Privacy Policy

Privacy Policy

Effective Date: February 4, 2025
Last Updated: February 4, 2025

Contents

  1. 1. Overview
  2. 2. Information We Collect
  3. 3. Information We Do Not Collect
  4. 4. How We Use Information
  5. 5. Information Sharing and Disclosure
  6. 6. Data Security
  7. 7. Cookies and Tracking Technologies
  8. 8. Data Retention
  9. 9. Your Rights
  10. 10. Children's Privacy
  11. 11. International Data Transfers
  12. 12. California Residents' Rights (CCPA)
  13. 13. EU Residents' Rights (GDPR)
  14. 14. Third-Party Links
  15. 15. Privacy Policy Updates
  16. 16. Contact Us

1. Overview

Welcome to our SaaS subscription and license management service ("the Service", "we", "us"). We value your privacy and have established this policy to explain how we collect, use, and protect your personal information.

By using the Service, you agree to the terms of this Privacy Policy.

2. Information We Collect

2.1 Information You Provide

  • Email Address: For login and service notifications.
  • Password: Stored using Argon2 hashing; we cannot see your raw password.
  • Device Name: To identify your logged-in devices.
  • 2FA Info: TOTP keys and recovery codes (if enabled).

2.2 Automatically Generated Identifiers

  • User ID: UUID to identify your account.
  • Session ID: UUID to manage your login session.

2.4 Subscription and Payment

Payments are processed via Stripe. We do not store your full credit card number or CVV. We only store order history and Stripe customer IDs.

3. Information We Do Not Collect

  • ❌ IP Addresses
  • ❌ Browser or OS details
  • ❌ Geolocation data
  • ❌ User behavior analytics
  • ❌ Third-party tracking cookies

4. How We Use Information

We use the collected information solely for the following purposes:

4.1 Providing Service

  • Create and manage your account
  • Process subscriptions and license activations
  • Manage your login sessions
  • Provide customer support

4.2 Payment Processing

  • Process payment transactions via Stripe
  • Manage subscription renewals and refunds
  • Generate invoices and receipts

4.3 Service Notifications

  • Send subscription confirmations and renewal reminders
  • Notify you of account security events (e.g., password changes)
  • Send service updates and maintenance notifications

4.4 Security and Compliance

  • Prevent fraud and abuse
  • Audit administrator operations
  • Comply with legal and regulatory requirements

We will NOT use your information for:

  • ❌ Third-party advertising
  • ❌ Marketing promotions (unless you explicitly consent)
  • ❌ Data brokerage or selling
  • ❌ User behavior analytics

5. Information Sharing and Disclosure

5.1 Third-Party Service Providers

We share necessary information with the following third-party service providers:

Stripe (Payment Processing)

  • Purpose: Process payment transactions and manage subscriptions
  • Data: Email address, order amounts, subscription information
  • Compliance: PCI DSS Level 1 certified
  • Privacy Policy: https://stripe.com/privacy

AWS (Cloud Services)

  • Purpose: Data hosting and email delivery (SES)
  • Data: Account information, order records
  • Compliance: SOC 2, ISO 27001 certified
  • Privacy Policy: https://aws.amazon.com/privacy/

Email Service (AWS SES or other SMTP providers)

  • Purpose: Send transactional and service notifications
  • Data: Email addresses, email content (transactional/security/service notifications)

5.2 Legal Requirements

We may disclose your information in the following circumstances:

  • To comply with applicable laws, regulations, court orders, or government requests
  • To protect our legal rights and safety
  • To prevent fraud or security threats
  • With your explicit consent

5.3 Business Transfers

If we undergo a merger, acquisition, or asset sale, your information may be transferred as part of our business assets. We will notify you before the transfer and ensure the new entity complies with this Privacy Policy.

