Privacy Policy · Saaslivery

This Privacy Policy explains how Saaslivery collects, uses, shares, and protects personal information when you visit our websites, create an account, and use our workspace and apps. It also explains your privacy choices and the rights available to you under the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable laws. Please read it alongside our Terms of Service and, for business customers, our Data Processing Addendum (DPA).

1. Overview & scope

Saaslivery is a multi-tenant business-to-business software-as-a-service platform: an ecosystem of small, interconnected productivity apps that live under a single workspace. We replace sprawling office suites with modular micro-utilities that work on their own and better together. Our apps span communication (Chat, Calls, Audio Rooms, Mail), organisation (Calendar, Contacts, Files, Papers, Wiki, Tables, Tasks, Tickets, Feeds), business operations (CRM, Finance, Signatures), and people operations (Workers, Leaves), alongside a marketplace of third-party apps.

This policy applies to our websites and services at saaslivery.com, api.saaslivery.com, apps.saaslivery.com, account.saaslivery.com, your workspace at [workspace].saaslivery.com, and our real-time media service at rtc.saaslivery.com (together, the "Services").

Our two roles: controller and processor

Privacy law distinguishes between the party that decides why and how personal data is processed (the "controller") and the party that processes data on the controller's behalf and instructions (the "processor"). Saaslivery acts in both roles depending on the data:

We are the controller for personal information relating to our public websites, marketing, account registration, workspace administration, and billing. For this data, Saaslivery decides the purposes and means of processing, and this policy governs how we handle it.
We are a processor for "Customer Content" — everything that a workspace and its members create, upload, send, or store inside the apps (for example, messages, files, documents, tasks, CRM records, finance documents, contacts, table data, and call media). For that content, the customer organisation is the controller and Saaslivery processes it only on the customer's documented instructions under our Data Processing Addendum.

If you are an individual user of a workspace and you want to access, correct, export, or delete Customer Content, or to understand how your employer or organisation uses that content, please contact your workspace administrator, who is the controller of that data. Where we receive such a request directly, we will refer you to the relevant controller and assist that controller in responding, as required by law.

2. Information we collect

We collect the following categories of information.

2.1 Account & profile information

When you create or maintain a Saaslivery identity, we collect:

your email address (used as your unique account identifier);
your password, which we store only as a one-way bcrypt hash — we never store your password in plain text and cannot recover it;
your full name;
optional details you choose to add: job title, profile/avatar image (stored in object storage), phone number, and a postal address (street, city, state, postal code, country);
your account status.

2.2 Workspace & membership information

workspace name, slug, industry, company size, and optional email domain;
your membership role (owner, admin, or member) and member preferences;
your join date and your online/presence status.

2.3 Billing & payment information

Payments are processed by our payment processor, Flutterwave. Saaslivery does not receive or store full card numbers. We store only:

tokenised payment-method references — a Flutterwave payment-method token, a Flutterwave customer identifier, the card brand, the last four digits, and the expiry month and year;
subscription state, including trial dates, billing interval, and status;
usage meters such as seat counts, call minutes, message volumes, document counts, and storage in gigabytes;
invoices, including the billing period, amount (in USD), charge reference, and paid date.

2.4 Service & usage data

When you use the Services, we automatically collect:

log data and timestamps of activity;
approximate device and browser information;
IP address;
presence information; and
performance and diagnostic telemetry that helps us keep the Services reliable and secure.

2.5 Customer Content

As a processor, we host and process the content that workspaces and their members create, including: messages and attachments (Chat); files and documents (Files, Papers, Wiki); tasks; CRM records and deals; finance documents such as invoices, expenses, and quotes; contacts; table data; calendar and leave data; feed posts; and call and audio-room media and metadata. Customer Content is handled on behalf of the customer organisation under our DPA, not under this policy's controller terms.

2.6 Communications with us

When you contact us for support, sales, or legal matters, or respond to a survey, we collect the contents of your message and any information you choose to provide so we can respond and keep a record of the interaction.

2.7 Cookies & local storage

We use strictly-necessary session and authentication cookies, preference storage, and minimal first-party analytics. We do not use third-party advertising cookies. See Section 5 for details.

