SayWall

Privacy Policy

Last Updated: December 19, 2025

Effective Date: December 19, 2025

1. Introduction

Saywall ("we," "us," or "our") operates https://saywall.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.

By using Saywall, you agree to the collection and use of information in accordance with this Privacy Policy. This policy is designed to comply with global privacy regulations including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws.

2. Information We Collect

2.1 Information You Provide Directly

Account Information:

  • Email address (required for authentication)
  • User ID (automatically generated)

Project Information:

  • Project name
  • Website domain
  • Favicon URL
  • Branding preferences (colors, typography, appearance settings)

Testimonial Information:

  • Testimonial content (text)
  • Author name and role
  • Author avatar images (JPEG, PNG, or WebP format, max 5MB)
  • Star ratings (1-5 stars)
  • Source information (manual entry, Twitter, LinkedIn, or public form submission)

Billing Information:

  • Stripe customer ID (created when you purchase a subscription)
  • Subscription status and plan type
  • No payment card details are stored on our servers—all payment information is processed and stored securely by Stripe

Public Form Submissions:

  • When someone submits a testimonial through your public testimonial form (if enabled), we collect their name, role, testimonial content, rating, and optional avatar URL. These submissions are marked as "pending" until you approve them.

2.2 Information Collected Automatically

Authentication Cookies:

  • We use cookies to maintain your login session
  • Cookie names: sb-[project-id]-auth-token, sb-[project-id]-auth-token.0, sb-[project-id]-auth-token.1
  • These cookies are essential for the Service to function

Usage Analytics:

  • We use Vercel Analytics to collect:
  • Page views and navigation paths
  • Performance metrics (Core Web Vitals)
  • Browser type and version
  • Device information
  • Geographic location (country/region level)
  • Referring website

Technical Data:

  • IP address (temporarily processed for security and analytics)
  • Browser and device information
  • Operating system

2.3 Information from Third Parties

Twitter/LinkedIn Integration:

  • If you choose to import testimonials from Twitter or LinkedIn, we may collect publicly available information from those platforms, including author names, profile images, and post content

3. How We Use Your Information

We use the collected information for the following purposes:

3.1 Service Provision

  • Provide, maintain, and improve the Service
  • Authenticate your identity and manage your account
  • Process and manage your projects and testimonials
  • Generate and display testimonial widgets on your website
  • Store and serve avatar images through our content delivery network

3.2 Billing and Subscriptions

  • Process payments through Stripe
  • Manage your subscription plan (Starter or Pro)
  • Send billing-related notifications
  • Provide access to Stripe's Customer Portal for subscription management

3.3 Communication

  • Send you magic link emails for authentication
  • Notify you of changes to the Service or your account
  • Respond to your requests, questions, and feedback
  • Send important service announcements

3.4 Analytics and Improvement

  • Analyze usage patterns to improve the Service
  • Monitor and analyze trends, usage, and activities
  • Detect and prevent technical issues and abuse
  • Understand user preferences and optimize user experience

3.5 Legal Compliance

  • Comply with legal obligations
  • Enforce our Terms of Service
  • Protect our rights, privacy, safety, or property
  • Resolve disputes

4. How We Share Your Information

We do not sell your personal information. We share information only in the following circumstances:

4.1 Service Providers

Supabase (Database & Authentication):

  • Hosts all application data including user profiles, projects, testimonials, and subscription records
  • Provides authentication services (magic link email delivery)
  • Located in: EU North (Stockholm, Sweden)
  • Privacy Policy: https://supabase.com/privacy

Stripe (Payment Processing):

  • Processes all payment transactions
  • Manages subscription billing and customer portal
  • Stores payment method information (we never see or store card details)
  • Located in: United States
  • Privacy Policy: https://stripe.com/privacy
  • PCI DSS Level 1 certified

Vercel (Hosting & Analytics):

  • Hosts the application and serves content
  • Provides analytics on website usage
  • Stores avatar images via Vercel Blob Storage
  • Located in: Global edge network
  • Privacy Policy: https://vercel.com/legal/privacy-policy

4.2 Public Display

Embeddable Widgets:

  • When you create a testimonial widget, approved testimonials are displayed on your website through an embedded iframe
  • This includes: testimonial content, author names, roles, avatars, ratings, and your branding settings
  • Widget URLs are publicly accessible (e.g., https://saywall.com/w/[widget-id])
  • Only testimonials you explicitly approve are made public

Public Testimonial Forms:

  • If you enable public testimonial submission, anyone can submit testimonials via your public form
  • Submissions remain "pending" until you review and approve them
  • Unapproved testimonials are never displayed publicly

4.3 Legal Requirements

  • We may disclose information if required by law, regulation, legal process, or governmental request
  • To protect our rights, users' safety, or investigate fraud
  • In connection with a merger, acquisition, or sale of assets (with user notification)

5. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy:

Account Data:

  • Retained until you delete your account
  • After account deletion, data is permanently removed within 30 days

Testimonial Data:

  • Retained as long as your project exists
  • Deleted when you delete the project or individual testimonials

Billing Records:

  • Subscription history retained for 7 years to comply with tax and accounting regulations
  • Payment information is stored and retained by Stripe according to their policies

Analytics Data:

  • Aggregated analytics data may be retained indefinitely
  • Individual usage data retained for up to 24 months

Avatar Images:

  • Stored in Vercel Blob Storage as long as the testimonial exists
  • Deleted when the associated testimonial is deleted

6. Your Privacy Rights

Depending on your location, you may have the following rights:

6.1 Access and Portability

  • Request a copy of your personal information in a machine-readable format
  • Access your data through your account dashboard

6.2 Correction and Updating

  • Update your account information, projects, and testimonials at any time through your dashboard
  • Request corrections to inaccurate information

6.3 Deletion (Right to be Forgotten)

  • Delete your account and associated data at any time
  • Request deletion of specific testimonials or projects
  • Note: Some information may be retained for legal compliance

6.4 Objection and Restriction

  • Object to processing of your personal information
  • Request restriction of processing in certain circumstances

6.5 Withdraw Consent

  • Withdraw consent for cookie usage (though this may limit Service functionality)
  • Opt out of non-essential cookies

6.6 Data Portability

  • Request transfer of your data to another service provider (where technically feasible)

6.7 Lodge a Complaint

  • Right to lodge a complaint with your local data protection authority

To exercise your rights, contact us at: hello@saywall.io

We will respond to requests within 30 days (GDPR) or 45 days (CCPA) as required by law.

7. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

7.1 Right to Know

  • Categories of personal information collected
  • Sources from which information was collected
  • Business or commercial purposes for collection
  • Categories of third parties with whom we share information

7.2 Right to Delete

  • Request deletion of personal information we have collected
  • Subject to certain exceptions under CCPA

7.3 Right to Opt-Out

  • We do not sell or share your personal information for cross-context behavioral advertising
  • We do not sell personal information of minors under 16

7.4 Right to Non-Discrimination

  • You will not receive discriminatory treatment for exercising your CCPA rights

7.5 Authorized Agent

  • You may designate an authorized agent to make requests on your behalf

To submit a CCPA request: Contact us at hello@saywall.io with "CCPA Request" in the subject line.

8. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):

8.1 Legal Basis for Processing

We process your personal information based on:

Contractual Necessity:

  • To provide the Service you requested
  • To process payments and manage subscriptions

Legitimate Interests:

  • To improve and optimize the Service
  • To detect and prevent fraud
  • To analyze usage patterns

Consent:

  • For non-essential cookies and analytics (where required)
  • For marketing communications (if applicable)

Legal Obligations:

  • To comply with tax, accounting, and legal requirements

8.2 Data Controller

Saywall acts as the data controller for your personal information. For GDPR-related inquiries, contact: hello@saywall.io

8.3 International Transfers

Your data may be transferred to and processed in countries outside the EEA. We ensure adequate safeguards through:

  • Standard Contractual Clauses (SCCs)
  • Data Processing Agreements with service providers
  • Adherence to GDPR principles by our processors

8.4 Right to Lodge a Complaint

You may lodge a complaint with your local supervisory authority:

  • UK: Information Commissioner's Office (ICO) - https://ico.org.uk
  • EU: Find your authority at https://edpb.europa.eu/about-edpb/board/members_en

9. Children's Privacy

Saywall is not intended for use by individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children.

