Privacy Policy
Last Updated: March 2026
Introduction
Saasis ("we," "our," or "us") operates a Discord/Telegram bot and an accompanying web dashboard. This privacy policy explains how we collect, use, and protect your information when you use the Saasis bot service and dashboard at dashboard.saasis.net.
This policy covers the bot service and web dashboard only. For privacy information about the marketing website at saasis.net (which does not store personal data), see the website privacy policy.
Contact Information
- Website: https://saasis.net
- Email: [email protected]
- Data Protection Contact: [email protected]
Information We Collect
Core Bot Data
When you use the Saasis bot, we collect:
- User Identifiers: Your Discord or Telegram user ID and username
- Platform Information: Which platform you use (Discord or Telegram)
- Message Content: Messages you send to the bot and bot responses
- Usage Data: Timestamps of interactions and command usage patterns
- Chat History: Recent message context for AI processing (configurable, default 10 messages, range 5-50)
Conversation History
The bot maintains recent conversation history to provide context-aware AI responses. You can configure how many messages are retained in your settings.
Telegram
Due to Telegram Bot API limitations, messages are stored locally in our database. They are automatically rotated - the oldest messages are deleted when new ones arrive, up to your configured limit.
Discord
Messages are accessed through Discord's own API on demand and not stored locally by us.
Memory & Personalization
To improve your experience, the bot may extract and store information from your conversations:
- What's Stored: Facts, preferences, goals, and context extracted from your conversations (e.g., "prefers metric units," "works in marketing")
- How It Works: Your conversation content is processed by an AI service to identify relevant information, which is stored as structured memories
- Embeddings: Stored memories are sent to an AI provider to generate numerical representations, which are stored in a vector database on our servers for efficient retrieval
- Expiration: Memories have automatic expiration periods based on type: transient state (3 days), patterns (30 days), preferences/goals/context (no automatic expiry, deleted on request) - all periodically cleaned up
- Isolation: Your memories are private to your account and not shared with other users
User Settings
We store your preferences:
- History Limit: Your configured conversation history length
- Language: Your preferred language for bot responses
- Theme: Your dashboard visual theme preference
Dashboard Data
When you use the web dashboard at dashboard.saasis.net, we collect:
- IP Address: Your IPv4 and/or IPv6 address, used for security and audit purposes
- User Agent: Your browser and device information (browser name and version, OS and version, device type and model)
- Session Data: Session creation time, last activity time, and session duration
- Authentication Cookie: A single HTTP-only, secure session cookie (dashboard_session) used solely for authentication. This cookie is strictly necessary for the dashboard to function and does not require consent under GDPR/ePrivacy Directive.
Why No Cookie Consent Banner?
The dashboard uses only a single strictly necessary authentication cookie. Under the ePrivacy Directive and GDPR, cookies that are essential for the service you have requested (such as login session cookies) are exempt from consent requirements. We do not use any analytics, tracking, or advertising cookies on the dashboard.
Onboarding Data
When you first use the bot, we record:
- Terms Acceptance: That you agreed to these terms, and when
- Onboarding Progress: Which setup steps you have completed
- Onboarding Messages: Your messages during the setup flow and the bot's analysis of them, used to process your acceptance and preferences
Cross-Platform Account Linking
If you choose to link your Discord and Telegram accounts:
- Link Records: Which accounts are linked and when the link was created
- Audit Log: A record of linking and unlinking actions for security
- Data Merging: When linked, one account becomes the primary and all plugin data (reminders, notes, memories, etc.) is accessed through it from both platforms
- Account linking is optional and reversible at any time. Unlinking restores separate data access per platform
Plugin-Specific Data
The bot uses a modular plugin system. Each plugin may collect and store additional data specific to its functionality (e.g., reminders store your reminder text and schedule; the password manager stores encrypted credentials).
Plugin Privacy Policies
Each plugin has its own privacy addendum describing what additional data it stores, any third-party services that receive your data, and proactive notifications it may send. These addenda cover only what is unique to each plugin - this policy covers all core system behavior.
Plugin privacy policies are available on our website at saasis.net/plugins under each plugin's Privacy tab, and in the dashboard under each plugin's info panel.