2.8 Sources of personal information

We obtain personal information from the following categories of sources:

Directly from you — when you create an account, complete your profile, configure your workspace, contact us, or otherwise interact with the Services.
Automatically from your use of the Services — service and usage data such as log data, approximate device and browser information, IP address, presence, and diagnostic telemetry (see Section 2.4).
From your workspace organisation or its administrator — where an administrator adds you to a workspace, or another member invites you, we receive your email address and any profile details they provide to set up your membership.
From our payment processor — tokenised payment-method references and billing status, as described in Section 2.3.

2.9 When is provision of data required?

Some personal information is necessary to enter into or perform our contract with you and to provide the Services. In particular, your email address and password are required to create and secure an account, and your name and workspace details are required to set up and operate a workspace. If you do not provide this information, we cannot create your account or provide the Services to you. Other details, such as your job title, avatar, phone number, and postal address, are optional and provided at your discretion; declining to provide them will not prevent you from using the core Services.

2.10 Information about people added by a workspace

Where we obtain your personal information not from you directly but from a workspace organisation or its administrator (for example, when an administrator adds you to a workspace or a member invites you), the source of that data is the workspace organisation. The categories of data we receive in this way are typically your email address and, where provided, basic profile and role details. The workspace organisation is the controller of that data, and you can ask it about the information it has shared with us. We process it to set up your membership and provide the Services, as described in this policy.

3. How we use information

As a controller, we use personal information for the following purposes:

Provide and operate the Services — create and authenticate your account, set up and run your workspace, deliver the apps you use, and enable real-time communication.
Billing and payments — manage subscriptions and free allowances, meter usage, process payments through Flutterwave, issue invoices, and handle dunning for failed payments.
Maintain, secure, and improve the Services — monitor availability and performance, diagnose and fix problems, prevent and investigate fraud, abuse, and security incidents, and develop new features.
Communicate with you — send transactional and service messages (such as sign-in codes, invitations, billing notices, and important account or policy updates) and respond to your enquiries.
Personalise your experience — remember your preferences and presence and tailor non-content aspects of the interface.
Comply with law and protect rights — meet legal, accounting, and tax obligations, respond to lawful requests, and enforce our agreements and protect the rights, property, and safety of Saaslivery, our customers, and the public.

We process Customer Content only to provide the Services and on the documented instructions of the customer organisation, as set out in our DPA.

4. Legal bases for processing (EU/UK GDPR)

Where the GDPR or UK GDPR applies and we act as a controller, we rely on the following legal bases under Article 6(1):

Performance of a contract (Art. 6(1)(b)) — to create and authenticate your account, provide the Services you and your workspace have signed up for, process payments, and provide support.
Legitimate interests (Art. 6(1)(f)) — for clearly defined business interests, namely: keeping the platform and accounts secure and detecting, preventing, and investigating fraud, abuse, and security incidents; monitoring, troubleshooting, and improving the availability, performance, and reliability of the Services; developing and testing new features; administering, defending, and growing our business; and sending service-related communications about your account and the Services. We have carried out a legitimate-interests balancing assessment for each of these interests, weighing them against your rights and freedoms, and we keep a record of that assessment which you may request using the contact details in Section 17. You may object to this processing as described in Section 11.
Consent (Art. 6(1)(a)) — for any optional analytics or communications that require it, where you have given consent. You may withdraw consent at any time, without affecting processing carried out before withdrawal.
Legal obligation (Art. 6(1)(c)) — to comply with applicable law, including tax, accounting, and record-keeping requirements, and to respond to lawful requests from authorities.

For Customer Content we process as a processor, the customer organisation (as controller) is responsible for establishing the applicable legal basis.

5. Cookies & similar technologies

We keep our use of cookies and local storage deliberately minimal and first-party only:

Strictly-necessary session & authentication cookies — required to sign you in, keep you signed in, route requests to the correct workspace, and protect against cross-site request forgery. The Services cannot function without these.
Preference storage — remembers settings such as interface preferences so your experience is consistent.
Minimal first-party analytics — helps us understand aggregate usage and improve the Services. We do not build advertising profiles.