If you believe we have inadvertently collected information from a child, please contact us immediately at hello@saywall.io, and we will promptly delete such information.

10. Security Measures

We implement industry-standard security measures to protect your information:

10.1 Technical Safeguards

  • Encryption: Data transmitted via HTTPS/TLS encryption
  • Database Security: Row Level Security (RLS) on all database tables
  • Authentication: Secure passwordless authentication via magic links
  • Access Control: Role-based access control for projects and data

10.2 Organizational Safeguards

  • Limited access to personal information (need-to-know basis)
  • Regular security audits and updates
  • Service role key protection (manual filtering patterns)
  • Webhook signature verification for external integrations

10.3 Third-Party Security

  • Stripe: PCI DSS Level 1 certified for payment processing
  • Supabase: ISO 27001, SOC 2 Type II compliant (verify at https://supabase.com/security)
  • Vercel: SOC 2 Type II compliant (verify at https://vercel.com/security)

Note: No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

11. International Data Transfers

Saywall operates globally and may transfer data across international borders:

Data Locations:

  • Supabase Database: EU North (Stockholm, Sweden)
  • Vercel Edge Network: Global (data replicated across regions)
  • Stripe: United States

Transfer Mechanisms:

  • Standard Contractual Clauses (SCCs) for EU transfers
  • UK International Data Transfer Agreement (IDTA) for UK transfers
  • Adequacy decisions where applicable
  • Data Processing Agreements with all processors

If you are located in the EEA, UK, or Switzerland, your data may be transferred to countries that do not have equivalent data protection laws. We ensure appropriate safeguards are in place.

12. Cookies and Tracking Technologies

12.1 Essential Cookies

Authentication Cookies (Required):

  • Purpose: Maintain your login session
  • Cookie Names: sb-[project-id]-auth-token, sb-[project-id]-auth-token.0, sb-[project-id]-auth-token.1
  • Duration: Session-based (cleared on logout)
  • Provider: Supabase
  • Can be disabled: No (required for Service functionality)

12.2 Analytics Cookies

Vercel Analytics (Optional):

  • Purpose: Understand usage patterns and improve the Service
  • Data Collected: Page views, performance metrics, device information
  • Duration: Up to 24 months
  • Provider: Vercel
  • Can be disabled: Yes (contact us to opt out)

12.3 Cookie Consent

We use essential cookies necessary for the Service to function. For non-essential cookies (analytics), we comply with:

  • GDPR (EU): Consent required before setting non-essential cookies
  • CCPA (California): Opt-out mechanism available
  • ePrivacy Directive: Prior consent for non-essential cookies

To manage cookie preferences: Contact us at hello@saywall.io to opt out of analytics cookies.

12.4 Third-Party Cookies

When you embed Saywall widgets on your website, the iframe may set cookies on your visitors' browsers. These are governed by this Privacy Policy.

12.5 Do Not Track Signals

We currently do not respond to "Do Not Track" (DNT) browser signals, as there is no industry standard for interpreting DNT signals.

13. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

How we notify you:

  • Material Changes: Email notification to registered users at least 30 days before changes take effect
  • Minor Changes: Updated "Last Updated" date at the top of this policy
  • Continued Use: Your continued use of the Service after changes constitutes acceptance

Version History:

  • December 19, 2025: Initial version (v1.0)

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Saywall Support:

  • Email: hello@saywall.io
  • Address: Nagy-Eged utca 39, 3300 Eger, Heves, Hungary

Response Time: We aim to respond to all inquiries within 5 business days, and to formal data requests within 30 days (GDPR) or 45 days (CCPA).

15. Specific Jurisdictions

15.1 United States

State-Specific Privacy Rights:

  • California: CCPA/CPRA rights (see Section 7)
  • Virginia: Consumer Data Protection Act (VCDPA)
  • Colorado: Colorado Privacy Act (CPA)
  • Connecticut: Connecticut Data Privacy Act (CTDPA)
  • Utah: Utah Consumer Privacy Act (UCPA)

Residents of these states have similar rights to access, delete, correct, and opt-out of data processing. Contact us to exercise these rights.

