Privacy Policy

Effective Date: October 16, 2025
Last Updated: October 16, 2025

1. Introduction

Saasama ("we," "us," "our," or "Company") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, process, store, share, and protect your data when you use the SaaSaMa web application and related services (collectively, the "Service").

This Privacy Policy applies to all users of our Service and complies with applicable data protection laws, including the General Data Protection Regulation (GDPR), Turkish Personal Data Protection Law (KVKK), California Consumer Privacy Act (CCPA), and other relevant privacy regulations.

By using our Service, you acknowledge that you have read and understood this Privacy Policy.

2. Controller and Processor Roles

2.1 Saasama as Data Controller

When you register for an account, use our Service, or interact with our website, SaaSaMa acts as a data controller for the personal information we collect directly from you. We determine the purposes and means of processing this data.

2.2 Saasama as Data Processor

When our customers use the Service to collect, manage, and analyze marketing data through third-party platform integrations (such as Meta API, LinkedIn API), SaaSaMa acts as a data processor. In these cases, our customers act as data controllers and are responsible for the lawfulness of data processing, obtaining necessary consents, and ensuring compliance with applicable privacy laws.

3. Information We Collect

We collect various types of information to provide and improve our Service:

3.1 Information You Provide Directly

Account Information:

• Name, email address, company name, job title

• Password (encrypted and securely stored)

• Billing information and payment details

• Contact information (phone number, business address)

• Communication preferences

Support and Communication Data:

• Information you provide when contacting customer support

• Feedback, survey responses, and testimonials

• Messages sent through our chat system or email

3.2 Information Collected Through Third-Party API Integrations

When you connect your third-party marketing accounts to our Service, we access and process data from these platforms according to your authorization:

Meta (Facebook/Instagram) API:

• Account information, page data, and business asset details

• Campaign metrics, ad performance data, audience insights

• Engagement statistics and conversion data

LinkedIn API:

• Company page information and follower demographics

• Campaign performance metrics and engagement data

• Lead generation data and conversion statistics

Future Integrations: Additional marketing platforms may be integrated as we expand our Service. We will update this policy accordingly and notify you of significant changes.

Important: We only access data that you explicitly authorize through OAuth authentication flows. You can disconnect any integration at any time through your account settings.

3.3 Automatically Collected Information

Usage Data:

• Pages visited, features accessed, time spent on the Service

• Click patterns, navigation paths, and feature usage frequency

• Session duration, access times, and interaction patterns

Device and Technical Information:

• IP address, browser type and version, operating system

• Device identifiers, screen resolution, language preferences

• Referral URLs, exit pages

Log Data:

• Server logs including timestamps, error messages

• API request logs, authentication attempts

• System performance metrics

3.4 Information from Analytics and Marketing Tools

We use various third-party tools to analyze user behavior and improve our Service:

Analytics Tools:

• Google Analytics: Website and app usage statistics, user demographics, behavior flow

• Mixpanel: Product analytics, feature usage, user journey tracking, A/B testing results

• Dreamdata: Revenue attribution, marketing performance tracking, customer journey analysis

Marketing and Tracking Tools:

• Meta Pixel: Website visitor tracking, conversion tracking, retargeting

• RB2B: Website visitor identification, company-level tracking

• HubSpot: CRM data, marketing automation, email engagement tracking, form submissions

• Google Tag Manager: Tag management and tracking code deployment

These tools may use cookies and similar technologies as described in Section 9.

4. How We Use Your Information

We process your personal data for the following purposes:

4.1 Service Delivery

• Create and manage your account

• Provide access to the Service and its features

• Process API connections and data synchronization

• Facilitate data analysis and reporting

• Enable team collaboration features

4.2 Service Improvement and Development

• Analyze usage patterns to improve user experience

• Develop new features and functionality

• Conduct A/B testing and product experimentation

• Troubleshoot technical issues and optimize performance

• Train and improve our AI and machine learning models for service enhancement

4.3 Communication

• Send transactional emails (account notifications, password resets, security alerts)

• Provide customer support and respond to inquiries

• Send product updates, feature announcements, and service-related information

• Request feedback and conduct user research

4.4 Marketing and Personalization

• Send marketing communications about our products and services (with your consent where required)

• Personalize your experience based on usage patterns

• Conduct targeted advertising campaigns

• Measure marketing campaign effectiveness

4.5 Security and Fraud Prevention

• Detect, prevent, and investigate fraudulent or unauthorized activities

• Protect the security and integrity of our Service

• Monitor for suspicious behavior and security threats

• Enforce our Terms of Service and other policies

4.6 Legal and Compliance

• Comply with legal obligations and regulatory requirements

• Respond to lawful requests from authorities

• Resolve disputes and enforce agreements

• Maintain records for audit and compliance purposes

4.7 Legal Basis for Processing (GDPR/KVKK)

We process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide the Service you requested

• Legitimate Interests: Our legitimate business interests (analytics, security, service improvement) that don't override your privacy rights

