Privacy Policy

Effective 2026-05-27 · v1.0

Data collected

We collect account registration data (name, email, company), financial documents you submit for processing (invoices, receipts, contracts, and their extracted fields), workspace configuration and workflow definitions, usage logs (actions taken, API requests, approval decisions), and standard web telemetry (IP address, browser type, page visits) via first-party cookies. We never collect cardholder data — payment processing is handled exclusively by Stripe, which is PCI DSS certified.

How we use it

We use your data to deliver the SayaOps service: extracting invoice fields, executing workflows, routing approval tasks, and generating the audit trail. We also use it to authenticate users, enforce plan limits, calculate billing, send transactional notifications (invoice processed, approval pending, incident alerts), and operate and improve the platform. We do not use your financial documents to train AI models, sell them to third parties, or use them for advertising. Legal bases under GDPR: contract performance, legitimate interest (security, fraud prevention), and legal obligation (audit-log retention).

Sharing

We share data only with the sub-processors necessary to operate the service (see our Security page for the full list) and as required by law. We never sell personal data. If a law enforcement or regulatory request is received, we notify you unless legally prohibited. If SayaOps is acquired, customer data transfers to the acquirer subject to the same obligations. A Data Processing Addendum (DPA) is available for customers requiring GDPR Article 28 documentation — request via legal@saya-io.com.

Retention

Audit logs are retained per your plan: 30 days on Starter, 1 year on Growth, and up to 7 years on Enterprise. Account data is retained while your subscription is active and for 30 days after cancellation, during which you may export all data via Settings → Data export. After 30 days, data is permanently and irrecoverably deleted from all systems including backups. Anonymised aggregate usage statistics may be retained indefinitely.

Your rights

Depending on your jurisdiction, you may have the right to: access a copy of your personal data, correct inaccurate data, request erasure ("right to be forgotten"), restrict or object to processing, and receive your data in a portable format. EU/UK residents have these rights under GDPR; California residents under CCPA. To exercise any right, email privacy@saya-io.com. We respond within 30 days (CCPA) or one month (GDPR). Account owners can delete individual users from Settings → Team at any time.

Contact

Privacy questions, data subject requests, and DPA requests: privacy@saya-io.com. Security disclosures: security@saya-io.com. Legal notices: legal@saya-io.com. Mailing address: SayaOps, Inc. — available on request. This policy may be updated with 30 days' notice via email; continued use after notice constitutes acceptance.