Privacy Policy
Last updated: July 9, 2026
Beta notice: saaskaya is currently in closed beta. This policy applies to beta participants and may be updated before the paid public launch.
1. Who Processes Your Data
saaskaya ("we", "the platform") is an AI-assisted website platform. This privacy policy applies to the platform itself, run at saaskaya.com — not to the sites our customers publish. Privacy policies for customer sites are the site owner's responsibility.
2. Personal Data We Process
Account data
- Email address (for sign-in and contact)
- Subscription status (Pro/Premium, billing period end)
- Payment provider customer ID (we never store card details)
- Site keys and ownership relationship
Site content
- The professional description and chat messages you give the AI
- Generated site content (text, image references, theme)
- Messages from your contact form (collected on your own site)
Technical data
- IP address (for abuse prevention and rate-limiting)
- Browser type, session cookie
- System logs (debugging, security events)
3. Purposes of Processing
- Account creation and authentication (magic link)
- AI site generation and chat-driven editing
- Subscription and payment management
- Domain registration and configuration
- Security, abuse prevention, and legal obligations
4. Legal Basis (KVKK Art. 5/2)
- Performance of a contract (subscription, site publishing)
- Legal obligation (invoicing, log retention)
- Legitimate interest (security, abuse prevention)
- Explicit consent (beta invitation, marketing — obtained separately)
5. Data Retention
- Account and site data: for as long as the account is active + 30 days after a deletion request
- Contact-form messages: until the site owner deletes them
- Logs: 90 days
- Backups: 14-day rolling window (deleted data survives in backups for a while)
6. Sharing With Third Parties
- AI providers: your site description and chat messages are sent to DeepSeek/Anthropic for processing (KVKK/GDPR-compliant transfer)
- Creem: handles checkout, tax/invoicing, and payment processing as Merchant of Record/payment facilitator for subscriptions and digital-product payments. Card data is never stored on saaskaya servers.
- Stripe: may be used for payment processing in legacy/transition flows where Stripe is the active payment provider. Card data is never stored on saaskaya servers.
- Cloudflare R2: images you upload
- Resend/SMTP: transactional email (magic link, notifications)
- Domain registrars (Porkbun/NameSilo): WHOIS data for domain registration
Your data is only processed for the purposes listed here; it is not sold to third parties for marketing purposes.
7. Your Rights (KVKK Art. 11)
- Learn whether your data is being processed
- Request information about it if it is
- Learn the purpose of processing and whether it's used accordingly
- Request correction of incomplete/incorrect data
- Request deletion or destruction
- Request that third parties it was shared with are informed
- Object to a result produced solely by automated analysis that is to your detriment
To exercise these rights, email destek@saaskaya.com. Requests are answered within 30 days.
8. Cookies
- Session cookie (sk_session): keeps you signed in, 7 days
- Analytics cookies: none currently (separate consent will be obtained if added)
- Marketing cookies: none
9. Data Security
- Data is stored in a SQLite database on the operator's root-only server
- HTTPS/TLS is enforced (HTTP auto-redirects)
- API keys are stored in plaintext in the DB, but the server is physically protected
- Nightly backups are taken; an off-site copy is optional
10. Children
saaskaya is not directed at people under 18. We do not knowingly process children's data.
11. Changes
This policy may be updated. Significant changes are announced by email. Continued use means acceptance of the updated policy.
12. Contact
Questions and requests: destek@saaskaya.com
Legal review: this text is an operational draft. Professional legal/accounting sign-off for Germany, Turkey, and target sales countries should be obtained before the paid public launch.