15.2 Brazil (LGPD)

If you are in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD):

  • Right to confirmation of processing
  • Right to access your data
  • Right to correction of incomplete or inaccurate data
  • Right to anonymization, blocking, or deletion
  • Right to data portability
  • Right to information about public/private entities with whom we share data
  • Right to withdraw consent

15.3 Canada (PIPEDA)

Canadian residents have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) to:

  • Access personal information we hold
  • Challenge the accuracy and completeness of information
  • Request withdrawal of consent (subject to legal or contractual restrictions)

15.4 Australia (Privacy Act)

Australian residents have rights under the Privacy Act 1988, including:

  • Access to personal information
  • Correction of inaccurate information
  • Complaints to the Office of the Australian Information Commissioner (OAIC)

16. Business Transfers

If Saywall is involved in a merger, acquisition, asset sale, or bankruptcy:

  • Your personal information may be transferred to the acquiring entity
  • You will be notified via email and/or prominent notice on the Service
  • The acquiring entity will continue to honor this Privacy Policy unless you consent to a new policy
  • You may delete your account before the transfer is completed

17. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or significantly affects you.

18. Testimonial Approval Process

Important: Testimonials submitted through public forms or imported from social media are not publicly displayed until you explicitly approve them.

Approval Workflow:

  1. Testimonial submitted (status: "pending")
  2. You review in your dashboard
  3. You approve (status: "approved") or reject (status: "rejected")
  4. Only approved testimonials appear in public widgets

User Control:

  • You control which testimonials are displayed publicly
  • You can revoke approval at any time
  • Rejected/pending testimonials are never shown in widgets

19. Widget Embedding and Third-Party Websites

When you embed Saywall widgets on your website:

Data Shared with Widget Viewers:

  • Approved testimonials (content, author name, role, avatar, rating)
  • Your branding configuration (colors, fonts, appearance)
  • Widget type and layout settings

Widget Caching:

  • Widgets are cached for 5 minutes for performance
  • Updates to testimonials or branding may take up to 5 minutes to reflect

Third-Party Website Privacy:

  • Your website visitors are subject to your privacy policy
  • We recommend disclosing that you use Saywall to display testimonials
  • Iframe embedding may set cookies on visitors' browsers

20. Data Minimization

We practice data minimization by:

  • Collecting only information necessary for the Service
  • Not requiring phone numbers, physical addresses, or other unnecessary data
  • Using passwordless authentication (no password storage)
  • Allowing you to delete data at any time

21. Anonymization and Aggregation

We may use anonymized or aggregated data for:

  • Service improvement and analytics
  • Marketing and promotional purposes
  • Research and development
  • Industry benchmarking

Anonymized data cannot be used to identify you and is not subject to this Privacy Policy.

22. Your Responsibilities

As a Saywall user, you are responsible for:

  • Maintaining the security of your email account (used for magic link authentication)
  • Ensuring testimonials you approve comply with applicable laws
  • Respecting intellectual property rights when importing content from social media
  • Obtaining necessary consents from testimonial authors
  • Complying with your own privacy policy when embedding widgets

23. Accessibility

We are committed to making this Privacy Policy accessible to all users. If you require this policy in an alternative format, please contact us at hello@saywall.io.

Summary (Quick Reference)

What we collect:

  • Email address (for login)
  • Project and testimonial data you provide
  • Usage analytics (via Vercel Analytics)
  • Authentication cookies (essential)

How we use it:

  • Provide the Service
  • Process payments via Stripe
  • Display testimonial widgets
  • Improve the Service

Who we share with:

  • Supabase (hosting & database)
  • Stripe (payments only)
  • Vercel (hosting & analytics)
  • Public (approved testimonials only)

Your rights:

  • Access, correct, or delete your data
  • Export your data
  • Opt out of analytics
  • Lodge complaints with authorities

How to contact us:

  • Email: hello@saywall.io
  • Response time: 5 business days

Acknowledgment: By using Saywall, you acknowledge that you have read and understood this Privacy Policy.

Consent: You consent to the collection, use, and sharing of your information as described in this Privacy Policy.

Severability: If any provision of this Privacy Policy is found to be unenforceable, the remaining provisions will remain in full effect.

Governing Law: This Privacy Policy is governed by the laws of Hungary and the European Union, without regard to conflict of law provisions.

Questions? Contact us at hello@saywall.io

Last Updated: December 19, 2025