1. Scope and Governance This Privacy Policy governs how Saerosoft collects, uses, stores, discloses, transfers, and protects personal information and commercially relevant business data in connection with the Services and all account administration, billing, and support functions.
2. Controller, Processor, and Responsibility Model Saerosoft acts as data processor for Merchant-provided data and may additionally act as processor for operational data where authorized in Commercial Documents. The Merchant remains responsible for the legal basis, accuracy, and lawful collection of end-customer data in its storefront operations.
3. Definitions - Personal Information means any information that identifies or can identify an individual. - Personal Data includes records related to payment, access, support, and usage within the Service. - Merchant Data refers to business records, account records, store data, catalog and order data, and operational content provided by the Merchant. - User means any individual authorized by the Merchant to access the Service on behalf of the Merchant.
4. Information We Process Saerosoft may process account identities, administrator credentials (hashed or tokenized where appropriate), store configuration data, product and order records, shipping records, invoices, support tickets, audit logs, payment and settlement references, device metadata, and integration payloads required for operation.
5. Data from Third-Party Systems Data may be ingested through APIs, webhooks, uploaded files, SFTP/CLI tools, and service connectors. Saerosoft processes only the data necessary to deliver the contracted services and documented integrations.
6. Lawful Bases and Authorization Processing is based on: (a) performance of the commercial contract; (b) legal obligations; (c) security and fraud prevention under legitimate interests; (d) explicit instruction from Merchant where required; and (e) consent when a legal framework explicitly requires it.
7. Processing Purposes Personal and business data is used for provisioning, onboarding, troubleshooting, invoice generation, payment operations, anti-abuse monitoring, security incident handling, support, audit readiness, system optimization, and dispute handling.
8. Cookies, Identifiers, and Technical Logs Operational logs may include IP addresses, request IDs, session identifiers, browser details, device fingerprints, request timing, and endpoint access patterns. This data supports abuse prevention, authentication verification, outage analysis, and performance monitoring.
9. Data Security Controls Saerosoft implements role-based access control, segregation of duties, least-privilege administration, credential management, encryption in transit, access logging, backup integrity controls, vulnerability management, and incident triage playbooks with documented escalation paths.
10. Sub-Processors and Service Vendors Saerosoft may use cloud providers, payment processors, CDN, alerting/monitoring platforms, communication tooling, and backup providers. All sub-processors are subject to written agreements requiring confidentiality, purpose limitation, security standards, and processing restrictions.
11. International and Cross-Border Processing Cloud operations or delegated support may involve transfer of data outside the Merchant's country of operation. Transfers are made under binding contractual terms, transfer impact assessments where required, and the legal basis set out in the applicable Commercial Documents or law.
12. Retention and Deletion Data is retained for the contractual term, lawful retention periods, tax/regulatory obligations, and reasonable dispute-defense periods. Upon expiry of retention requirements, records are deleted, anonymized, or archived in a secure and auditable manner.
13. Accuracy and Data Quality The Merchant is responsible for the accuracy and timeliness of Merchant Data, pricing, product descriptions, legal notices, and end-customer collection notices that it introduces into the Service. Saerosoft may suspend processing if required data is materially inaccurate or non-compliant.
14. Access, Correction, and Merchant Assistance Requests for access, correction, processing limitations, objection, or deletion should be submitted by the Merchant or lawful legal contact specified in the Commercial Documents with sufficient verification details. Saerosoft will respond in commercially reasonable timelines, subject to law and contractual deadlines.
15. Incident Detection and Breach Management When a suspected security incident occurs, Saerosoft investigates root causes, contains impact, preserves evidence, performs risk assessment, notifies required authorities within legal deadlines, and informs affected commercial parties as required.
16. Data Segmentation and Environment Controls Saerosoft uses environment separation and access isolation to prevent cross-tenant leakage. Access pathways are continuously reviewed and high-risk actions require re-authentication and audit logging.
17. End-of-Contract Data Handling After termination, Saerosoft may retain records for legal hold, dispute resolution, and required audit periods. The Merchant may request secure export and structured shutdown handover where technically feasible and contractually covered.
18. Children's Data The Service is not designed for unlawful collection of information from children under applicable minimum-age thresholds. If such information is received in connection with illegal or non-conforming operations, Saerosoft may refuse processing and enforce account remediation.
19. Rights of Request and Legal Inquiries Information requests from law enforcement, financial compliance teams, or regulators are handled through validated legal channels. In all cases, Saerosoft prioritizes lawful process, preservation orders, and documented handoff protocols.
20. Marketing and Communications Saerosoft may send account and support notices, security notices, billing notices, maintenance notices, and legal notices related to the Service operation. Marketing communications require applicable legal basis and consent where required.
21. Policy Changes Saerosoft may revise this policy if processing purpose, retention model, security architecture, legal basis, or vendor architecture changes. Material changes are communicated with effective date and version history in published legal channels.