Privacy Policy

Last Updated: January 17, 2026

1. Introduction

This Privacy Policy describes how SaaSAnalytics ("we", "us", or "our") collects, uses, stores, and protects your personal information when you use our Service.

We are a sole proprietorship registered in Hungary, and we are committed to protecting your privacy in accordance with:

  • EU General Data Protection Regulation (GDPR)
  • Hungarian data protection laws
  • Other applicable privacy regulations

2. Data Controller Information

Business Type: Sole Proprietorship

Country: Hungary

Contact Email: hello@usegrand.app

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

  • Email address: For account identification, authentication, and communication
  • Full name: For personalization and invoicing purposes
  • Password: Securely hashed using bcrypt (we never store plain-text passwords)
  • Account status: Whether your account is active or disabled
  • Registration date: When you created your account

3.2 Website Information

When you add websites to track, we collect:

  • Website domain: The domain name of your tracked website
  • Website name: Optional display name for your website
  • Timezone: For accurate date/time reporting in analytics
  • Configuration settings: Goals, funnels, and other tracking preferences

3.3 Billing and Payment Information

When you subscribe, we collect:

  • Billing address: Street address, city, state/province, postal code, and country
  • Payment transaction data: Amount, currency, payment status, transaction IDs (processed by Stripe)
  • Stripe identifiers: Customer ID, subscription ID, payment intent ID

Important: We do NOT store your credit card details. All payment card information is processed and stored securely by Stripe, our PCI-DSS compliant payment processor.

3.4 Analytics Data (Your Visitors)

For visitors to your tracked websites, we collect:

  • Page views: URLs visited, page titles, referrer information
  • Session data: Session duration, bounce status, pages per session
  • Device information: Browser type, operating system, screen resolution
  • Geographic data: Country and city (derived from IP address, which is not stored)
  • Traffic sources: UTM parameters, referrer domains, search engines
  • Custom events: Events you define such as button clicks, form submissions, and conversions

Privacy by design: We do not use cookies for tracking visitors by default. We do not collect personally identifiable information (PII) from your website visitors. IP addresses are used only for geolocation and are not stored.

3.5 Technical Data

We automatically collect:

  • Authentication data: JWT tokens stored in secure, HTTP-only cookies
  • Rate limiting data: Request counts to prevent abuse (stored temporarily)
  • Session data: Temporary data for maintaining your logged-in state

3.6 Email Communication Data

We process email addresses for:

  • Transactional emails: Password resets, welcome emails, trial notifications
  • Invoices: Electronic invoices sent upon payment
  • Customer support: Responses to your inquiries
  • Service updates: Important announcements about the Service

4. How We Use Your Information

4.1 Service Provision

  • Create and maintain your account
  • Authenticate your identity and secure your account
  • Track and display website analytics data
  • Enable goal tracking, funnel analysis, and user journey insights
  • Provide real-time and historical analytics dashboards
  • Provide technical support and customer service

4.2 Payment Processing

  • Process subscription payments through Stripe
  • Manage subscription lifecycle (trials, renewals, cancellations)
  • Generate electronic invoices for tax compliance
  • Handle refund requests and process refunds
  • Maintain payment records for accounting and tax purposes

4.3 Communication

  • Send password reset emails with time-limited tokens
  • Send welcome emails to new users
  • Send trial expiration notifications
  • Send invoices/receipts for purchases
  • Respond to support inquiries

4.4 Security and Fraud Prevention

  • Rate limiting to prevent abuse and DDoS attacks
  • Detect and prevent fraudulent transactions
  • Monitor for suspicious account activity
  • Enforce password requirements (8+ chars, mixed case, numbers, special characters)

4.5 Legal Compliance

  • Comply with GDPR, Hungarian, and EU data protection laws
  • Comply with Hungarian tax and invoicing regulations
  • Respond to legal requests and court orders
  • Enforce our Terms of Service

5. Legal Basis for Processing (GDPR)

Under GDPR, we process your personal data based on the following legal grounds:

Contract Performance

Processing necessary to provide the Service you subscribed to (account management, analytics tracking, payment processing)

Legal Obligation

Processing required by law (tax compliance, invoice generation, fraud prevention)

Legitimate Interest

Processing necessary for our legitimate business interests (security, fraud detection, service improvement)

Consent

Where you have provided explicit consent for specific processing activities

6. Data Sharing and Third-Party Services

We share your data with the following trusted third-party service providers who help us operate the Service:

Stripe (Payment Processing)

Data shared: Email, name, billing address, payment amount

Purpose: Secure payment processing and subscription management

Location: USA (GDPR-compliant, Standard Contractual Clauses)

Privacy Policy: https://stripe.com/privacy

Resend (Email Delivery)

Data shared: Email address, name (for personalization)

Purpose: Transactional email delivery (password resets, welcome emails, notifications)

Location: USA (GDPR-compliant)

Privacy Policy: https://resend.com/legal/privacy-policy

MongoDB Atlas (Database Hosting)

Data shared: All user data, analytics data, payment records

Purpose: Primary database storage

Location: EU region (configurable)

Privacy Policy: https://www.mongodb.com/legal/privacy-policy

Upstash Redis (Rate Limiting & Caching)

Data shared: Request counts, temporary session data

Purpose: Rate limiting, abuse prevention

Location: EU region (configurable)

Privacy Policy: https://upstash.com/privacy

Important: We do NOT sell, rent, or trade your personal information to third parties for marketing purposes.

