1. Scope, Definitions, and Roles
This Privacy Policy applies to the use of the SenSub software-as-a-service ("Service") provided by SenSub, Inc. ("we," "us," or "our"). We adhere to the principles of the EU General Data Protection Regulation (GDPR).
- Data Controller: The entity that determines the purposes and means of processing personal data. You (the SenSub customer) are the Data Controller for Service Data.
- Data Processor: The entity that processes personal data on behalf of the Controller. SenSub is the Data Processor for Service Data and the Data Controller for User Data.
- User Data: Personal data related to our customers (you, the SaaS founder) who register an account with us.
- Service Data / Customer Data: Personal data related to your customers (subscribers) that is processed through our Service on your behalf.
- End Customers: Individuals who purchase subscriptions to your service through SenSub-generated checkout pages.
💡 Key Distinction
SenSub acts as:
- Data Controller for information about YOU (the SaaS owner)
- Data Processor for information about YOUR CUSTOMERS (End Customers)
This means YOU are responsible for compliance with data protection laws regarding your End Customers' data.
By using our Service, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 User Data (Information you provide to us)
When you register for a SenSub account or use our Service, we collect:
- Account Information: Name, email address, business name, and password (hashed).
- Billing Information: Payment details (e.g., credit card information) are processed by our third-party payment provider (Stripe, etc.) and are not stored on our servers. We only retain a billing token and the last four digits of your card.
- PayPal Credentials: Your PayPal Client ID and Client Secret. These are mandatory to connect your PayPal Business account to our Service.
2.2 Service Data (Information we process for you)
In order to provide the subscription management service, we retrieve and store specific non-financial data from your linked PayPal account:
- Subscriber Data: Customer email address, PayPal Payer ID, and name.
- Subscription Details: Plan ID, subscription status (e.g., Active, Suspended, Cancelled), recurring billing amount, and next billing date.
- Webhook Events: Records of events received from PayPal, such as payment.received, subscription.created, and subscription.cancelled.
⚠️ Financial Data
We do not store full credit card numbers, bank account numbers, or any sensitive payment instruments used by your customers. This information is handled exclusively by PayPal, the payment processor. SenSub only stores data necessary to link and manage the subscription within our dashboard.
2.3 Usage and Technical Data (Collected automatically)
We automatically collect certain information when you visit our website or use our Service:
- Log Data: IP address, browser type, operating system, pages viewed, time spent, and dates/times of access.
- Cookies and Tracking: We use cookies and similar tracking technologies to track activity, authenticate users, and gather usage statistics (e.g., using Google Analytics or a self-hosted alternative).
- API Call Logs: Records of requests made to the SenSub API for security and debugging purposes.
3. How We Use Your Information and Legal Basis
We process Personal Data only when we have a valid legal basis to do so under Article 6 of the GDPR.
3.1 Lawful Basis for Processing User Data (Our relationship with you)
For the collection and use of your Personal Data (User Data), we rely on the following legal bases:
- Contractual Necessity: To fulfill our obligations under the Terms and Conditions, such as providing access to the Service, managing your account, and processing your monthly subscription payments. This applies to Account and Billing Information.
- Legitimate Interests: To improve, maintain, and secure our Service, prevent fraud, debug the system, and analyze usage trends. This applies to Log Data and Usage Data.
- Consent: For sending non-essential marketing communications, which you can withdraw at any time.
3.2 Lawful Basis for Processing Service Data (Your customers' data)
As the Data Processor, we process Service Data solely on your documented instructions and under our contractual relationship with you, the Data Controller. You are responsible for ensuring that you have a lawful basis (e.g., Contractual Necessity, Legitimate Interest, or Consent) to collect and process your customers' data and that this is clearly communicated in your own privacy policy.
3.3 Purposes of Processing
We use the information we collect for the following purposes:
- Service Delivery: To provide, maintain, and improve the SenSub platform
- Account Management: To create and manage your account, authenticate users, and provide customer support
- Billing: To process subscription payments and send invoices
- Communication: To send transactional emails, service updates, and security alerts
- Analytics: To understand how users interact with our Service and improve functionality
- Security: To detect and prevent fraud, abuse, and security incidents
- Legal Compliance: To comply with applicable laws and regulations
4. Sharing, Disclosure, and International Transfers
We do not sell your Personal Data or your customers' data. We may share information only in the following limited circumstances:
- With Sub-Processors: We use third-party companies (e.g., hosting, email delivery, analytics) to facilitate our Service. These parties act as our sub-processors and are bound by contractual Data Processing Agreements (DPAs) ensuring they adhere to GDPR standards.