5.4 What We Will NOT Do

Clear Commitments:

  • ❌ We will NOT sell your information to third-party advertisers
  • ❌ We will NOT share your information with data brokers
  • ❌ We will NOT use it for marketing partnerships
  • ❌ We will NOT engage in cross-site tracking

6. Data Security

We implement the following security measures to protect your information:

6.1 Technical Measures

  • Encryption in Transit: All data transmission is protected using HTTPS/TLS encryption
  • Password Protection: Passwords are hashed using the Argon2 algorithm
  • Session Management: Secure JWT and Refresh Token mechanisms
  • Database Security: Access control and encrypted storage

6.2 Administrative Measures

  • Audit logs for all administrator operations
  • Principle of least privilege (granting only necessary access)
  • Regular security reviews and updates
  • Employee security training

6.3 Payment Security

  • PCI DSS compliant
  • No storage of complete payment card information
  • Use of Stripe's secure payment gateway

Please Note: While we take reasonable security measures, no system is completely secure. If you discover any security issues, please contact us immediately.

7. Cookies and Tracking Technologies

7.1 Essential Cookies

We use the following essential cookies to provide the Service:

Cookie NamePurposeExpiryType
session-idSession management and authentication7 daysHttpOnly, Secure, SameSite
csrf-tokenPrevent cross-site request forgery attacksSessionSecure, SameSite

These cookies are necessary for the Service to function and cannot be disabled.

7.2 Third-Party Cookies

Stripe: During the payment process, Stripe may set cookies for fraud detection and payment processing. These cookies are governed by Stripe's privacy policy.

7.3 What We Do NOT Use

  • ❌ Analytics cookies (e.g., Google Analytics)
  • ❌ Advertising cookies
  • ❌ Social media tracking pixels
  • ❌ Third-party behavioral tracking

8. Data Retention

8.1 Retention Periods

Data TypeRetention PeriodReason
Account InformationDuration of accountProvide service
Session DataAuto-expires after 7 daysSecurity management
Order Records7 yearsTax and legal requirements
Audit Logs3 yearsCompliance requirements
Email Logs30 daysTroubleshooting

8.2 Backup Data

We may create encrypted backups of our database to prevent data loss. Backup data is rotated and deleted within a maximum of 90 days according to our backup policy.

8.3 Data Anonymization and De-identification

Where legal and compliance requirements permit, we may anonymize or de-identify data that needs to be retained long-term (e.g., order records, audit logs) to minimize privacy impact.

8.4 Account Deletion

When you delete your account:

  • Your account information will be marked for deletion
  • Personal identifiable information will be permanently deleted within 30 days
  • Order records will be retained as required by law (de-identified)
  • Audit logs will be retained as required for compliance (de-identified)

8.5 Data Cleanup

We automatically clean up:

  • Expired session data (after 7 days)
  • Revoked Refresh Tokens
  • Temporary files and caches

9. Your Rights

Under applicable data protection laws (such as GDPR and CCPA), you have the following rights:

9.1 Right to Access

You have the right to access the personal information we hold about you.

How to Exercise: Log into your account to view your personal information, or contact us to request a complete data copy.

9.2 Right to Rectification

You have the right to correct inaccurate or incomplete information.

How to Exercise: Update your information in your account settings, or contact us for assistance.

9.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal information.

How to Exercise: Contact us to request account deletion. Please note that certain information may need to be retained for legal requirements.

9.4 Right to Data Portability

You have the right to receive your data in a structured, commonly used format.

How to Exercise: Contact us to request data export. We will provide a JSON format data file within 30 days.

9.5 Right to Object

You have the right to object to our processing of your information for specific purposes.

How to Exercise: Contact us with your objection reasons.

9.6 Right to Restriction of Processing

You have the right to request restriction of processing your information.

How to Exercise: Contact us with the reasons for restriction.

9.7 Right to Withdraw Consent

If we process information based on your consent, you have the right to withdraw consent at any time.

How to Exercise: Contact us to withdraw consent. Withdrawal does not affect the lawfulness of processing before withdrawal.

9.8 Right to Complain

You have the right to lodge a complaint with a data protection authority.

EU Users: Contact the data protection authority in your country
California Users: Contact the California Privacy Protection Agency

9.9 Right Not to be Subject to Automated Decision-Making

We do not use automated decision-making (including profiling) that produces legal effects or similarly significantly affects you.