• Consent: Your explicit consent for marketing communications and certain data processing activities

• Legal Obligation: Compliance with applicable laws and regulations

5. Data Sharing and Disclosure

We do not sell your personal information. We may share your data in the following circumstances:

5.1 Third-Party Service Providers

We share data with trusted service providers who assist us in operating our Service:

Infrastructure and Hosting:

• Cloud hosting providers for data storage and processing

• Database management services

• Content delivery networks (CDNs)

Analytics and Product Development:

• Google Analytics, Mixpanel for usage analytics

• Dreamdata for revenue attribution and marketing analytics

• Error tracking and monitoring services

Marketing and Communication:

• HubSpot for CRM and marketing automation

• Email service providers

• Meta, LinkedIn for advertising and retargeting

• RB2B for visitor identification

Payment Processing:

• Payment processors for secure transaction handling

• Billing and subscription management services

Security and Compliance:

• Security monitoring and threat detection services

• Compliance management tools

All service providers are contractually bound to protect your data, process it only for specified purposes, and comply with applicable data protection laws through Data Processing Agreements (DPAs).

5.2 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our Service before your data is transferred and becomes subject to a different privacy policy.

5.3 Legal Requirements and Protection

We may disclose your information when required by law or when we believe in good faith that such disclosure is necessary to:

• Comply with legal obligations, court orders, or government requests

• Enforce our Terms of Service and other agreements

• Protect the rights, property, or safety of SaaSaMa, our users, or the public

• Detect, prevent, or investigate fraud, security breaches, or illegal activities

5.4 With Your Consent

We may share your information for purposes not described in this policy with your explicit consent.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law.

6.1 Retention Periods

Account Data: Retained while your account is active and for up to 90 days after account deletion for recovery purposes

API Integration Data: Retained according to your subscription plan and integration settings, typically refreshed regularly from source platforms

Usage and Analytics Data: Retained for 12-24 months for analysis and service improvement

Log Files: Retained for 90 days for security and troubleshooting purposes

Marketing Communications Data: Retained until you unsubscribe or withdraw consent

Financial Records: Retained for 7 years to comply with tax and accounting regulations

Legal and Compliance Records: Retained as required by applicable laws and regulations

6.2 Data Deletion

When retention periods expire or when you request deletion, we will:

• Permanently delete or anonymize your personal data

• Remove data from active systems and backups according to our backup schedule

• Ensure secure and irreversible deletion using industry-standard methods

7. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

7.1 Access and Portability

• Request access to your personal data

• Receive a copy of your data in a structured, commonly used format

• Transfer your data to another service provider (data portability)

7.2 Correction and Update

• Correct inaccurate or incomplete personal information

• Update your account information at any time through your account settings

7.3 Deletion and Erasure

• Request deletion of your personal data ("right to be forgotten")

• Delete your account and associated data through account settings or by contacting us

7.4 Restriction and Objection

• Restrict or object to certain processing activities

• Opt out of marketing communications

• Object to automated decision-making and profiling

7.5 Withdraw Consent

• Withdraw consent for data processing at any time (where consent is the legal basis)

• Disconnect third-party integrations and revoke API access

7.6 Managing Third-Party Integrations

Disconnecting Integrations: You can disconnect any third-party platform integration (Meta, LinkedIn, etc.) at any time through your account settings. When you disconnect an integration:

• We will immediately stop accessing new data from that platform

• You can choose to delete all previously synced data from that integration

• The disconnection is effective immediately

API Access Revocation: You can also revoke API access directly through the third-party platform's settings:

• Meta: Business Settings > Data Sources > Datasets

• LinkedIn: Settings > Account Preferences > Permitted Services

• Other platforms: Refer to their respective documentation

Data Deletion After Disconnection: Upon disconnection, you have three options:

1. Keep historical data for reporting purposes

2. Delete all data from the integration immediately

3. Schedule automatic deletion after a specified period

7.7 Exercising Your Rights

To exercise any of these rights, you can:

• Access your account settings for most data management tasks

• Email us at: kursat@saasama.com

We will respond to your request within 30 days (GDPR/KVKK) or as required by applicable law. We may need to verify your identity before processing certain requests.

7.8 Right to Lodge a Complaint

If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with a supervisory authority:

• EU/EEA: Your local Data Protection Authority

• Turkey: Kişisel Verileri Koruma Kurumu (KVKK)

• UK: Information Commissioner's Office (ICO)

• California: California Privacy Protection Agency

8. Data Security

We implement industry-standard security measures to protect your personal information:

8.1 Technical Measures

• Encryption: All data in transit is encrypted using TLS 1.3 or higher; data at rest is encrypted using AES-256

• Access Controls: Role-based access control (RBAC) and multi-factor authentication (MFA)

• Secure Infrastructure: Hosting on certified cloud platforms with SOC 2 compliance

• Network Security: Firewalls, intrusion detection systems, and DDoS protection

• Regular Security Audits: Penetration testing and vulnerability assessments

8.2 Organizational Measures

• Data protection policies and procedures

• Employee training on data privacy and security

• Confidentiality agreements with all personnel

• Incident response and data breach notification procedures

• Regular security awareness training

8.3 Third-Party Security

• All third-party service providers undergo security assessments

• Data Processing Agreements (DPAs) with security obligations

• Regular vendor security reviews and audits

8.4 Limitations

While we strive to protect your data, no security system is impenetrable. You are responsible for maintaining the confidentiality of your account credentials and should notify us immediately of any unauthorized access.

9. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience and analyze Service usage.

9.1 Types of Cookies We Use

Strictly Necessary Cookies:

• Essential for Service functionality

• Authentication and session management

• Security and fraud prevention

Performance and Analytics Cookies:

• Google Analytics: Usage statistics, page performance

• Mixpanel: Feature usage, user behavior analysis

• Dreamdata: Marketing attribution, conversion tracking

Functional Cookies:

• User preferences and settings

• Language selection

• Remember me functionality

Marketing and Advertising Cookies:

• Meta Pixel: Conversion tracking, retargeting

• HubSpot: Marketing automation, lead tracking

• RB2B: Visitor identification

• LinkedIn Insight Tag: Campaign performance

9.2 Managing Cookies

You can control cookies through:

• Browser Settings: Configure your browser to refuse cookies or alert you when cookies are being sent

• Cookie Consent Manager: Manage your preferences through our cookie consent banner

• Opt-Out Tools:

  • Google Analytics: Google Analytics Opt-out

  • Industry Opt-Outs: Digital Advertising Alliance, Network Advertising Initiative

Note: Disabling certain cookies may affect Service functionality.

9.3 Do Not Track Signals

We currently do not respond to Do Not Track (DNT) browser signals, but we respect Global Privacy Control (GPC) signals where applicable.

10. International Data Transfers

SaaSaMa operates globally, and your data may be transferred to and processed in countries other than your country of residence.

10.1 Data Transfer Mechanisms

When transferring personal data from the EU/EEA, UK, or Switzerland to countries without adequate data protection levels, we rely on:

• Standard Contractual Clauses (SCCs): EU Commission-approved contracts

• UK Addendum: For transfers from the UK

• Swiss-US Data Privacy Framework

• Adequacy Decisions: Transfers to countries deemed adequate by relevant authorities

10.2 Additional Safeguards

• Encryption of data in transit and at rest

• Access controls and authentication measures

• Regular security assessments of data recipients

• Contractual obligations ensuring equivalent protection

11. Children's Privacy

Our Service is not intended for individuals under the age of 18 (or the minimum legal age in your jurisdiction). We do not knowingly collect personal information from children.

If we become aware that we have collected personal data from a child without parental consent, we will take immediate steps to delete such information. If you believe we have collected information from a child, please contact us at kursat@saasama.com.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

12.1 Notification of Changes

• Material Changes: We will notify you via email and/or prominent notice on the Service at least 30 days before the changes take effect

• Minor Changes: Updates will be posted on this page with a revised "Last Updated" date

• Continued Use: Your continued use of the Service after changes become effective constitutes acceptance of the updated policy

12.2 Version History

We maintain a version history of this policy, available upon request.

13. Regional Privacy Information

13.1 For European Union/EEA Residents (GDPR)

Data Controller: Saasama,

Legal Basis: As described in Section 4.7

Your Rights: As described in Section 7, including rights to access, rectification, erasure, restriction, data portability, and objection

Automated Decision-Making: We do not use automated decision-making or profiling that produces legal or similarly significant effects

Supervisory Authority: You may lodge a complaint with your local data protection authority

13.2 For Turkey Residents (KVKK)

Data Controller: Saasama, Istanbul, Turkey

Your Rights: Under KVKK Article 11, you have rights to access, correction, deletion, objection, and data portability

Contact: For KVKK-related requests: kursat@saasama.com

Authority: Kişisel Verileri Koruma Kurumu (www.kvkk.gov.tr)

13.3 For California Residents (CCPA/CPRA)

Right to Know: You may request disclosure of personal information collected, sold, or shared

Right to Delete: You may request deletion of personal information

Right to Opt-Out: You may opt out of "sale" or "sharing" of personal information

Right to Correct: You may request correction of inaccurate information

Right to Limit: You may limit use of sensitive personal information

Non-Discrimination: We will not discriminate against you for exercising your rights

Data Sales: We do not sell personal information in the traditional sense, but sharing data with advertising partners may be considered a "sale" under CCPA

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: kursat@saasama.com

Mailing Address:
Saasama
Istanbul, Turkey

Response Time: We aim to respond to all inquiries within 30 days.

15. Additional Information

15.1 Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any information.

15.2 Job Applicants

If you apply for a position at Saasama, we collect and process your application data. This information is handled separately and retained according to our recruitment privacy notice.

15.3 Business Contacts

Information about business contacts and representatives is processed for legitimate business purposes, including service delivery, communication, and relationship management.

By using Saasama, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

This Privacy Policy is effective as of October 16, 2025.