- For Legal Compliance: We may disclose information if required to do so by law or in response to valid requests by public authorities (e.g., a court order or subpoena).
- Business Transfers: If SenSub, Inc. is involved in a merger, acquisition, or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is subject to a different Privacy Policy.
4.1 International Data Transfers
SenSub, Inc. operates from Morocco, meaning the data you provide (User Data) and the data we process on your behalf (Service Data) may be transferred to, and stored at, a destination outside the European Economic Area (EEA).
ℹ️ Safeguards for International Transfers
Where your data is transferred outside the EEA, we ensure that an adequate level of protection is afforded by implementing appropriate safeguards, such as entering into the Standard Contractual Clauses (SCCs) approved by the European Commission, or by ensuring the recipient country has been deemed to provide an adequate level of protection by the European Commission.
4.2 Sub-Processors
We use the following categories of sub-processors to provide our Service:
- Cloud Hosting: For server infrastructure and data storage
- Payment Processing: For billing and subscription management (your billing, not your customers')
- Email Services: For transactional emails and notifications
- Analytics: For usage tracking and service improvement
We maintain a list of sub-processors and will notify you of any changes. You may request the current list by contacting us at contact@ialae.com.
5. Your Data Controller Responsibilities
As the Data Controller for your customers' data (Service Data), you have specific responsibilities:
- You must ensure that your own privacy policy and terms of service adequately cover your customers' data collected and processed via the SenSub integration and PayPal.
- You are responsible for obtaining any necessary consents or establishing other lawful bases from your customers for the processing of their Personal Data.
- In the event one of your customers exercises a data subject right (e.g., Right to Erasure), you, as the Controller, must instruct SenSub (the Processor) to fulfill that request.
- You must ensure compliance with all applicable data protection laws (GDPR, CCPA, etc.) for your End Customers.
- You are responsible for providing clear notice to your End Customers about data collection and processing.
- You must maintain appropriate technical and organizational security measures for End Customer data.
5.1 Data Processing Agreement (DPA)
Upon request, we will execute a Data Processing Agreement (DPA) with you that complies with GDPR Article 28 requirements. This agreement will detail our obligations as a data processor, including:
- Processing data only according to your documented instructions
- Ensuring confidentiality of data processing
- Implementing appropriate security measures
- Assisting with data subject rights requests
- Assisting with data breach notifications
- Deleting or returning data upon termination
To request a DPA, contact us at contact@ialae.com.
5.2 Your Privacy Policy Requirements
Your privacy policy must inform End Customers about:
- What data you collect and why
- That SenSub processes data on your behalf
- That PayPal processes payments (not SenSub)
- How End Customers can exercise their data rights
- Your data retention periods
- How to contact you with privacy questions
6. Cookies and Tracking Technologies
6.1 What Are Cookies
Cookies are small text files stored on your device when you visit our website. We use cookies to provide, improve, and secure our Service.
6.2 Types of Cookies We Use
- Essential Cookies: Required for the Service to function (e.g., authentication, security). These cannot be disabled.
- Analytics Cookies: Help us understand how users interact with our Service (e.g., Google Analytics or self-hosted alternatives). You can opt out.
- Preference Cookies: Remember your settings and preferences.
6.3 Managing Cookies
You can control cookies through your browser settings. However, disabling certain cookies may limit your ability to use some features of our Service. To opt out of Google Analytics, visit: https://tools.google.com/dlpage/gaoptout
6.4 Do Not Track
Some browsers offer a "Do Not Track" (DNT) signal. We do not currently respond to DNT signals, but we respect your privacy choices and provide opt-out mechanisms for analytics.
7. Data Security, Retention, and Breach Protocol
7.1 Security Measures
We strive to use commercially acceptable means to protect your Personal Data, including technical and organizational measures such as:
- Encryption in Transit: All data transmitted between your browser and our servers uses TLS 1.2+ encryption
- Encryption at Rest: Sensitive credentials (PayPal API keys) are encrypted using AES-256 encryption
- Access Controls: Role-based access controls limit employee access to data on a need-to-know basis
- Authentication: Multi-factor authentication (MFA) available for your account
- Password Security: Passwords are hashed using industry-standard bcrypt with salt
- Infrastructure Security: Regular security patches, firewalls, and intrusion detection systems
- Monitoring: Continuous monitoring for suspicious activity and security threats
- Regular Audits: Periodic security assessments and vulnerability scanning
However, no method of transmission over the Internet or electronic storage is 100% secure. While we implement reasonable security measures, we cannot guarantee absolute security.