10. Children's Privacy

The Service is not directed to children under 16 years of age (or the higher legal age in your jurisdiction). We do not knowingly collect personal information from such individuals.

If you are a parent or guardian and discover that your child has provided us with personal information, please contact us. We will delete the information promptly upon verification.

11. International Data Transfers

11.1 Data Storage Location

Your data is stored in AWS data centers (specific location to be determined based on deployment).

11.2 Cross-Border Transfers

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data may be transferred outside these regions. We implement the following safeguards:

  • Use of Standard Contractual Clauses (SCCs) approved by the European Commission
  • Ensuring data recipients provide adequate data protection
  • Compliance with GDPR Article 46 requirements

11.3 Privacy Shield

While the EU-U.S. Privacy Shield framework is no longer valid, we ensure lawful data transfers through Standard Contractual Clauses and other legitimate mechanisms.

12. California Residents' Rights (CCPA)

If you are a California resident, you have the following additional rights:

12.1 Right to Know

You have the right to know the categories and specific pieces of personal information we collect.

12.2 Right to Delete

You have the right to request deletion of personal information we have collected (subject to certain exceptions).

12.3 Right to Opt-Out of Sale

We do NOT sell your personal information. We have never sold, and will never sell, your personal information.

12.4 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights (e.g., denying service, charging different prices).

12.5 Authorized Agents

You may designate an authorized agent to exercise your CCPA rights on your behalf.

How to Exercise CCPA Rights: Email us at support@chengrouter.com. We will respond to your request within 45 days.

13. EU Residents' Rights (GDPR)

If you are an EU resident, we act as the data controller for your personal information.

13.1 Legal Basis for Processing

We process your information based on the following legal grounds:

  • Contract Performance: To provide the services you subscribe to (GDPR Article 6(1)(b))
  • Legitimate Interests: Fraud prevention and security protection (GDPR Article 6(1)(f))
  • Legal Obligation: Compliance with tax and audit requirements (GDPR Article 6(1)(c))
  • Consent: Sending marketing emails (if applicable) (GDPR Article 6(1)(a))

13.2 Data Protection Officer (DPO)

For GDPR-related questions, please contact our Data Protection Officer:
Email: dpo@chengrouter.com

13.3 Data Breach Notification

In the event of a data breach, we will notify the relevant supervisory authority within 72 hours, and notify affected users when necessary.

The Service may contain links to third-party websites (such as the Stripe payment page). We are not responsible for the privacy practices of these third-party websites.

Please review their privacy policies when visiting third-party websites.

15. Privacy Policy Updates

15.1 Update Notifications

We may update this Privacy Policy from time to time. For material changes, we will notify you through:

  • Prominent notice on our website
  • Email to your registered email address
  • In-app notification upon your next login

15.2 Effective Date

The updated Privacy Policy will become effective 30 days after publication. Continued use of the Service indicates your acceptance of the updated policy.

15.3 Version History

You may request previous versions of this Privacy Policy by contacting us.

16. Contact Us

If you have any privacy-related questions, comments, or requests, please contact us through the following methods:

Email: support@chengrouter.com
Mailing Address: [Your Company Address]
Data Protection Officer (DPO): dpo@chengrouter.com (GDPR-related questions only)

Response Time: We will respond to your request within 30 days (45 days for CCPA requests).

16.1 Complaint Channels

If you believe our data processing violates applicable data protection laws, you have the right to lodge a complaint with the relevant data protection supervisory authority.

Appendix: Definitions

  • Personal Information: Information that can identify you, such as email address
  • Processing: Any operation performed on personal information, including collection, storage, use, disclosure, etc.
  • Data Controller: The entity that determines the purposes and means of processing (i.e., us)
  • Data Processor: The entity that processes data on behalf of the data controller (e.g., Stripe, AWS)
  • Cookie: Small text files stored on your device
  • Session: The active period after you log in
  • UUID: Universally Unique Identifier, a randomly generated identifier format

Last Updated: February 4, 2025
Version: 1.0

Thank you for trusting our Service. Protecting your privacy is our top priority.