Privacy Policy
Last updated: April 9, 2026
OhMySaaS ("we," "our," or "us") operates the OhMySaaS.com marketplace platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website, create an account, make purchases, or interact with our services. By using OhMySaaS, you consent to the practices described in this policy.
1. Information We Collect
1.1 Information You Provide Directly
- Account Information: Name, email address, password, and optional profile photo when you register.
- Social Login Data: If you sign in via Google OAuth or Google One Tap, we receive your name, email, and profile photo from Google. We do not access your Google password.
- Billing Information: Payment details are processed securely by our payment provider (Stripe). We do not store credit card numbers on our servers.
- Purchase History: Records of products you buy, license codes redeemed, and transaction details.
- Partner Application Data: If you apply to become a partner, we collect your contact details, product information, website URL, digital signature, and application status.
- Identity Verification (KYC): Verification status (approved/declined/pending) and a session reference ID. Your identity documents (ID photos, selfies) are processed by our third-party provider Didit (didit.me) and are not stored on OhMySaaS servers. See Didit's Privacy Policy for details.
- Communications: Messages sent through our contact form, support tickets, or email correspondence.
- Affiliate Information: If you join our affiliate program, we collect payout details and referral tracking data.
- User Preferences: Notification settings, wishlist items, and newsletter subscription choices.
1.2 Information Collected Automatically
- Device & Browser Data: IP address, browser type, operating system, device identifiers, and screen resolution.
- Signup IP Address: We record the IP address used during account registration for fraud prevention and security purposes.
- Usage Data: Pages visited, time spent, click patterns, search queries, and referring URLs.
- Cookies & Similar Technologies: Session cookies, persistent cookies, and tracking pixels. See our Cookie Policy for full details.
- Location Data: Approximate location based on IP address for fraud prevention and currency localization.
2. How We Use Your Information
- Process Transactions: Fulfill orders, deliver license codes, process refunds, and generate invoices.
- Account Management: Create and maintain your account, authenticate logins, and recover passwords.
- Transactional Communications: Order confirmations, receipts, shipping/delivery notifications, and account alerts.
- Marketing (with consent): Weekly deal newsletters, product recommendations, and promotional offers. You can unsubscribe at any time.
- Improve Our Service: Analyze usage patterns, conduct A/B testing, develop new features, and optimize user experience.
- Fraud Prevention: Detect suspicious activity, prevent unauthorized access, and protect against abuse.
- Legal Compliance: Comply with applicable laws, regulations, and legal processes.
- Affiliate Program: Track referrals, calculate commissions, and process affiliate payouts.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), our legal basis for processing personal data includes:
- Contractual Necessity: Processing needed to fulfill our contract with you (e.g., delivering purchased products).
- Legitimate Interest: Improving our services, preventing fraud, and marketing to existing customers.
- Consent: Where you've opted in to marketing emails or non-essential cookies.
- Legal Obligation: Where we must process data to comply with tax, anti-money-laundering, or other laws.
4. Data Sharing & Third Parties
We never sell your personal data. We may share information with:
- Payment Processors: Stripe processes payments on our behalf under their own privacy policy.
- Identity Verification: Didit (didit.me) processes identity verification for partner applications under their own privacy policy. We share only the minimum data necessary to initiate a verification session.
- Authentication Providers: If you sign in with Google, data is exchanged per Google's Privacy Policy.
- Email Services: Transactional and marketing emails may be sent through third-party providers.
- Analytics Providers: Anonymous, aggregated usage data to understand how our platform is used.
- Software Vendors: When you purchase a product, we share your email with the vendor solely to activate your license.
- Legal Requirements: When required by law, court order, or to protect our rights and safety.
- Business Transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred as part of the transaction.
6. Data Security
We implement industry-standard security measures including:
- SSL/TLS encryption for all data transmission
- Bcrypt password hashing - we never store passwords in plaintext
- Regular security audits and vulnerability assessments
- Access controls limiting employee access to personal data
- Secure, encrypted database backups
While we take every reasonable precaution, no method of Internet transmission is 100% secure. We encourage you to use strong, unique passwords and enable any available account security features.
7. Data Retention
- Active Accounts: Data is retained for the lifetime of your account.
- Deleted Accounts: Personal data is erased within 30 days of account deletion.
- Transaction Records: Order and billing records are retained for 7 years for tax and legal compliance.
- Partner Application Data: Retained for the duration of the partnership and 3 years after termination for compliance purposes.
- KYC Verification Status: Verification status is retained for the lifetime of the account. Identity documents are not retained by OhMySaaS (processed and stored by Didit per their retention policy).
- Signup IP Addresses: Retained for the lifetime of the account for security and fraud prevention.
- Support Tickets: Retained for 2 years after resolution.
- Marketing Data: Removed immediately upon unsubscribe request.
8. Your Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Correct any inaccurate or incomplete data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Portability: Receive your data in a structured, machine-readable format.
- Restriction: Request limited processing of your data.
- Objection: Object to processing based on legitimate interest or direct marketing.
- Withdraw Consent: Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, email privacy@ohmysaas.com. We will respond within 30 days.
9. International Data Transfers
Your data may be transferred to and processed in countries other than your own. We ensure adequate protection through Standard Contractual Clauses (SCCs) or other legally approved transfer mechanisms. By using our Service, you consent to the transfer of your data to these jurisdictions.
10. Children's Privacy
OhMySaaS is not directed to individuals under 16. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@ohmysaas.com.
11. Your State Privacy Rights
State consumer privacy laws may provide residents with additional rights regarding our use of their personal information. The following states provide (now or in the future) their residents with rights to:
California (CCPA/CPRA), Colorado, Connecticut, Delaware, Texas, Virginia, and other applicable states:
- Confirm whether we process their personal information.
- Access and delete certain personal information.
- Correct inaccuracies in their personal information.
- Data portability — receive personal data in a structured, machine-readable format.
- Opt out of personal data processing for: targeted advertising, sales of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
How to exercise your rights: Submit a request to privacy@ohmysaas.com. We will verify your identity before processing the request and respond within the timeframe required by applicable law (typically 30–45 days).
Non-discrimination: We will not discriminate against you for exercising any of your privacy rights. We will not deny you goods or services, charge different prices, or provide a different level of service because you exercised your rights.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified via email or a prominent notice on our website. The "Last Updated" date at the top reflects the most recent revision. Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact Us
For any questions or concerns about this Privacy Policy or our data practices:
OhMySaaS, LLC
1111B S Governors Ave, Suite 43066
Dover, DE 19904, United States
Email: privacy@ohmysaas.com
Website: www.ohmysaas.com
Response time: Within 30 business days