Legal

Privacy Policy

This policy explains how SenSub collects, uses, and protects the personal data of our users and their customers.

Last Updated: December 1, 2025

1. Scope, Definitions, and Roles

This Privacy Policy applies to the use of the SenSub software-as-a-service ("Service") provided by SenSub, Inc. ("we," "us," or "our"). We adhere to the principles of the EU General Data Protection Regulation (GDPR).

  • Data Controller: The entity that determines the purposes and means of processing personal data. You (the SenSub customer) are the Data Controller for Service Data.
  • Data Processor: The entity that processes personal data on behalf of the Controller. SenSub is the Data Processor for Service Data and the Data Controller for User Data.
  • User Data: Personal data related to our customers (you, the SaaS founder) who register an account with us.
  • Service Data / Customer Data: Personal data related to your customers (subscribers) that is processed through our Service on your behalf.

By using our Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 User Data (Information you provide to us)

When you register for a SenSub account or use our Service, we collect:

  • Account Information: Name, email address, business name, and password (hashed).
  • Billing Information: Payment details (e.g., credit card information) are processed by our third-party payment provider (Stripe, etc.) and are not stored on our servers. We only retain a billing token and the last four digits of your card.
  • PayPal Credentials: Your PayPal Client ID and Client Secret. These are mandatory to connect your PayPal Business account to our Service.

2.2 Service Data (Information we process for you)

In order to provide the subscription management service, we retrieve and store specific non-financial data from your linked PayPal account:

  • Subscriber Data: Customer email address, PayPal Payer ID, and name.
  • Subscription Details: Plan ID, subscription status (e.g., Active, Suspended, Cancelled), recurring billing amount, and next billing date.
  • Webhook Events: Records of events received from PayPal, such as payment.received, subscription.created, and subscription.cancelled.

⚠️ Financial Data

We do not store full credit card numbers, bank account numbers, or any sensitive payment instruments used by your customers. This information is handled exclusively by PayPal, the payment processor. SenSub only stores data necessary to link and manage the subscription within our dashboard.

2.3 Usage and Technical Data (Collected automatically)

We automatically collect certain information when you visit our website or use our Service:

  • Log Data: IP address, browser type, operating system, pages viewed, time spent, and dates/times of access.
  • Cookies and Tracking: We use cookies and similar tracking technologies to track activity, authenticate users, and gather usage statistics (e.g., using Google Analytics or a self-hosted alternative).
  • API Call Logs: Records of requests made to the SenSub API for security and debugging purposes.

3. How We Use Your Information and Legal Basis

We process Personal Data only when we have a valid legal basis to do so under Article 6 of the GDPR.

3.1 Lawful Basis for Processing User Data (Our relationship with you)

For the collection and use of your Personal Data (User Data), we rely on the following legal bases:

  • Contractual Necessity: To fulfill our obligations under the Terms and Conditions, such as providing access to the Service, managing your account, and processing your monthly subscription payments. This applies to Account and Billing Information.
  • Legitimate Interests: To improve, maintain, and secure our Service, prevent fraud, debug the system, and analyze usage trends. This applies to Log Data and Usage Data.
  • Consent: For sending non-essential marketing communications, which you can withdraw at any time.

3.2 Lawful Basis for Processing Service Data (Your customers' data)

As the Data Processor, we process Service Data solely on the basis of your documented instructions and our contractual relationship with you, the Data Controller. You are responsible for ensuring you have a lawful basis (e.g., Contractual Necessity, Legitimate Interest, or Consent) to collect and process your customers' data and that this is clearly communicated in your own privacy policy.

4. Sharing, Disclosure, and International Transfers

We do not sell your Personal Data or your customers' data. We may share information only in the following limited circumstances:

  • With Sub-Processors: We use third-party companies (e.g., hosting, email delivery, analytics) to facilitate our Service. These parties act as our sub-processors and are bound by contractual Data Processing Agreements (DPAs) ensuring they adhere to GDPR standards.
  • For Legal Compliance: We may disclose information if required to do so by law or in response to valid requests by public authorities (e.g., a court order or subpoena).
  • Business Transfers: If SenSub, Inc. is involved in a merger, acquisition, or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is subject to a different Privacy Policy.

