Privacy Policy

This Privacy Policy explains how Saaslinks ("Saaslinks", "we", "us", or "our") collects, uses, shares, and protects personal data when you visit saaslinks.net, create an account, fund a wallet, place orders, or contact us. It applies to buyers, prospective buyers, site owners, and visitors. Funding a wallet and placing orders are governed by our Terms of Service and Refund and Wallet Policy; how we set and read cookies is covered in our Cookie Policy.

Serpbays LLC, which operates the Saaslinks brand, is the data controller for the personal data described here. Saaslinks is a product of Serpbays LLC. If you have a question about this policy or want to exercise a right, contact us using the details in Section 12.

1. Who this policy covers

This policy covers personal data we process about:

• Account holders who sign up, log in, fund a wallet, and place link-building orders.
• Prospective customers who browse the marketplace, start a sign-up, or contact sales or support.
• Site owners and publishers whose properties are listed or who submit sites for vetting.
• Website visitors who load our pages, where we set cookies and collect limited analytics.

2. The personal data we collect

We collect only the data we need to run the marketplace. The categories are:

• Account and identity data: name, email address, password (stored only as a salted hash), company name, country, and your communication preferences.
• Wallet and billing data: wallet balance, top-up amounts, transaction history, invoices, billing name and address, VAT or tax identifiers, and the last four digits and card type returned by our payment processor. We do not store full card numbers or CVV codes. Card details are entered directly with our payment processor.
• Order data: the listings you view and order, target URLs, anchor text, order status, delivery and indexation tracking records, and any briefs or notes you submit.
• Support and communications data: the contents of emails, support tickets, and messages you send us, plus our replies.
• Technical and usage data: IP address, device and browser type, pages viewed, referring URLs, timestamps, and cookie or similar identifiers. See our Cookie Policy for detail.

We do not intentionally collect special category data (such as health, biometric, or political data) and we ask that you do not submit it through briefs, notes, or support messages.

3. How we collect it

We collect personal data:

• Directly from you when you create an account, fund a wallet, place an order, or contact us.
• Automatically through cookies, server logs, and analytics when you use the site.
• From our processors, such as tokenized billing confirmations from our payment processor and deliverability events from our email provider.

4. Why we use your data and our legal bases

Under the EU GDPR and UK GDPR we must have a lawful basis for each use. The table below maps each purpose to its basis.

Purpose	Legal basis
Create and administer your account and authenticate logins	Performance of a contract
Process wallet top-ups, orders, refunds, and invoicing	Performance of a contract
Detect, prevent, and investigate fraud and abuse	Legitimate interests; legal obligation
Provide support and respond to your messages	Performance of a contract; legitimate interests
Keep the service secure and operational	Legitimate interests
Comply with tax, accounting, and anti-money-laundering law	Legal obligation
Send service and transactional emails (order, indexation, billing)	Performance of a contract
Send marketing emails about our services	Consent, or legitimate interests where permitted, with an opt-out in every message
Analytics and non-essential cookies	Consent

Where we rely on legitimate interests, we have balanced those interests against your rights and you can object at any time (see Section 9).

5. Payment processing

Wallet top-ups are processed by Stripe, Inc., our payment processor. When you add funds, your card details are transmitted directly to Stripe and handled under Stripe's own privacy notice. We receive only a payment token, the outcome of the transaction, and limited metadata such as the last four digits and card type. Stripe is responsible for PCI DSS compliance on the card data it processes. You can review how Stripe handles personal data in the Stripe Privacy Policy.

6. Who we share data with (processors and subprocessors)

We do not sell your personal data. We share it only with vendors who process it on our behalf under contract, and only as needed to run the service. Our categories of processors are:

• Payment processing: Stripe, for wallet top-ups, refunds, and billing.
• Hosting and infrastructure: our cloud hosting and database providers.
• Email delivery: our transactional and marketing email provider.
• Analytics and error monitoring: providers that help us understand usage and diagnose issues.
• Customer support: our helpdesk and ticketing tools.

Each of these acts as a processor or subprocessor under a data processing agreement. The current list of subprocessors and our data processing terms are maintained in our Data Processing Agreement and Subprocessors. We may also disclose data where legally required, to enforce our Terms of Service, or in connection with a merger, acquisition, or sale of assets, in which case we will notify you of any change in controller.

7. International data transfers

We and our processors may process personal data outside your country, including in the United States. Where we transfer personal data out of the European Economic Area or the United Kingdom, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, together with supplementary measures where needed.

8. How long we keep data (retention)

We keep personal data only as long as we need it:

• Account data: for as long as your account is open, then deleted or anonymized within a reasonable period after closure, unless a longer period is required.
• Wallet, billing, and invoice records: retained for the period required by tax and accounting law, which is typically up to seven years.
• Order and indexation records: for as long as needed to honor the 30-day indexation guarantee and resolve disputes, then archived or deleted.
• Support communications: retained for a reasonable period to provide continuity of support.
• Technical logs: retained for a short period for security and troubleshooting.

When a retention period ends, we securely delete or irreversibly anonymize the data.

9. Your rights

EU and UK GDPR

If you are in the European Economic Area or the United Kingdom, you have the right to: access your data; correct inaccurate data; erase data; restrict or object to processing; data portability; and withdraw consent at any time without affecting prior processing. You also have the right to lodge a complaint with your supervisory authority. In the UK that is the Information Commissioner's Office. EU residents can contact their national authority via the European Data Protection Board.

California (CCPA and CPRA)

If you are a California resident, you have the right to know what personal information we collect and how we use it, the right to delete it, the right to correct it, and the right to limit certain uses, subject to exceptions. We do not sell or share your personal information for cross-context behavioral advertising as those terms are defined under the CCPA, as amended by the CPRA. We will not discriminate against you for exercising your rights. To submit a request, see Section 12 or visit Your Privacy Choices.

How to exercise your rights

Use the contact details in Section 12. We will verify your identity before acting, respond within the timeframe required by applicable law, and will not charge a fee unless a request is excessive or repetitive. You may use an authorized agent where the law allows.

10. Security

We use technical and organizational measures appropriate to the risk, including encryption in transit, hashed passwords, access controls, and tokenized payment handling through our processor. No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we work to protect your data and to notify you and the relevant authority of a qualifying breach as required by law.

11. Children

Saaslinks is a business-to-business service and is not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact us and we will delete it.

12. Contact us and changes to this policy

For any privacy request or question, email [email protected]. You can reach our support team through our Contact and Support page.

We may update this Privacy Policy to reflect changes in our practices or the law. When we make material changes we will update the date below and, where appropriate, notify you. Your continued use of Saaslinks after an update means you accept the revised policy.