We do not use third-party advertising or cross-site tracking cookies, and we do not allow third parties to place advertising cookies through the Services.

How to control cookies. When you first visit our public site we show a cookie consent banner where you can accept all cookies, reject everything that isn't strictly necessary, or choose individual categories. Optional cookies stay off until you opt in, and you can change or withdraw your choice at any time using the Cookie settings link in our page footer. You can also block or delete cookies through your browser settings. Blocking strictly-necessary cookies will prevent you from signing in and using the Services. Because we do not engage in cross-context behavioural advertising, we do not act on third-party "Do Not Track" or advertising opt-out signals for that purpose; we do, however, honour recognised opt-out preference signals as described in Section 12 where they apply.

7. Sub-processors

We engage the following sub-processors to help us provide the Services. We require each to maintain appropriate security and confidentiality and to process personal data only as needed to provide their service to us. Our internal event bus is first-party Saaslivery infrastructure and is not a third party.

Sub-processor	Purpose	Data processed	Primary region
Amazon Web Services (AWS)	Cloud hosting & infrastructure	All platform and customer data at rest and in transit	EU (Ireland)
Cloudflare, Inc.	CDN, edge security, object storage (files, avatars, attachments), and TURN relay for calls	Files, attachments, avatars, media, and network/connection data	Global / EU
LiveKit, Inc.	Real-time audio & video for group calls and audio rooms	Audio/video streams, participant and room metadata	Global
Flutterwave	Payment processing	Cardholder and payment data, billing contact details	Global
Resend	Transactional email delivery (sign-in codes, invitations, notifications)	Recipient email address and message content	United States / Global
New Relic	Application performance monitoring & observability	Technical logs, request traces, limited technical metadata	United States / Global

We may update this list from time to time as our service providers change. Business customers may request advance notice of new sub-processors under our DPA.

8. International data transfers

We host platform and customer data in the European Union (AWS, Ireland). However, Saaslivery is operated by Cloudcamp Co. (a United States company) and its Nigerian subsidiary Microcessor, both established outside the European Economic Area and the United Kingdom, and some of our sub-processors operate in the United States or globally. As a result, your personal information may be transferred to, stored in, or accessed from countries outside the European Economic Area and the United Kingdom, whose data-protection laws may differ from those of your country.

We identify the specific transfer mechanism we rely on for each destination or category of recipient as follows:

Transfers to the United States (for example, to sub-processors such as Flutterwave, Resend, and New Relic, and to globally operated providers such as LiveKit and Cloudflare to the extent data is processed in the US) are covered by the European Commission's Standard Contractual Clauses (SCCs) and, for transfers from the United Kingdom, the UK International Data Transfer Addendum (IDTA) or the UK Addendum to the SCCs. Where a US recipient is certified under the EU-US Data Privacy Framework (together with its UK Extension and the Swiss-US Data Privacy Framework), we may also rely on that recipient's certification as the basis for the transfer.
Transfers to other countries with an adequacy decision — where the destination country has been recognised by the European Commission (or, for the UK, by UK adequacy regulations) as providing an adequate level of protection, we rely on that adequacy decision and no additional safeguard is required.
Transfers to any other country — we rely on the SCCs, the UK IDTA, or another lawful Article 46 transfer mechanism.

Where required, we also carry out transfer impact assessments and apply supplementary technical and organisational measures. You have the right to obtain a copy of the safeguards we rely on — including the relevant Standard Contractual Clauses — by contacting us at hello@saaslivery.com or using the contact details in Section 17.

9. Data retention

We keep personal information only for as long as necessary for the purposes set out in this policy, and then delete or anonymise it. How long we keep data depends on its type and purpose:

Account & profile data is kept while your account is active. After your account is closed, we delete or anonymise it within 90 days, except where we need to retain limited information longer to resolve a dispute or meet a legal obligation.
Billing, invoice, and tax records are retained for the period required by applicable tax and accounting law — generally 7 years from the end of the relevant financial year.
Service & usage logs and telemetry are retained for up to 12 months for security, troubleshooting, and reliability, and are then deleted or aggregated into non-identifiable statistics.
Communications with us (support, sales, and legal correspondence) are kept for up to 24 months after the matter is closed, unless a longer period is needed to handle a recurring issue or a legal claim.
Customer Content is retained according to the customer organisation's settings and instructions. When a workspace is closed or content is deleted by the customer, we delete or anonymise it within 30 days, subject to backup cycles (which are overwritten on a rolling basis within 90 days) and any legal-hold requirements.