7.2 Data Retention
We retain data according to the following policies:
- User Data (Account Information): Retained while your account is active and for 30 days after account deletion, except where legal obligations require longer retention (e.g., tax records for 7 years)
- Service Data (End Customer Information): Retained as long as you maintain an active SenSub account. Upon account deletion, we provide a 30-day grace period for you to export data before permanent deletion
- Billing Records: Retained for 7 years for tax and accounting purposes
- Log Data: Retained for 90 days for security and troubleshooting purposes
- Backup Data: Included in system backups for up to 90 days, then permanently deleted
You may request deletion of your data at any time by contacting us or deleting your account through the dashboard.
7.3 Data Breach Protocol
In the event of a Personal Data breach that is likely to result in a risk to your rights and freedoms, we are committed to:
- Notifying the relevant Supervisory Authority within 72 hours of becoming aware of the breach, where feasible
- Notifying you (the Data Controller) without undue delay
- Communicating the breach to affected individuals if the breach is deemed high-risk
- Providing details about the nature of the breach, affected data, and mitigation steps
- Cooperating with you to fulfill your breach notification obligations to your End Customers
🔒 Our Commitment
We take data security seriously and maintain an incident response plan to quickly detect, contain, and remediate security incidents. We will work with you to minimize the impact of any breach.
8. Your Data Subject Rights (GDPR & CCPA)
If you are a resident of the EEA, you have the following rights regarding the Personal Data we hold about you (User Data). To exercise any of these rights, please contact us using the details in Section 10.
- Right to be Informed: The right to know how your data is processed (which is covered by this policy).
- Right of Access: The right to request and receive a copy of the Personal Data we hold about you.
- Right to Rectification: The right to have inaccurate or incomplete Personal Data corrected or completed.
- Right to Erasure ('Right to be Forgotten'): The right to request that we delete your Personal Data, subject to certain legal obligations.
- Right to Restrict Processing: The right to request that we limit the way we use your Personal Data.
- Right to Data Portability: The right to receive your Personal Data in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where processing is based on consent or contract and is carried out by automated means.
- Right to Object: The right to object to processing based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent: The right to withdraw consent at any time where processing is based on consent.
- Right to Not Be Subject to Automated Decision-Making: The right to not be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you.
8.1 How to Exercise Your Rights
To exercise any of these rights, please contact us at contact@ialae.com with your request. We will respond within:
- 30 days for GDPR requests (extendable by 2 months if complex)
- 45 days for CCPA requests (extendable by 45 days if necessary)
We may request verification of your identity before processing your request to protect your data security.
8.2 No Discrimination
We will not discriminate against you for exercising your privacy rights. You will not be denied service, charged different prices, or provided different quality of service solely because you exercised your rights.
9. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You can request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell (Note: We do not sell personal information)
- Right to Delete: You can request deletion of your personal information, subject to certain exceptions
- Right to Opt-Out: You have the right to opt-out of the "sale" of your personal information (Again, we do not sell personal information)
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
9.1 Categories of Information Collected
In the preceding 12 months, we have collected the following categories of personal information:
- Identifiers: Name, email address, IP address
- Commercial Information: Subscription plan, billing history
- Internet Activity: Browsing behavior, interaction with our Service
- Professional Information: Business name, industry
9.2 No Sale of Personal Information
We do not sell personal information and have not sold personal information in the preceding 12 months. We do not sell the personal information of minors under 16 years of age.
9.3 Authorized Agent
You may designate an authorized agent to make a request on your behalf. The agent must provide written authorization signed by you, and we may require you to verify your identity directly with us.
10. Children's Privacy
Our Service is not intended for use by anyone under the age of 18 ("Children"). We do not knowingly collect personally identifiable information from anyone under 18. If you are a parent or guardian and you are aware that your Children have provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from Children without verification of parental consent, we take steps to remove that information from our servers.
11. Third-Party Services
11.1 PayPal
Our Service integrates with PayPal for payment processing. When your End Customers make payments, they are redirected to PayPal's secure checkout. PayPal's Privacy Policy governs the collection and use of information during the payment process. We recommend reviewing PayPal's Privacy Policy at: https://www.paypal.com/privacy
SenSub does not collect or store full payment card numbers, bank account numbers, or sensitive authentication data. This information is handled exclusively by PayPal.
11.2 Links to Other Websites
Our Service may contain links to third-party websites or services that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We strongly advise you to review the privacy policy of every site you visit.
11.3 Service Providers
We may employ third-party companies and individuals to facilitate our Service ("Service Providers"), provide the Service on our behalf, perform Service-related services, or assist us in analyzing how our Service is used. These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
12. Changes to this Policy
We may update our Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page or via email, typically 30 days prior to the change becoming effective. Your continued use of the Service after the revised Policy has become effective indicates that you have read, understood, and agreed to the current version of the Policy.