Privacy Policy
Table of Contents
- Scope & Applicability
- Information We Collect
- How We Use Your Information
- Legal Basis for Processing (GDPR)
- AI Data Processing & Third-Party Providers
- Data Sharing & Disclosure
- Multi-Tenant Data Isolation
- Reseller & White-Label Data Flows
- Data Retention
- Security Measures
- Your Privacy Rights
- California Privacy Rights (CCPA/CPRA)
- International Data Transfers
- Cookies & Tracking Technologies
- Children's Privacy
- Changes to This Policy
- Contact Information
1. Scope & Applicability
This Privacy Policy applies to all users of the CaaSaaS platform ("Platform"), accessible at app.caasaas.ai, the marketing website at www.caasaas.ai, and all related APIs and services. It applies to Direct Customers, Resellers, Reseller Clients, and visitors to our website.
For the purposes of GDPR, CaaSaaS acts as a data processor when processing Customer Data on your behalf, and as a data controller for account information, billing data, and website analytics.
If you access CaaSaaS through a Reseller's white-label deployment, the Reseller is the data controller for your Customer Data, and CaaSaaS acts as a sub-processor. You should review your Reseller's privacy policy in addition to this one.
2. Information We Collect
2.1 Account Information
When you register for an account, we collect:
- Organization name, contact name, and email address
- Billing information (processed through our payment provider; we do not store full payment card numbers)
- Plan selection and subscription details
- Account hierarchy information (parent reseller, if applicable)
2.2 Customer Data (Data You Provide)
Through your use of the Platform, you may upload or create:
- Brand profiles, guidelines, logos, and assets
- Content (blog posts, social media content, email campaigns, documents)
- Contact and CRM records
- AI visibility prompts, citation data, and monitoring configurations
- Knowledge base documents and RAG data
- Support tickets and communications
- WordPress site credentials and social media account tokens
2.3 Usage Data (Data We Generate)
We automatically collect:
- Tool execution logs (tool name, timestamp, customer ID, input parameters with sensitive fields excluded, execution time, cost attribution)
- API key usage patterns and rate limit metrics
- AI provider usage (provider, model, token counts, costs)
- Authentication events (login attempts, key rotations, access denials)
- Error logs and performance metrics
2.4 Website Visitor Data
When you visit www.caasaas.ai, we may collect:
- IP address, browser type, operating system, and device information
- Pages visited, time spent, and referral source
- Cookies and similar identifiers (see Section 14)
3. How We Use Your Information
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Provide Platform services (tool execution, content generation, analytics) | Customer Data, Account Info | Contract performance |
| Process payments and manage subscriptions | Account Info, Billing Data | Contract performance |
| Enforce quotas, rate limits, and package access | Usage Data, Account Info | Contract performance |
| Maintain audit trails for compliance (SOC 2, ISO 27001) | Usage Data, Authentication Logs | Legitimate interest, Legal obligation |
| Detect and prevent fraud, abuse, and security threats | Usage Data, Authentication Logs, IP Addresses | Legitimate interest |
| Send service notifications (outages, billing, security alerts) | Account Info (email) | Contract performance |
| Improve Platform performance and reliability | Aggregated/anonymized Usage Data | Legitimate interest |
| Respond to support requests | Account Info, relevant Customer Data | Contract performance |
We do not:
- Sell your personal information or Customer Data to third parties
- Use your Customer Data to train AI models
- Use your Customer Data for advertising or marketing to third parties
- Share your data with other tenants on the Platform
4. Legal Basis for Processing (GDPR)
For individuals in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data under the following legal bases:
- Contract Performance: Processing necessary to provide the Platform services you have subscribed to.
- Legitimate Interest: Processing necessary for security, fraud prevention, platform improvement, and compliance monitoring, balanced against your privacy rights.
- Legal Obligation: Processing required by applicable law, such as tax reporting, audit requirements, or response to lawful government requests.
- Consent: Where required, such as for marketing communications. You may withdraw consent at any time.
5. AI Data Processing & Third-Party Providers
5.1 How AI Processing Works
When you use AI-powered tools on the Platform, your input data (prompts, content, brand profiles) may be sent to third-party AI providers for processing. The AI provider generates a response, which CaaSaaS returns to you. CaaSaaS stores the result in your tenant-scoped data space.
5.2 AI Provider Data Practices
| Provider | Data Sent | Training on Inputs | Data Retention by Provider |
|---|---|---|---|
| OpenAI | Prompts, context text | No (API data not used for training) | Up to 30 days for abuse monitoring |
| Anthropic (Claude) | Prompts, context text | No (API data not used for training) | Up to 30 days for trust & safety |
| Google (Gemini) | Prompts, context text | No (API data not used for training) | Per Google Cloud data processing terms |
| xAI (Grok) | Prompts, context text, images | Per xAI API terms | Per xAI data processing terms |
| Perplexity | Prompts, context text | Per Perplexity API terms | Per Perplexity data processing terms |
CaaSaaS selects AI providers whose API terms prohibit use of inputs for model training. Provider terms can change, however, and for providers listed above only as "per the provider's terms" you should consult that provider's current data processing terms directly if this matters for your use case. We will update this table as provider terms evolve.
5.3 What We Do Not Send to AI Providers
CaaSaaS does not send your API keys, billing information, CRM contact records, authentication credentials, or other non-content data to AI providers. Only the specific input required for the tool execution is transmitted. Note that any personal data you place inside that input (for example, a contact's name in an email draft or a prompt) is transmitted as part of it.
6. Data Sharing & Disclosure
CaaSaaS may share your information in the following limited circumstances:
- AI Providers: Input data sent for AI tool execution as described in Section 5.
- Sub-Processors: Service providers that assist in delivering the Platform (e.g., email delivery via SendGrid, infrastructure providers). Sub-processors are contractually bound to data protection obligations.
- Your Reseller: If you are a Reseller's Client, your Reseller may access your Customer Data as part of their service delivery.
- Legal Requirements: When required by law, subpoena, court order, or to protect the rights, safety, or property of CaaSaaS, our customers, or the public.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you before your data becomes subject to a different privacy policy.
We never sell your personal information or Customer Data.
7. Multi-Tenant Data Isolation
CaaSaaS operates a multi-tenant platform where multiple customers share the same infrastructure. We implement strict data isolation through:
- Customer-Scoped Queries: Every database query carries a predicate on the authenticated customer's identifier, so normal API operations cannot return another tenant's records.
- API Key Authentication: All requests require a valid API key that maps to a specific customer. The customer identity is derived server-side from the key, not from client-provided headers.
- Hierarchical Access Control: Resellers can only see their own Clients. Direct Customers cannot see other Customers. Platform-owner-only operations are restricted by role.
- Separate Collections: Where appropriate, data is stored in customer-scoped collections or partitions.
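The following is an added illustration of the isolation model described above (server-side identity derived from the API key, customer-scoped queries, hierarchical access). It is example code written for this page, not CaaSaaS's own implementation; the SQLite schema, table and column names, the `X-Customer-Id` header and the helper names are assumptions.

```python
"""Tenant isolation sketch: identity comes from the key hash, every query is scoped.
Example code for this page, not the Platform's implementation (schema assumed)."""
import hashlib
import secrets
import sqlite3
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Principal:
    customer_id: str
    role: str                  # assumed roles: platform_owner, reseller, customer
    parent_id: Optional[str]   # owning reseller, if any


def setup_db() -> sqlite3.Connection:
    """Constructed sample schema (assumption): customers, hashed keys, content."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers (id TEXT PRIMARY KEY, role TEXT NOT NULL, parent_id TEXT);
        CREATE TABLE api_keys (key_hash TEXT PRIMARY KEY, customer_id TEXT NOT NULL);
        CREATE TABLE content (id INTEGER PRIMARY KEY, customer_id TEXT NOT NULL, title TEXT);
    """)
    return db


def hash_key(api_key: str) -> str:
    # Only this digest is stored. Plain SHA-256 (no slow KDF) is acceptable here
    # only because keys are long random secrets, not user-chosen passwords.
    return hashlib.sha256(api_key.encode()).hexdigest()


def issue_key(db: sqlite3.Connection, customer_id: str) -> str:
    api_key = "caas_" + secrets.token_urlsafe(32)   # returned to the caller once
    db.execute("INSERT INTO api_keys VALUES (?, ?)", (hash_key(api_key), customer_id))
    return api_key


def authenticate(db: sqlite3.Connection, api_key: str, headers: Dict[str, str]) -> Principal:
    """Resolve the tenant from the key hash; client headers are deliberately ignored."""
    row = db.execute(
        "SELECT c.id, c.role, c.parent_id FROM api_keys k "
        "JOIN customers c ON c.id = k.customer_id WHERE k.key_hash = ?",
        (hash_key(api_key),),
    ).fetchone()
    if row is None:
        raise PermissionError("invalid API key")
    _ = headers.get("X-Customer-Id")   # present or not, it never influences identity
    return Principal(*row)


def can_access(db: sqlite3.Connection, actor: Principal, target: str) -> bool:
    """Customers see only themselves; resellers also their direct clients; owner sees all."""
    if actor.role == "platform_owner" or actor.customer_id == target:
        return True
    if actor.role == "reseller":
        row = db.execute("SELECT parent_id FROM customers WHERE id = ?", (target,)).fetchone()
        return row is not None and row[0] == actor.customer_id
    return False


def list_content(db: sqlite3.Connection, actor: Principal, customer_id: Optional[str] = None) -> List[str]:
    """The customer_id predicate is always derived from the authenticated principal."""
    target = customer_id or actor.customer_id
    if not can_access(db, actor, target):
        raise PermissionError(f"{actor.customer_id} may not read {target}")
    rows = db.execute("SELECT title FROM content WHERE customer_id = ? ORDER BY id", (target,))
    return [r[0] for r in rows.fetchall()]


def demo() -> dict:
    db = setup_db()
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        ("owner", "platform_owner", None), ("resellerA", "reseller", None),
        ("clientA1", "customer", "resellerA"), ("direct1", "customer", None)])
    db.executemany("INSERT INTO content (customer_id, title) VALUES (?, ?)",
                   [("clientA1", "A1 blog post"), ("direct1", "Direct launch email")])
    keys = {cid: issue_key(db, cid) for cid in ("resellerA", "clientA1", "direct1")}
    out = {}
    # A direct customer forging X-Customer-Id still resolves to its own tenant.
    p = authenticate(db, keys["direct1"], {"X-Customer-Id": "clientA1"})
    out["direct_sees"] = list_content(db, p)
    try:
        list_content(db, p, "clientA1"); out["direct_cross"] = "allowed"
    except PermissionError:
        out["direct_cross"] = "denied"
    r = authenticate(db, keys["resellerA"], {})
    out["reseller_sees_client"] = list_content(db, r, "clientA1")
    try:
        list_content(db, r, "direct1"); out["reseller_cross"] = "allowed"
    except PermissionError:
        out["reseller_cross"] = "denied"
    try:
        authenticate(db, "caas_not-a-real-key", {}); out["bad_key"] = "accepted"
    except PermissionError:
        out["bad_key"] = "rejected"
    stored = str(db.execute("SELECT key_hash FROM api_keys").fetchall())
    out["plaintext_in_db"] = any(k in stored for k in keys.values())
    return out


if __name__ == "__main__":
    print(demo())
```

The point to take from `authenticate` is that the tenant identifier is a join result keyed on the hash of the presented secret; a client-controlled header is read only to show that it is discarded. `list_content` then refuses to build a query at all unless the hierarchy check passes, so a missing `WHERE customer_id = ?` cannot silently widen the result set.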
8. Reseller & White-Label Data Flows
When you use CaaSaaS through a Reseller:
- The Reseller is the data controller for your Customer Data
- CaaSaaS acts as a sub-processor under the Reseller's instructions
- Your Reseller determines what data is collected and how it is used
- You should review your Reseller's privacy policy for details specific to their service
CaaSaaS provides Resellers with tools to manage Client data, including the ability to export and delete Client data in compliance with privacy regulations. CaaSaaS does not independently contact a Reseller's Clients for marketing purposes.
9. Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Customer Data (content, brands, contacts) | Duration of subscription + 30 days | Contract performance; data export window |
| Account Information | Duration of subscription + 90 days | Contract performance; dispute resolution |
| Tool Execution Audit Logs | 12 months (configurable for Enterprise) | SOC 2/ISO 27001 compliance |
| AI Usage Logs (provider, model, cost) | 12 months | Billing reconciliation; compliance |
| Authentication & Security Logs | 12 months | Security monitoring; compliance |
| Billing Records | 7 years | Tax and financial reporting obligations |
| Website Analytics | 26 months | Legitimate interest (anonymized after 14 months) |
You may request earlier deletion of your Customer Data at any time (see Section 11). Deletion removes data across all databases (PostgreSQL, MongoDB, Redis) and is irreversible. Copies of input data already transmitted to AI providers are governed by the provider retention periods described in Section 5, not by this schedule.
10. Security Measures
CaaSaaS implements security controls aligned with SOC 2 Type II and ISO 27001 standards:
- Encryption in Transit: All data transmitted between your systems and CaaSaaS is encrypted using TLS 1.2 or higher.
- Encryption at Rest: Customer Data stored in our databases is encrypted at rest.
- API Key Security: API keys are hashed using SHA-256 before storage; only the hash is kept, so a key cannot be recovered from our systems after issuance. A lost key must be rotated rather than retrieved.
- Access Control: Role-based access control (RBAC) with hierarchical enforcement ensures users can only access data appropriate to their role and tenant.
- Audit Logging: Every tool execution, authentication event, and administrative action is logged with immutable audit trails.
- Rate Limiting: Sliding window rate limiting protects against abuse and denial-of-service attempts.
- Infrastructure: The Platform runs on dedicated infrastructure with network-level isolation between components. Inter-server communication is encrypted via WireGuard VPN tunneling.
- Incident Response: CaaSaaS maintains an incident response plan. In the event of a data breach affecting your personal data, we will notify you without undue delay and in any case within 72 hours of becoming aware of the breach, consistent with GDPR notification timelines, or sooner where other applicable law requires.
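As an added example of the sliding window rate limiting named in the list above (example code written for this page, not the Platform's implementation; the limit of 5 requests per 60 seconds, the injectable clock and the in-memory store are assumptions), the block below shows why a sliding window log is preferred over a fixed window: a burst that straddles a window boundary cannot obtain twice the quota.

```python
"""Sliding window log rate limiter keyed by tenant.
Example code for this page, not the Platform's implementation."""
import time
from collections import deque
from typing import Callable, Deque, Dict


class SlidingWindowLimiter:
    """Keeps the timestamp of every accepted request per customer and refuses a
    request when the trailing `window` seconds already contain `limit` of them."""

    def __init__(self, limit: int, window: float,
                 clock: Callable[[], float] = time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock              # injectable so the demo is deterministic
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, customer_id: str) -> bool:
        now = self.clock()
        hits = self._hits.setdefault(customer_id, deque())
        while hits and now - hits[0] >= self.window:   # expire old entries
            hits.popleft()
        if len(hits) >= self.limit:
            return False                # rejected requests are not recorded
        hits.append(now)
        return True

    def retry_after(self, customer_id: str) -> float:
        """Seconds until the oldest in-window hit expires and a slot frees up."""
        hits = self._hits.get(customer_id)
        if not hits or len(hits) < self.limit:
            return 0.0
        return max(0.0, self.window - (self.clock() - hits[0]))


class FakeClock:
    """Constructed clock for the demo (assumption, replaces time.monotonic)."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    clock = FakeClock()
    limiter = SlidingWindowLimiter(limit=5, window=60.0, clock=clock)
    out = {}
    for _ in range(5):                  # tenant A: hits at t = 0,1,2,3,4
        limiter.allow("tenantA")
        clock.advance(1)
    out["sixth"] = limiter.allow("tenantA")            # t = 5: over quota
    out["retry_after"] = limiter.retry_after("tenantA")  # oldest hit at 0 -> 55 s
    out["other_tenant"] = limiter.allow("tenantB")     # separate bucket
    clock.advance(55)                   # t = 60: only the t = 0 hit has aged out
    out["after_expiry"] = limiter.allow("tenantA")     # one slot freed
    out["still_capped"] = limiter.allow("tenantA")     # a fixed window would reset all 5
    return out


if __name__ == "__main__":
    print(demo())
```

The limiter is keyed by the customer identifier the server derived from the API key, so one tenant's burst cannot consume another's quota. For a horizontally scaled deployment the per-tenant deque would live in a shared store such as Redis rather than process memory, but the window arithmetic is the same.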
11. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data. CaaSaaS processes erasure requests through our GDPR-compliant deletion tools, which remove data across all storage systems.
- Right to Restrict Processing: Request that we limit how we process your data in certain circumstances.
- Right to Data Portability: Receive your data in a structured, machine-readable format (JSON, CSV).
- Right to Object: Object to processing based on legitimate interests.
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: File a complaint with your local data protection authority.
To exercise any of these rights, contact us at privacy@caasaas.ai. We will respond within 30 days (or sooner if required by applicable law). We may verify your identity before processing requests.
12. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out of Sale: CaaSaaS does not sell personal information. No opt-out is necessary.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Limit Use of Sensitive Information: You may limit the use of sensitive personal information to purposes necessary for providing the services.
Categories of personal information collected in the preceding 12 months:
| Category | Examples | Sold? | Shared for Ads? |
|---|---|---|---|
| Identifiers | Name, email, customer ID, API keys (hashed) | No | No |
| Commercial Information | Subscription plan, billing history, tool usage | No | No |
| Internet Activity | API call logs, pages visited on www.caasaas.ai | No | No |
| Professional Information | Organization name, role/title | No | No |
To submit a CCPA/CPRA request, email privacy@caasaas.ai with the subject "CCPA Request."
13. International Data Transfers
CaaSaaS operates infrastructure in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States. We implement appropriate safeguards for international data transfers, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission, where required
- Data Processing Agreements (DPAs) with sub-processors that include adequate transfer mechanisms
- Technical and organizational measures to protect data regardless of processing location
Enterprise and Reseller Customers may request a DPA that includes Standard Contractual Clauses. Contact legal@caasaas.ai.
14. Cookies & Tracking Technologies
14.1 Marketing Website (www.caasaas.ai)
Our marketing website uses the following types of cookies:
- Strictly Necessary: Required for the website to function (session management, security). Cannot be disabled.
- Analytics: Help us understand how visitors interact with the website (e.g., pages visited, time on site). Data is anonymized.
We do not use advertising cookies or cross-site tracking pixels on our marketing website.
14.2 Platform Application (app.caasaas.ai)
The Platform application uses strictly necessary cookies for session management and authentication. No third-party analytics or advertising cookies are used within the application.
14.3 Managing Cookies
You can control cookies through your browser settings. Disabling strictly necessary cookies may prevent the Platform from functioning correctly.
15. Children's Privacy
CaaSaaS is a business-to-business platform not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete it promptly. If you believe a child has provided personal information to CaaSaaS, contact us at privacy@caasaas.ai.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by email or through a prominent notice on the Platform at least 30 days before the changes take effect. The "Last Updated" date at the top of this policy indicates when it was most recently revised.
Your continued use of the Platform after changes become effective constitutes acceptance of the revised policy.
17. Contact Information
For privacy-related questions, requests, or complaints:
CaaSaaS — Privacy Team
Email: privacy@caasaas.ai
Legal: legal@caasaas.ai
Support: support@caasaas.ai
Website: www.caasaas.ai
For EU/EEA data protection inquiries, you may also contact your local supervisory authority.