs retained 90 days; security alerts via Azure Defender
• Incident response: Personal data breaches notified to UODO within 72 hours where required by Art. 33 GDPR; affected users notified without undue delay where Art. 34 conditions are met
• Sub-processor controls: Annual review of DPAs; incidents at sub-processor level cascade-notified to us within agreed SLAs

12. Children

SaasLab products are designed for business use by adults (compliance professionals, business owners, consultants). We do not knowingly collect personal data of children under 16. If you believe a child has provided us with personal data, contact us immediately and we will delete it.

13. Changes to this policy

We may update this policy to reflect changes in legislation, our services, or sub-processors. Material changes will be notified via in-app banner or email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision. Historical versions are available on request.

14. Contact & complaints

For any questions, requests, or complaints regarding this policy or your personal data:

SaasLab (Radosław Myszka)
Email: kontakt@saaslab.one
Website: saaslab.one
Polish version of this policy: saaslab.one/polityka-prywatnosci

You may also lodge a complaint with the Polish data-protection authority:

Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
Website: uodo.gov.pl

If you are based outside Poland, you may instead lodge a complaint with your national supervisory authority. A list is maintained by the European Data Protection Board at edpb.europa.eu.