Privacy Policy
Last updated: June 9, 2026
This Privacy Policy describes how SaasDash.ai ("SaasDash", "we", "us", "our") collects, uses, shares, and protects personal data when you visit our website, create an account, or use the SaasDash.ai metrics dashboard. It is written to meet the transparency standards of the Brazilian General Data Protection Law (LGPD, Lei nº 13.709/2018), the European Union General Data Protection Regulation (GDPR), the United Kingdom Data Protection Act 2018, and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).
1. Who We Are
The data controller for personal data processed through SaasDash.ai is:
- Entity: Pmc Negocios Digitais Ltda
- CNPJ: 50.541.698/0001-20
- Address: Rua Doutor Itapura de Miranda, 100 — Boqueirão, Santos — SP, 11.055-090, Brazil
- Data protection contact: privacy@saasdash.ai
- EU/UK GDPR Article 27 representative: to be appointed. Until appointment, EU and UK data subjects may contact us at privacy@saasdash.ai and we will respond within the timelines required by applicable law.
For business customers, when SaasDash processes personal data about your end users on your behalf, you are the controller and we act as a processor. Those roles and obligations are governed by our Data Processing Agreement (see /legal/dpa).
2. Information We Collect
Account data
When you sign in, we receive and store your email address, display name, and profile picture. We support three sign-in methods: Google OAuth, GitHub OAuth, and Resend-delivered email magic links. We do not receive or store your Google or GitHub passwords.
Company profile
You may provide business information including company name, industry, growth stage, business model, target audience, team size, funding stage, and preferred currency. This data is used to contextualize your metrics and AI-generated insights.
SaaS metrics
You enter business metrics such as current customer count, new customers per month, churn rate, average revenue per account (ARPA), sales and marketing spend, and activation rates. These are stored to calculate your Growth Ceiling, CAC, NRR, and other derived metrics. We also store hourglass audit responses, scenario projections, goal tracking data, and weekly pulse check entries.
AI conversations
When you use our AI features (Ask Science, Activation Advisor), your conversation messages, the AI model used, token counts, and response times are stored. Your metrics and company context are sent to Anthropic's Claude API to generate personalized insights. Per Anthropic's commercial API terms, your inputs and outputs are not used to train Anthropic's foundation models. On the Scale plan, you may provide your own Anthropic API key (BYOK), which we encrypt using AES-256-GCM before storage. Only the last 4 characters are stored in plaintext for your reference.
Inbound email content (Executive Assistant)
If you write to one of our support or sales aliases (e.g., support@saasdash.ai, hello@saasdash.ai), your email — including the subject line, body text, headers, and any attachments — is ingested via the Google Gmail API and processed by our Executive Assistant. The Executive Assistant uses Anthropic's Claude to triage, classify, and draft replies. Original messages and AI-generated drafts are stored in our database for up to 90 days, then deleted unless converted into a support ticket or customer record. We do not read inbound mail for any other purpose, and we do not feed inbound mail content into model training.
Payment information
Payments are processed by Stripe. We store your Stripe customer ID, subscription ID, plan, and billing cycle dates. We never store credit card numbers, CVV codes, or full bank account details on our servers. All payment data is handled by Stripe in compliance with PCI DSS Level 1.
Affiliate program
If you join our affiliate program, we store your referral code, custom slug, commission rates, and payout history. For referred visitors, we store a hashed IP address and user agent string for fraud prevention and conversion attribution. Affiliate payouts are processed through Stripe Connect.
NPS surveys & testimonials
We collect NPS survey scores (0–10) and optional comments. If you submit a testimonial via our Wall of Fame, we store your story, struggle, and breakthrough narratives, along with your name, role, and company name. Approved testimonials may be displayed on our public landing page.
Support & feedback
Support tickets, feature requests, and votes you submit are stored along with message content and metadata. Notifications and metric alerts are tracked for delivery status.
Marketing-tracking identifiers
When you visit our marketing pages, we generate an anonymous visitor ID (a UUID stored in sessionStorage) and event IDs that are used to deduplicate conversion events between client-side pixels and our server-side Meta Conversions API integration. When you give marketing-cookies consent, we may also transmit hashed (SHA-256) email addresses and phone numbers to Meta to improve attribution accuracy. Without marketing consent these identifiers are not transmitted.
Exception telemetry
When the application encounters an unhandled error, PostHog captures the stack trace, the route, and request context (browser, OS, page URL). This data is used solely to diagnose and fix bugs. We make a best effort to scrub personal data from error payloads, but we cannot guarantee that no personal data is present in a stack trace.
Server logs
Vercel, our hosting provider, automatically records request logs including IP address, user agent, timestamp, and URL. These logs are retained for up to 90 days for security, abuse prevention, and operational troubleshooting.