4.1 International Data Transfers

SenSub, Inc. operates from Morocco, meaning the data you provide (User Data) and the data we process on your behalf (Service Data) may be transferred to, and stored at, a destination outside the European Economic Area (EEA).

ℹ️ Safeguards for International Transfers

Where your data is transferred outside the EEA, we ensure that an adequate level of protection is afforded by implementing appropriate safeguards, such as entering into the Standard Contractual Clauses (SCCs) approved by the European Commission, or by ensuring the recipient country has been deemed to provide an adequate level of protection by the European Commission.

5. Your Data Controller Responsibilities

As the Data Controller for your customers' data (Service Data), you have specific responsibilities:

  • You must ensure that your own privacy policy and terms of service adequately cover your customers' data collected and processed via the SenSub integration and PayPal.
  • You are responsible for obtaining any necessary consents or establishing other lawful bases from your customers for the processing of their Personal Data.
  • In the event one of your customers exercises a data subject right (e.g., Right to Erasure), you, as the Controller, must instruct SenSub (the Processor) to fulfill that request.

6. Data Security, Retention, and Breach Protocol

6.1 Security Measures

We strive to use commercially acceptable means to protect your Personal Data, including technical and organizational measures such as:

  • Secure Sockets Layer (SSL/TLS) encryption for all data in transit.
  • Encryption at rest of sensitive credentials (like PayPal API keys) using AES-256.
  • Access control restrictions for employee access to data.

6.2 Data Retention

We retain User Data only for as long as necessary to provide the Service and for essential business purposes. If you delete your account, we will delete or anonymize your data within 30 days, except where retention is required for legal compliance (e.g., financial/billing records).

6.3 Data Breach Protocol

In the event of a Personal Data breach that is likely to result in a risk to your rights and freedoms, we are committed to:

Notifying the relevant Supervisory Authority within 72 hours of becoming aware of the breach, where feasible, and notifying you (the Data Controller) without undue delay. We will also communicate the breach to affected individuals if the breach is deemed high-risk.

7. Your Data Subject Rights (GDPR)

If you are a resident of the EEA, you have the following rights regarding the Personal Data we hold about you (User Data). To exercise any of these rights, please contact us using the details in Section 10.

  • Right to be Informed: The right to know how your data is processed (which is covered by this policy).
  • Right of Access: The right to request and receive a copy of the Personal Data we hold about you.
  • Right to Rectification: The right to have inaccurate or incomplete Personal Data corrected or completed.
  • Right to Erasure ('Right to be Forgotten'): The right to request that we delete your Personal Data, subject to certain legal obligations.
  • Right to Restrict Processing: The right to request that we limit the way we use your Personal Data.
  • Right to Data Portability: The right to receive your Personal Data in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where processing is based on consent or contract and is carried out by automated means.
  • Right to Object: The right to object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: The right to withdraw consent at any time where processing is based on consent.

8. Children's Privacy

Our Service is not intended for use by anyone under the age of 18 ("Children"). We do not knowingly collect personally identifiable information from anyone under 18. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from Children without verification of parental consent, we take steps to remove that information from our servers.

9. Changes to this Policy

We may update our Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page or via email, typically 30 days prior to the change becoming effective. Your continued use of the Service after the revised Policy has become effective indicates that you have read, understood, and agreed to the current version of the Policy.

📧 Contact Information and Supervisory Authority

If you have questions about this Privacy Policy, wish to exercise your data rights, or need assistance, please contact us:

Data Protection Contact: contact@ialae.com
Address: Route Tétouan, 140 ET2, N6. Tangier, Morocco

Right to Lodge a Complaint: If you are a resident of the European Economic Area (EEA) and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.