7. Data Retention

7.1 Active Accounts

We retain your personal data for as long as your account is active and you maintain a valid subscription. Analytics data is retained according to your plan limits.

7.2 Expired Subscriptions

  • Trial accounts: Data is retained for a reasonable period after trial expiration to allow you to subscribe
  • Cancelled subscriptions: Data may be retained for a period to allow for resubscription

7.3 Closed Accounts

After you close your account or request deletion:

  • We will delete your personal data within 30 days
  • Some data may be retained for legal or regulatory purposes (e.g., payment records for tax compliance)
  • Anonymized usage data may be retained for analytics and service improvement

7.4 Legal Retention Requirements

Certain data must be retained to comply with legal obligations:

  • Payment and invoice records: Retained for 8 years (Hungarian tax law requirement)
  • Fraud prevention records: Retained as necessary to prevent future fraudulent activity

8. Cookies and Tracking Technologies

8.1 Authentication Cookie

Name: auth_token (configurable)

Purpose: Store JWT authentication token to keep you logged in

Type: Strictly necessary (essential for Service functionality)

Security:

  • HttpOnly: Yes (not accessible via JavaScript, so a cross-site scripting (XSS) payload cannot read the token)
  • Secure: Yes in production (transmitted only over HTTPS)
  • SameSite: Lax (CSRF protection)

8.2 Analytics Tracking Script

Our analytics tracking script installed on your websites:

  • Does NOT use cookies: We use cookieless tracking by default
  • Does NOT collect PII: No names, emails, or personal data from visitors
  • Does NOT store IP addresses: IPs are used only for geolocation, then discarded
  • Is lightweight: Minimal impact on page load performance

8.3 What We DON'T Use

We do NOT use:

  • Advertising or marketing cookies
  • Social media tracking pixels
  • Cross-site tracking technologies
  • Behavioral advertising networks
  • Data brokers or third-party data selling

9. Data Security

We implement industry-standard security measures to protect your data:

9.1 Encryption

  • In transit: All data transmitted over HTTPS/TLS encryption
  • At rest: Database encryption provided by MongoDB Atlas
  • Passwords: Hashed with bcrypt (10+ salt rounds, irreversible)

9.2 Access Controls

  • Role-based access control (user/admin)
  • JWT-based authentication with secure, HTTP-only cookies
  • Rate limiting on all API endpoints
  • Password reset tokens expire after 1 hour

9.3 Infrastructure Security

  • Database hosted on secure MongoDB Atlas infrastructure
  • Redis rate limiting via Upstash (cloud-based, encrypted)
  • Payment processing via PCI-DSS compliant Stripe
  • Regular security updates and patches

Note: While we implement strong security measures, no system is 100% secure. You are responsible for maintaining the confidentiality of your password and reporting any unauthorized access immediately.

10. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

Right to Access

You have the right to request a copy of all personal data we hold about you.

Right to Rectification

You can update your account information at any time through your account settings or by contacting us.

Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data, subject to legal retention requirements (e.g., tax records).

Right to Data Portability

You can export your analytics data through the dashboard. Contact us for additional data exports.

Right to Restrict Processing

You can request that we limit how we use your data under certain circumstances.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time.

Right to Lodge a Complaint

You have the right to file a complaint with your local data protection authority.

To exercise your rights, please contact us at hello@usegrand.app. We will respond to your request within 30 days as required by GDPR.

11. International Data Transfers

We are based in Hungary (EU), but some of our service providers are located outside the EU:

  • Stripe (USA): Covered by Standard Contractual Clauses (SCCs) and EU-US Data Privacy Framework
  • Resend (USA): GDPR-compliant data processing agreement

We ensure that all international data transfers comply with GDPR requirements through:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions for certain countries
  • Data processing agreements with GDPR compliance guarantees

12. Children's Privacy

Our Service is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at hello@usegrand.app. We will delete such information from our records.

13. Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours (GDPR requirement)
  • Notify affected users without undue delay if the breach poses a high risk
  • Provide information about the nature of the breach and remedial actions taken
  • Take immediate steps to contain and remediate the breach

14. Automated Decision-Making

We do NOT use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

The only automated processes we use are:

  • Rate limiting: Automatic blocking of excessive requests (abuse prevention)
  • Fraud detection: Stripe's automated fraud screening (payment security)
  • Analytics aggregation: Automatic processing of visitor data into aggregate statistics

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we do:

  • We will update the "Last Updated" date at the top of this page
  • We will notify you of material changes via email or through the Service
  • We will provide a prominent notice on our website
  • For significant changes, we may require your renewed consent

Your continued use of the Service after changes indicates your acceptance of the updated Privacy Policy.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:

Email: hello@usegrand.app

Data Controller: SaaSAnalytics (sole proprietorship)

Location: Hungary

We will respond to your inquiry within 30 days as required by GDPR.

Summary

In summary, we are committed to:

  • Collecting only the data necessary to provide and improve the Service
  • Protecting your data with industry-standard security measures
  • Being transparent about how we use your data
  • Complying with GDPR, Hungarian, and EU data protection laws
  • Respecting your privacy rights and responding to requests promptly
  • Providing privacy-focused analytics that respect your visitors' privacy
  • NOT selling or trading your data to third parties
  • NOT using invasive tracking or advertising cookies