3. How We Use Your Data — Purposes & Legal Bases
The table below maps each processing purpose to the categories of data involved and the legal basis under the GDPR (the same purposes rely on equivalent LGPD bases — execution of contract, legitimate interest, consent, or legal obligation).
| Purpose | Data categories | GDPR legal basis |
|---|---|---|
| Authenticate users and maintain sessions | Account data, session cookies | Contract (Art. 6(1)(b)) |
| Calculate and display Growth Ceiling, CAC, NRR, scenarios | Company profile, SaaS metrics | Contract (Art. 6(1)(b)) |
| Generate AI insights and recommendations | SaaS metrics, company profile, AI conversations | Contract (Art. 6(1)(b)) |
| Triage inbound support email via Executive Assistant | Inbound email content | Legitimate interest (Art. 6(1)(f)) — operating a customer-support function |
| Process payments and manage subscriptions | Account data, payment information | Contract (Art. 6(1)(b)) |
| Send transactional emails (invites, alerts, dunning) | Account data, metrics summaries | Contract (Art. 6(1)(b)) |
| Send marketing email (newsletters, re-engagement) | Account data, behavioral data | Consent (Art. 6(1)(a)), with opt-out at any time |
| Product analytics & feature usage | Behavioral events, plan, role | Consent (Art. 6(1)(a)) via cookie banner |
| Advertising attribution (Meta Pixel + Conversions API) | Hashed email/phone, event metadata | Consent (Art. 6(1)(a)) via cookie banner — marketing toggle |
| Bug diagnosis (exception telemetry) | Stack traces, request context | Legitimate interest (Art. 6(1)(f)) — maintaining a secure, working service |
| Fraud prevention (affiliate program) | Hashed IP, user agent | Legitimate interest (Art. 6(1)(f)) |
| Comply with tax and accounting laws | Payment records, invoices | Legal obligation (Art. 6(1)(c)) |
| Detect prompt injection and security abuse | AI conversations, request metadata | Legitimate interest (Art. 6(1)(f)) |
4. Cookies & Tracking
We use a small number of strictly necessary cookies (authentication, referral attribution) plus, on consent, analytics and marketing cookies. Pre-consent, PostHog runs in a cookieless memory-only mode and our Meta integration strips first-party Meta cookies. The full inventory — including cookie names, providers, durations, and purposes — is published on our Cookie Policy. You can change your choices at any time via the "Cookie settings" control in the website footer.
5. Third-Party Sub-processors
We rely on a curated set of sub-processors to operate the service — authentication providers, payments, email delivery, hosting, AI, and analytics. The complete, version-controlled list of sub-processors — including each vendor's purpose, hosting region, and transfer mechanism for EU/UK data — is published at /sub-processors. We provide at least 30 days' notice on that page before adding or materially changing a sub-processor that handles personal data.
6. What We Do NOT Do
For clarity, the following practices are explicitly outside the scope of how SaasDash operates today:
- No session replay, screen recording, or keystroke logging. We do not capture video of your screen or record your interactions. PostHog session recording is disabled at configuration. We use product analytics to count events (clicks, pageviews, feature usage) — not to watch you use the product.
- No sale of personal information. We do not sell personal data to third parties for money. See section 9 for what CCPA "sharing" means in our case and how to opt out.
- No model training on customer data. Anthropic's commercial API tier does not train its foundation models on the inputs or outputs we send. We do not run our own model training on customer data.
- No cross-site advertising profiles built by us. We do not operate an ad network, do not enrich profiles from data brokers, and do not build interest/segment profiles of you for ad targeting beyond the standard Meta Pixel/CAPI events disclosed above.
- No biometric, location, or device-fingerprinting collection. We do not collect precise geolocation, biometric identifiers, or run device-fingerprinting libraries.
7. International Data Transfers
SaasDash is operated from Brazil. The personal data we collect is stored and processed by sub-processors located primarily in the United States and the European Union (see /sub-processors for per-vendor regions). For transfers of EU, UK, or Swiss personal data to countries that have not received an adequacy decision, we rely on:
- The EU-US Data Privacy Framework (and the UK Extension and Swiss-US framework where applicable) for sub-processors that have self-certified — including Google, Stripe, Anthropic, and Meta;
- The European Commission's Standard Contractual Clauses (Decision 2021/914) and the UK International Data Transfer Addendum for all other sub-processors;
- Supplementary technical measures — TLS in transit, encryption at rest, SHA-256 hashing of identifiers sent to advertising platforms, and BYOK encryption for customer-provided API keys.
8. Data Retention
Retention is driven by the type of data, your subscription plan, and our legal obligations:
- Account data: while your account is active, plus 30 days after deletion for backup unwind;
- SaaS metric history: Free — no history; Starter — 3 months; Growth — 12 months; Scale — unlimited;
- AI conversations: retained until you archive or delete them;
- Inbound email (Executive Assistant): 90 days, unless converted to a customer record;
- Payment and invoice records: up to 7 years to satisfy Brazilian and US tax/accounting law;
- Server and security logs: 90 days;
- Exception telemetry: 90 days in PostHog (or shorter per their retention defaults);
- Affiliate fraud-prevention identifiers: 12 months from the click event.