We may retain certain information for longer where required by law or to establish, exercise, or defend legal claims.

10. Security

We use technical and organisational measures designed to protect personal information, including:

encryption of data in transit (TLS) and at rest;
passwords stored only as bcrypt hashes, never in plain text;
strict per-workspace data isolation enforced on every request and every database query, so one workspace's data is never exposed to another;
tokenised payments, so we never store full card numbers;
role-based access control limiting access to data on a need-to-know basis; and
continuous monitoring of the platform for performance, availability, and security.

No method of transmission or storage is 100% secure. While we work hard to protect your information, we cannot guarantee absolute security. If you believe your account or data has been compromised, please contact us immediately at hello@saaslivery.com.

11. Your privacy rights — EU & UK GDPR

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights in relation to your personal data, subject to applicable conditions and exceptions:

Access — to obtain confirmation of whether we process your data and a copy of it.
Rectification — to have inaccurate or incomplete data corrected.
Erasure ("right to be forgotten") — to have your data deleted in certain circumstances.
Restriction — to limit how we process your data in certain circumstances.
Portability — to receive data you provided in a structured, commonly used, machine-readable format and, where feasible, have it transmitted to another controller.
Objection (legitimate interests) — to object, on grounds relating to your particular situation, to processing based on our legitimate interests, including any profiling. Where this right applies, we will stop the processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defence of legal claims.
Objection to direct marketing — where we process your personal data for direct marketing purposes, you have an absolute, unconditional right to object at any time, after which we will no longer process your data for that purpose. You do not need to give any reason.
Withdraw consent — to withdraw consent at any time where we rely on it, without affecting the lawfulness of earlier processing.
Lodge a complaint — to complain to a supervisory authority (see below).

How to exercise your rights

Contact us at hello@saaslivery.com. We will respond within the timeframes required by law. We may need to verify your identity before acting on a request.

Controller vs processor routing

For data where Saaslivery is the controller (website, account, and billing data), we will handle your request directly. For Customer Content, where Saaslivery is a processor and your workspace organisation is the controller, please direct your request to your workspace administrator. If you contact us about such content, we will refer the request to the relevant controller and assist them in responding.

Supervisory authorities

You may lodge a complaint with your local data protection supervisory authority. In the United Kingdom this is the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom — helpline +44 (0)303 123 1113, ico.org.uk. In the EEA it is the supervisory authority of your country of residence, place of work, or the place of the alleged infringement; you can find the relevant authority and its contact details via the European Data Protection Board's list of members at edpb.europa.eu. If you are in Switzerland, the competent authority is the Federal Data Protection and Information Commissioner (FDPIC), edoeb.admin.ch; for transfers from Switzerland we rely on the Standard Contractual Clauses together with the Swiss addendum recognised by the FDPIC. We would, however, appreciate the chance to address your concerns first.

12. Your privacy rights — California (CCPA/CPRA)

If you are a California resident, the CCPA, as amended by the CPRA, gives you specific rights regarding your personal information. The categories of personal information we collect, the purposes for which we use them, and the categories of recipients with whom we share them are described in Sections 2, 3, 6, and 7. The categories we may collect include identifiers (such as name, email, IP address), commercial information (such as subscription and billing records), internet and network activity (such as usage and log data), geolocation (approximate, from IP address), audio and visual information (call and room media), professional information (such as job title and workspace role), and the contents of communications with us.

Sources of personal information. We collect personal information directly from you, automatically from your use of the Services, from your workspace organisation or its administrator, and from our payment processor (see Section 2.8). We collect and use each category for the business and commercial purposes described in Sections 3 and 6.

Sensitive personal information. The CPRA treats certain information as "sensitive". We collect a limited amount of sensitive personal information, namely account log-in credentials (your email and password) and the contents of communications such as messages and call or room media. We use sensitive personal information only as necessary to provide and secure the Services and for the limited purposes permitted by the CPRA — we do not use or disclose it to infer characteristics about you or for any purpose that would require offering a right to limit its use.

