MintedSaaS Privacy Policy

Last updated: 17 May 2026

MintedSaaS ("we", "us") operates a public directory of software products. This page explains exactly what we collect, why, who we share it with, and what you can ask us to do with it. We've kept it specific to what the service actually does — not boilerplate.

Who is the data controller

mintedsaas.com is operated independently. Questions about this policy or requests under GDPR / UK GDPR / CCPA / CPRA go to [email protected].

What we collect, and when

  • Account email. Required to sign in (passwordless magic link via email, or Google OAuth). We store the address, when you verified it, and your assigned role (user / editor / admin).
  • Listing submissions. The product info you submit (name, tagline, description, website URL, optional logo image, optional pricing). Tied to your account. We also retain the IP address you submitted from to help moderators identify coordinated spam — visible only to admin/editor users in the moderation panel, never published or shared with third parties.
  • Comments. Plain text + the account they were posted from. Public.
  • Outbound-click events. When a visitor clicks a listing's external link, we record the referrer domain and UTM parameters. We do not store IP addresses with these events.
  • Newsletter opt-in (if you choose). Email + the timestamp + which form you opted in from. One-click unsubscribe in every email. We keep an audit history of opt-ins and opt-outs as required by GDPR.
  • Session cookies. One HttpOnly session cookie (30-day rolling expiry) and a CSRF token cookie. Both are strictly necessary for the service to function under GDPR/ePrivacy, so no consent banner is required. The site does not set third-party analytics or advertising cookies. If self-hosted Umami is enabled by the operator, it runs cookieless by design.
  • Bot-protection signals. Comment and newsletter forms use Cloudflare Turnstile, which generates a short-lived token client-side. We pass the token to Cloudflare for verification; we don't store it.
  • Server logs. Standard request logs (timestamp, path, status, duration, request id). Retained ~30 days for debugging.
  • Public crawl of your product site (only if you submit a listing). Our backlink checker fetches your declared homepage daily to verify the badge link is in place and the site is reachable. It identifies itself in the User-Agent and links to /about/our-bot.

What we do NOT collect

  • We do not run third-party advertising or analytics that fingerprint visitors. If analytics are enabled, they use self-hosted Umami — no cookies, no cross-site identifiers, IPs are not retained.
  • We do not sell personal information. We don't share email lists.
  • We do not track which listings you read while signed out. Click tracking is aggregated per listing, not per visitor.

Why we process what we process

  • Email + session cookie: to sign you in and keep you signed in (legal basis: contract — necessary to provide the service).
  • Listing + comment content: to publish the directory you submitted to (legal basis: contract).
  • Newsletter: to send you the newsletter you opted in to (legal basis: consent; revocable any time).
  • Outbound clicks: to compute aggregate "Momentum" signals on each listing (legal basis: legitimate interest in operating the directory; aggregated only).
  • Bot protection + rate limits: to defend the service against spam and abuse (legal basis: legitimate interest).
  • Backlink crawl: to enforce the listing-exchange policy that keeps the directory honest (legal basis: legitimate interest; we crawl public web pages, identify ourselves in the User-Agent, and respect robots.txt for everything other than the single homepage URL you declared for verification).

Sub-processors we share data with

We use the minimum number of third parties needed to run the service. Each one processes the specific category of data noted; none gets the full dataset.

  • Resend — transactional email (magic-link sign-in, notifications, newsletter). Receives recipient address + message body.
  • Google — only if you choose "Continue with Google". Standard OAuth handshake; we receive your email + name + profile picture URL.
  • Cloudflare Turnstile — bot challenge widget on comment + newsletter forms. Cloudflare receives the page URL + the challenge response per their privacy policy. If JavaScript is disabled, the challenge never loads and nothing is sent to Cloudflare, but those forms cannot be submitted either.
  • Cloudflare R2 — if the operator has enabled remote uploads, logo and screenshot images are stored in an R2 bucket and served via CDN.
  • Anthropic — if you click "Fill with AI" when drafting a submission, we send the candidate URL's page content to Anthropic's API to extract a starting draft. Used at most once per submission.
  • Sentry — only if the operator has configured an error-tracking endpoint. Receives exception stack traces with personal data scrubbed, plus request ids.

How long we keep things

  • Account + listings + comments: kept while your account exists. Submit a deletion request and we'll remove them (and anonymise comments that quote other users).
  • Newsletter consent records: kept indefinitely (this is the audit trail proving you opted in — required by GDPR Art. 7).
  • Outbound-click events: ~90 days at row level, aggregated Momentum signals indefinitely.
  • Server logs: ~30 days.

Your rights

If you're in the EU / UK / California / similar regimes, you can ask us to:

  • Confirm what data we have about you, and give you a copy
  • Correct anything wrong
  • Delete your account and the data attached to it
  • Export your submissions and comments in a portable format
  • Withdraw newsletter consent (one-click in every email)
  • Object to our processing on legitimate-interest grounds
  • Complain to your local supervisory authority if you think we've handled your data poorly

Email [email protected]. We aim to respond within 30 days.

Security

Database access is restricted to the directory's own services. Auth.js session cookies are HttpOnly, SameSite-restricted and signed. Admin and editor accounts are configured via environment-variable allowlists, not self-promotion: a role is derived from the allowlist at sign-in and is never taken from anything the user submits. We use parameterised queries (Prisma) throughout.
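The allowlist-based role assignment described above, as an added illustration that is not MintedSaaS's own code. It assumes two comma-separated environment variables, ADMIN_EMAILS and EDITOR_EMAILS, and function names of its own invention; the sample environment at the bottom is constructed for the example. The point it demonstrates is that the role is computed server-side from the allowlist and that any role field arriving with the sign-in profile is discarded.

```javascript
// Added example (not the project's code). Assumed env vars: ADMIN_EMAILS,
// EDITOR_EMAILS (comma-separated). Role is derived here, never trusted from input.

// Parse a comma-separated allowlist into a Set of normalised addresses.
// Normalisation (trim + lowercase) must match what we apply to sign-in emails,
// otherwise "Owner@Example.com" in the env would silently fail to match.
function parseAllowlist(raw) {
  return new Set(
    (raw || "")
      .split(",")
      .map((entry) => entry.trim().toLowerCase())
      .filter(Boolean)
  );
}

// Map a sign-in email to a role. Admin wins over editor if an address is in
// both lists; anything not allowlisted is a plain user. An empty or missing
// email can never be elevated.
function roleForEmail(email, env) {
  const normalised = (email || "").trim().toLowerCase();
  if (!normalised) return "user";
  if (parseAllowlist(env.ADMIN_EMAILS).has(normalised)) return "admin";
  if (parseAllowlist(env.EDITOR_EMAILS).has(normalised)) return "editor";
  return "user";
}

// Build the user object stored in the session at sign-in. Only email and name
// are read from the OAuth/magic-link profile; a `role` key in the incoming
// profile (or in any request body) is ignored, so self-promotion is impossible.
function buildSessionUser(profile, env) {
  const email = (profile && profile.email ? profile.email : "").trim().toLowerCase();
  if (!email) throw new Error("sign-in profile has no email");
  return {
    email,
    name: profile.name || null,
    role: roleForEmail(email, env), // computed, never copied from `profile.role`
  };
}

// Constructed sample environment for running this example offline.
const SAMPLE_ENV = {
  ADMIN_EMAILS: "Owner@example.com",
  EDITOR_EMAILS: "ed@example.com, mod@example.com",
};

module.exports = { parseAllowlist, roleForEmail, buildSessionUser, SAMPLE_ENV };
```

A self-promotion attempt looks like a profile or request carrying `role: "admin"`; because buildSessionUser never reads that key, the result is whatever the allowlist says. Note also that the allowlist is re-evaluated on each sign-in, so removing an address from the environment and redeploying demotes that account at its next login.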

International transfers

Resend, Cloudflare, Google, Anthropic, and Sentry are US-based. When we share data with them we rely on their published Data Processing Agreements and Standard Contractual Clauses.

Children

The directory is not directed at children under 13. If you become aware that a child has provided us personal information, contact us and we'll remove it.

Changes to this policy

We'll update the "last updated" date at the top whenever this changes. For material changes we'll notify newsletter subscribers and accountholders by email.