If you delete your account, we will remove personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., billing records, fraud prevention).
9. Your Rights
If you are in the European Economic Area, the United Kingdom, or Switzerland (GDPR / UK GDPR)
You have the right to:
- Access the personal data we hold about you (Art. 15);
- Have inaccurate data rectified (Art. 16);
- Have your data erased — the "right to be forgotten" (Art. 17);
- Restrict our processing of your data (Art. 18);
- Receive your data in a portable format (Art. 20);
- Object to processing based on legitimate interest, including direct marketing (Art. 21);
- Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Art. 22) — note that AI-generated recommendations on our platform are advisory and do not produce legal effects;
- Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal;
- Lodge a complaint with your local supervisory authority (in Brazil: ANPD; in the EU: your national DPA; in the UK: the ICO).
We will respond to verified requests within 30 days.
If you are a California resident (CCPA / CPRA)
You have the right to:
- Know what categories and specific pieces of personal information we collect, the sources, the purposes, and the third parties we share them with;
- Delete personal information we hold about you, subject to legal exceptions;
- Correct inaccurate personal information;
- Opt out of the sale or sharing of your personal information — see our Do Not Sell or Share My Personal Information notice;
- Limit the use of sensitive personal information — we currently do not use sensitive PI for any purpose beyond providing the service;
- Non-discrimination — we will not deny service, charge a different price, or provide a lower quality of service because you exercised a CCPA right.
Categories of personal information we collect (CCPA classifications): identifiers (name, email, IP); commercial information (subscription, payment history); internet/network activity (page views, events); inferences (plan, growth-stage segment); professional information (company, role).
Categories we "sell": none. Categories we "share" (as defined by CPRA, for cross-context behavioral advertising): identifiers (hashed email, hashed phone) and internet/network activity (event metadata) are shared with Meta via the Meta Pixel and Conversions API, only when you have given marketing-cookie consent.
If you are in Brazil (LGPD)
You have the right to:
- Access — request a copy of all personal data we hold about you;
- Correction — update or correct inaccurate data via your account settings;
- Deletion — request deletion of your account and associated data;
- Portability — request transfer of your data to another service provider;
- Anonymization, blocking, or elimination of unnecessary, excessive, or unlawfully processed data;
- Information about which public and private entities we share your data with;
- Consent withdrawal — withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- Review of automated decisions affecting your interests;
- Petition to the ANPD against our handling of your data.
10. How to Exercise Your Rights
Email privacy@saasdash.ai from the address associated with your SaasDash account. We may ask you to verify your identity before fulfilling a request — typically by confirming the request from your account email. We respond within 15 business days for LGPD requests and within 30 days for GDPR and CCPA requests. If we cannot meet that timeline, we will tell you why and give an updated estimate.
You can also use our designated agent: an authorized agent acting on your behalf may submit a request to the email above, accompanied by written authorization signed by you.
11. Data Security
- All data in transit is encrypted via HTTPS/TLS;
- Database hosted on Neon PostgreSQL with encryption at rest;
- BYOK API keys encrypted with AES-256-GCM using a dedicated server-side encryption secret;
- Credit card data is handled exclusively by Stripe (PCI DSS Level 1);
- Affiliate visitor IPs are hashed before storage;
- Identifiers sent to Meta (email, phone) are SHA-256 hashed before transmission;
- AI security system detects and logs prompt-injection attempts;
- Audit logs track administrative actions on company data;
- Rate limiting is enforced via Upstash Redis to mitigate abuse.
12. Data Breach Notification
In the event of a personal data breach that creates a risk to the rights and freedoms of data subjects, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (GDPR Art. 33), and the affected individuals as required by the LGPD, the GDPR, and applicable U.S. state breach-notification statutes.
13. Children's Privacy
SaasDash.ai is a business tool designed for SaaS founders and professionals. We do not knowingly collect data from children under 16 (under 13 in the United States). If we learn that we have collected data from a child, we will delete it promptly.
14. Governing Data Protection Law
We process personal data in accordance with the Brazilian LGPD, the EU/UK GDPR for EEA and UK residents, and the CCPA/CPRA for California residents. Where these regimes conflict, the most protective provision applies to your data.
15. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes — such as adding a new category of data we collect or a new sub-processor that handles personal data — we will notify you at least 30 days in advance by email or a prominent in-app notice. The "Last updated" date at the top of this page always reflects the most recent change. Continued use of SaasDash.ai after changes become effective constitutes acceptance of the updated policy.
16. Contact
For privacy-related questions or requests, contact privacy@saasdash.ai. For Terms of Service questions, contact legal@saasdash.ai.