AI Processing
To provide AI-powered responses, your messages are processed by third-party AI service providers. Providers may be added or removed at any time as the service evolves. As of March 2026, the providers we use include:
- Google Gemini
- OpenAI
- Anthropic Claude
- Mistral
- Groq
Not all providers are used simultaneously - the active set depends on configuration. Each provider acts as an independent data controller for the data they receive and processes it under their own privacy policy and terms.
Provider selection policy: We only use providers whose API terms explicitly prohibit using your data to train their AI models. We periodically review each provider's terms and data policies. If a provider changes their terms to allow training on API data, they will be removed from the service.
- Data Sent: Your message content and recent conversation context
- Purpose: Understanding your intent, routing to the appropriate plugin, and generating responses
- Logging: In production, your message content is never written to log files - only character counts and system prompt hashes are logged for debugging
Bring Your Own Key (BYOK)
You may optionally provide your own API keys for supported AI providers, including providers not listed above (such as DeepSeek). If you do:
- Your keys are stored in our encrypted database (see Data Storage below)
- Keys are sent only to the respective AI provider, never logged or exposed
- You can deactivate or delete your keys at any time
- When using your own key, your data is processed under that provider's terms and privacy policy - including any model training or data retention practices specific to your account with that provider
Usage Analytics & Credits
To manage service costs and credit allocation, we track:
- Token Usage: Number of AI tokens consumed per request (prompt and completion counts)
- Model Used: Which AI model processed your request
- Plugin Attribution: Which plugin initiated the AI request
- Credit Balance: Your current credit balance and transaction history
- Subscription Tier: Your current tier (free or premium)
In production dashboards and logs, your user identity in analytics data is displayed as a shortened hash derived from your user ID, not your actual user ID.
How We Use Your Information
We use collected information to:
- Provide Bot Services: Process commands, maintain conversations, and deliver requested functionality
- Improve AI Responses: Maintain conversation context for coherent interactions
- Dashboard Access: Authenticate your sessions and display your plugin data
- Security: Detect abuse, enforce rate limits, and maintain audit trails
- Technical Operations: Maintain databases, handle errors, and ensure system reliability
Legal Basis (GDPR)
We process your data under the following legal bases, applied per processing activity:
- Contract Performance (Art. 6(1)(b)): Core service delivery - processing messages, routing to plugins, maintaining conversation history, memory and personalization, usage analytics, credit management, BYOK key storage, and providing bot responses
- Legitimate Interest (Art. 6(1)(f)): Security and abuse prevention - IP logging, session tracking and history, rate limiting, audit trails, onboarding records (as proof of terms acceptance), and flow tracking for debugging. We have assessed that these interests do not override your rights given the security benefits and data minimization measures in place
- Consent (Art. 6(1)(a)): Cross-platform account linking - an optional feature that merges your data across Discord and Telegram. You can unlink your accounts at any time to stop cross-platform data sharing
During onboarding, you accept our Terms of Service (which establishes the contractual basis) and are informed of this privacy policy. Providing your data is necessary to use the service - if you choose not to, you will not be able to use the bot.
Automated Decision-Making
The bot uses AI to process your messages, route them to appropriate plugins, and extract memories for personalization. This is automated processing to deliver the service. Extracted information (preferences, goals, context) is used solely to personalize future responses - it does not affect your access to the service, pricing, or produce any legal effects. No automated decision-making with legal or significant effects (as defined in GDPR Art. 22) is performed.
Data Sharing
Third-Party AI Service Providers
Message content, conversation context, and memory extraction are processed by the third-party AI providers listed in the AI Processing section above. Each provider has their own privacy policy and data handling practices.
Plugin-Specific Third Parties
Some plugins connect to third-party services via OAuth on your behalf (e.g., the Google Calendar plugin uses the Google Calendar API). When you authorize such a connection, we store encrypted OAuth tokens to maintain it, fetch data on-demand without permanent storage, and allow you to revoke access at any time through the plugin or the third party's account settings. These are documented in each plugin's individual privacy policy, available at saasis.net/plugins.
