Privacy Policy

Last updated: 14 April 2026

1. Who We Are

SaaSValidatr is operated by Agentic Consciousness ABN 13 679 488 272, based in Australia. We are the data controller for personal information collected through the Service. For EU/UK users, our data protection contact is hello@saasvalidatr.com.

1a. Lawful Basis (GDPR)

Where GDPR applies, we rely on the following lawful bases (Art. 6):

  • Contract — to create and operate your account, process scoring, and deliver Service features.
  • Legitimate interests — to keep the Service secure, detect abuse, and send transactional emails (score alerts, invites, password resets, after-action reports).
  • Consent — for analytics cookies (PostHog) and marketing emails (drip sequence, weekly digest, nudges). You can withdraw consent at any time via the cookie banner or Settings > Notifications.
  • Legal obligation — to retain billing records and respond to valid legal requests.

Data is hosted in Tokyo (Japan) and Northeast Asia; transfers out of the EU rely on Standard Contractual Clauses or equivalent safeguards offered by our sub-processors.

2. Information We Collect

Account information: Email address, full name, and organisation name when you sign up.

Content you submit: Ideas, descriptions, scores, comments, chat messages, and reactions you create within the Service.

Usage data: Pages visited, features used, timestamps, browser type, and device information. Collected via PostHog analytics.

Payment information: Billing details are collected and processed by Stripe. We do not store credit card numbers on our servers.

3. How We Use Your Information

We use your information to: (a) provide and operate the Service; (b) send your ideas to AI providers (Anthropic) for analysis; (c) send transactional emails (scoring notifications, invitations, digests) via Resend; (d) improve the Service through anonymised usage analytics; (e) communicate service updates and billing information.

4. Third-Party Services

We share data with the following providers, each with their own privacy policies:

  • Supabase — Database hosting and authentication (ap-northeast-1 region)
  • Anthropic — AI analysis of submitted ideas (data is not used for model training per Anthropic's API terms)
  • Vercel — Application hosting (hnd1 Tokyo region)
  • Stripe — Payment processing
  • Resend — Transactional email delivery
  • PostHog — Product analytics and session recording (passwords and sensitive fields are masked)

5. Data Isolation

All data is scoped to your organisation through PostgreSQL row-level security policies. Your ideas, scores, and discussions are invisible to other organisations. Even our support team accesses data only through scoped queries.

6. Anonymous Scoring

When team members score ideas, their identity is hidden from other team members (including the idea submitter) until all votes are in. Score notifications do not reveal who scored.

7. Data Retention

Your data is retained for as long as your account is active. If you delete your account or organisation, we will delete your data within 30 days. Anonymised, aggregated analytics data may be retained indefinitely.

8. Your Rights

Under GDPR/UK GDPR and Australian privacy law you have the right to: (a) access your personal data; (b) correct inaccurate data; (c) request deletion (right to erasure); (d) export your data (portability); (e) object to or restrict processing; (f) withdraw consent; (g) lodge a complaint with your supervisory authority (e.g. your national DPA in the EU, the ICO in the UK, or the OAIC in Australia). Most of these are self-serve: export via Settings > Download my data, delete via Settings > Danger Zone, or email hello@saasvalidatr.com. We respond to requests within 30 days.

9. Cookies

We use essential cookies for authentication and session management. PostHog analytics cookies only load with your consent via the cookie banner. We do not use third-party advertising cookies. Full details are in our Cookie Policy.

10. Security

We implement industry-standard security measures including: encrypted connections (TLS), row-level database security, hashed passwords, rate limiting on all API endpoints, and regular security audits. Despite these measures, no system is 100% secure.

11. Children

The Service is not intended for users under 18. We do not knowingly collect data from minors.

12. Changes

We may update this policy from time to time. We will notify registered users of material changes by email.

13. Contact

For privacy questions or data requests, email hello@saasvalidatr.com.