You have the right to:

Know and access the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of recipients.
Data portability — to obtain a copy of the personal information you provided in a portable and, to the extent technically feasible, readily usable format that allows you to transmit it to another entity.
Delete personal information we have collected from you, subject to exceptions.
Correct inaccurate personal information.
Opt out of the sale or sharing of personal information. We do not sell your personal information, and we do not share it for cross-context behavioural advertising, so there is nothing to opt out of.
Limit the use and disclosure of sensitive personal information. We do not use or disclose sensitive personal information for purposes that would trigger this right; we use such information only as necessary to provide the Services.
Non-discrimination — we will not discriminate against you for exercising your rights.

How to exercise. Submit a request to hello@saaslivery.com. Saaslivery operates exclusively online and has a direct relationship with the consumers whose information it collects; accordingly, as permitted by the CCPA, we designate this email address as our method for submitting consumer requests. We will verify your request, and where required will respond within the statutory timeframe. You may use an authorized agent to make a request on your behalf, provided they submit proof of authorisation and we can verify your identity.

Opt-out preference signals. Because we do not sell or share personal information and do not engage in cross-context behavioural advertising, there is no sale or share for an opt-out preference signal such as the Global Privacy Control (GPC) to act upon. We do not engage in cross-context behavioural advertising regardless of any such signal.

Where Saaslivery processes information as a service provider on behalf of a business customer (our processor role over Customer Content), we will direct your request to that business, which is responsible for responding.

Shine the Light. California's "Shine the Light" law (Civil Code § 1798.83) permits California residents to request information about disclosures of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

13. Other US state privacy rights

Residents of Virginia, Colorado, Connecticut, Utah, and Texas (and other states with comparable laws) have rights similar to those described above, which may include the right to confirm and access their personal data, to correct inaccuracies, to delete personal data, to obtain a portable copy, and to opt out of targeted advertising, the sale of personal data, and certain profiling. As noted, we do not sell personal data or use it for targeted advertising, and we do not engage in profiling that produces legal or similarly significant effects. To exercise these rights, contact hello@saaslivery.com. Where a state provides an appeal process for a declined request, we will inform you how to appeal.

14. Children's privacy

Saaslivery is a business-to-business service intended for organisations and their workforce. It is not directed to children, and we do not knowingly collect personal information from anyone under the age of 16. If you believe a child has provided us with personal information, please contact hello@saaslivery.com and we will take appropriate steps to delete it.

15. Automated decision-making

We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or that similarly significantly affect you. Some features may use automation to support and improve the Services, but meaningful human involvement remains part of any decision that would have such effects.

16. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make material changes, we will update the "Last updated" date above and, where appropriate, provide additional notice (for example, by email or an in-product notice). We encourage you to review this policy periodically. Your continued use of the Services after an update takes effect constitutes acceptance of the revised policy, to the extent permitted by law.

17. Contact us

The controller responsible for the personal information described in this policy is Cloudcamp Co., a company incorporated in Delaware, United States, which operates the Saaslivery platform together with its subsidiary Microcessor (registered at 5 Lungi Street, Nigeria) for the African market. If you have questions, concerns, or requests regarding this policy or your personal information, please contact our privacy team:

Controller: Cloudcamp Co. (incorporated in Delaware, United States), operating as Saaslivery
African operations: Microcessor (registered in Nigeria)
Privacy & data protection: hello@saaslivery.com
Legal & terms: hello@saaslivery.com
General support: hello@saaslivery.com
Postal address: Microcessor, 5 Lungi Street, Nigeria

Data protection contact. Saaslivery is operated by Cloudcamp Co. in the United States. If you are in the EEA or UK, you can contact us about this policy or your personal information at hello@saaslivery.com, and we will respond in accordance with applicable data protection law.

Right to complain. If you are in the EEA or UK and believe we have not handled your personal information properly, you have the right to lodge a complaint with your local supervisory authority, including the UK Information Commissioner's Office (ICO). We would welcome the opportunity to resolve your concerns directly first.