Saasis's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
BYOK Provider Choice
If you use the Bring Your Own Key feature, your data is additionally sent to whichever provider you configure (which may include providers not listed above). This is your choice and the provider's terms apply directly to your account with them.
No Other Sharing
We do not sell, rent, or share your personal data with other third parties except as described above, or as required by applicable EU/EEA law (e.g., in response to valid court orders or binding legal requests from competent authorities).
Data Storage & Security
- Storage Location: Your data is stored on our servers in Europe
- Database Encryption: Plugin databases are encrypted using industry-standard AES-256 encryption (SQLCipher). Each plugin has its own encryption key derived from a master key
- Vector Database: Memory embeddings are stored in a separate vector database (Qdrant) on our servers, used for efficient memory retrieval
- User Isolation: All plugin data is automatically scoped to your user account. Plugins cannot access other users' data
- Production Logging: Your message content is never logged in production - only character counts and system prompt hashes are logged for debugging
- Session Security: Dashboard cookies are HTTP-only, secure (in production), and SameSite=strict
Data Retention
- Telegram Message History: Rolling limit based on your settings (oldest deleted when new ones arrive)
- Discord Message History: Not stored locally - accessed via Discord API on demand
- Memories: Transient state memories expire after 3 days, patterns after 30 days. Preferences, goals, and context do not auto-expire but can be deleted on request
- Dashboard Sessions: Active sessions expire after 7 days of inactivity. Expired sessions are automatically cleaned up every 10 minutes
- Session History: Historical session records (IP, device info) are retained for up to 180 days, then automatically deleted
- Authentication Tokens: Magic link tokens expire after 15 minutes and are automatically deleted
- Onboarding Records: Terms acceptance records are retained indefinitely as proof of consent
- User Settings: Retained while you use the service, deleted upon account deletion request
- Credit Usage Records: Retained for 90 days for billing reconciliation, then automatically deleted
- Flow Tracking: Debugging data including user IDs (displayed as hashes in dashboards), automatically deleted after 7 days
International Data Transfers
While your data is stored in Europe (see Data Storage above), processing by third-party AI providers may involve transfers to countries outside the EU/EEA. We ensure appropriate safeguards are in place:
- US-based providers (OpenAI, Google, Anthropic, Groq): Transfers are covered by the EU-US Data Privacy Framework and/or Standard Contractual Clauses (SCCs) as applicable, provided the provider is certified under the DPF
- EU-based providers (Mistral): Data remains within the EU/EEA - no third-country transfer occurs
If you use the BYOK feature with a provider based outside the EU/EEA (such as DeepSeek, which is based in China), any resulting data transfers are governed by that provider's terms and occur under your own account relationship with them.
We periodically review our provider list and transfer safeguards. You may request information about the specific safeguards in place by contacting [email protected].
Your Rights (GDPR)
You have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your personal data
- Restriction: Limit how we process your data
- Data Portability: Receive your data in a portable format
- Object: Object to processing based on legitimate interest
- Withdraw Consent: Withdraw your consent at any time, without affecting the lawfulness of processing before withdrawal
Exercising Your Rights
To exercise these rights, contact us at: [email protected]
Data Deletion Requests: Email [email protected] with your Discord/Telegram user ID and username. We will delete your data within 30 days.
Children's Privacy
Our service is not intended for children under 16 (or the applicable minimum age in your country under GDPR Art. 8). We do not knowingly collect personal information from children under this age. If you believe a child has provided us with personal information, please contact us at [email protected].
Changes to This Policy
We may update this privacy policy to reflect changes in our practices or for legal reasons. We will notify users of material changes through:
- Updated policy posted on this page
- Bot announcement for significant changes
- Re-acceptance may be required during onboarding for material changes
Related Policies
- Website Privacy Policy - Privacy policy for the saasis.net marketing website (no personal data stored)
- Plugin Privacy Policies - Individual privacy addenda for each bot plugin
- Terms of Service - Terms governing use of the Saasis bot and dashboard
Complaints
If you have concerns about how we handle your personal data, you can:
- Contact us directly at [email protected]
- File a complaint with your local data protection authority