Privacy Policy (Web Version) - SAS Max

1. Introduction

Snono Systems ("we", "our", or "us") operates the SAS Max web application (the "Web App"). This Privacy Policy specifically addresses how we collect, use, store, and protect your personal information when you use SAS Max via web browsers (Progressive Web App or standard web version).

This policy is tailored to the web platform and its unique data collection methods, including cookies, browser storage, and web APIs. For mobile app privacy information, please refer to our standard Privacy Policy.

By using the SAS Max Web App, you agree to the collection and use of information in accordance with this policy and applicable data protection laws (GDPR, CCPA).

                Key Difference from Mobile: The web version operates in a sandboxed browser
                environment and does NOT have access to native device features like camera, Bluetooth, or file system.
                All data is stored securely in browser storage (localStorage, IndexedDB) with encryption.
            

2. Information We Collect

The SAS Max Web App collects and processes the following types of information:

2.1 Account & Authentication Data

License codes
Usernames and passwords (encrypted using AES-256-CBC)
Manager permissions and access control lists (ACL)
Authentication tokens (JWT, stored in browser localStorage)
Multi-account credentials for switching between accounts

2.2 Browser Storage Data

localStorage: User preferences, theme settings, language selection, account list
sessionStorage: Temporary session data (cleared when browser tab closes)
IndexedDB: Offline cache for dashboard data, card templates, print jobs (max 7 days)
Cookies: Session cookies for authentication, analytics cookies (see Section 13)

2.3 Service Provider & Operational Data

Internet Service Provider (ISP) account credentials (encrypted in browser storage)
ISP usage data, quotas, subscription information, and billing records
Network Access Server (NAS) configurations
User management data (online users, profiles, groups)

2.4 Card Printing Data

Card generation records (series, batches, print jobs)
Card template designs and configurations (stored in browser + backend)
PDF generation history and distribution records
Print audit logs (90-day retention)

2.5 Technical & Analytics Data

Browser Information: Browser type, version, operating system, screen resolution
IP Address: Server logs for API requests (used for rate limiting and security)
Usage Analytics: Firebase Analytics (Web SDK) for app usage patterns
Performance Metrics: Firebase Performance for page load times and API latency
Error Logs: JavaScript errors and stack traces (no personal data included)

2.6 Web APIs Used

Clipboard API: For copy/paste functionality (user-initiated only)
Web Share API: For sharing reports and templates (user-initiated only)
Notification API: Browser push notifications (only if user grants permission)
Service Workers: For PWA offline functionality and background sync

                Web Limitations: The web version does NOT access: Camera, Bluetooth, native file system,
                biometric authentication, or device location. All features requiring these capabilities are disabled in the web version.
            

3. How We Use Your Information

We use the collected information for the following purposes:

Service Delivery: Authenticate users, manage access permissions, and provide core WISP management functionality
Offline Functionality: Cache data in IndexedDB for PWA offline mode (configurable retention)
ISP Management: Monitor usage, track quotas, send alerts for ISP accounts
Card Printing: Generate PDF cards, track print jobs, provide audit trails
Analytics: Improve web app performance, identify bugs, and enhance user experience (via Firebase Web SDK)
Support: Troubleshoot technical issues and provide customer assistance
Security: Detect unauthorized access, prevent fraud, enforce rate limiting
Personalization: Remember your preferences (theme, language, dashboard layout) using localStorage

4. Data Storage and Security

4.1 Browser Storage

Credentials are stored in browser localStorage with AES-256-CBC encryption
Sensitive data (passwords, API tokens) are NEVER stored in plain text
Session data is cleared when you close the browser tab (sessionStorage)
Offline cache is stored in IndexedDB with configurable retention (default 7 days)
All browser storage is sandboxed per-origin (max.pro-service.link)

4.2 Data Transmission

All data is transmitted via HTTPS (TLS 1.3) with end-to-end encryption
POST request payloads are encrypted using AES-256-CBC (CryptoJS-compatible)
JWT tokens are used for authentication (short expiration, auto-refresh)
Backend servers use industry-standard security measures (Laravel security best practices)

4.3 Backend Storage

User data is stored in MySQL databases with encrypted passwords (bcrypt hashing)
ISP credentials are encrypted using Laravel Crypt (AES-256-CBC) and never exposed in API responses
Database backups are encrypted and stored securely

4.4 Data Retention

Account data is retained while your license is active
ISP usage history: 90 days
Print audit logs: 90 days
Browser cache: 7 days (configurable, cleared automatically)
Deleted accounts are permanently removed within 30 days
Cookies: Session cookies expire on browser close, analytics cookies expire after 2 years (see Section 13)

5. Cookies and Similar Technologies

We use cookies and similar technologies to provide, protect, and improve our services. You can control cookie settings through your browser preferences.

5.1 Types of Cookies Used

Cookie Type	Purpose	Expiration	Required?
Session Cookies	Maintain authentication state, prevent CSRF attacks	Browser close	Yes (Essential)
Preference Cookies	Remember theme, language, font size preferences	1 year	No (Functional)
Analytics Cookies	Firebase Analytics (usage patterns, page views)	2 years	No (Analytics)
Performance Cookies	Firebase Performance (page load times, API latency)	2 years	No (Performance)

5.2 Third-Party Cookies

Firebase (Google): Analytics and performance monitoring cookies
You can opt out of Firebase Analytics in app settings or via browser Do Not Track

5.3 Managing Cookies

You can control cookies through:

Browser Settings: Most browsers allow you to block or delete cookies
In-App Settings: Disable analytics and performance tracking in app settings
Do Not Track: We respect browser Do Not Track signals for analytics cookies

                Note: Blocking essential session cookies will prevent you from logging in.
                Non-essential cookies (analytics, performance) can be disabled without affecting core functionality.
            

6. Data Sharing and Disclosure

We do not sell, rent, or share your personal information with third parties, except in the following cases:

Service Providers: Firebase (Google) for web analytics, performance monitoring, and crash reporting
Legal Requirements: When required by law, court order, or government regulations
Business Transfers: In the event of a merger, acquisition, or sale of assets (you will be notified in advance)

We NEVER share:

Your passwords or ISP credentials with anyone (encrypted in browser, never sent to third parties)
Card generation data with unauthorized parties
Personal information with advertisers or marketing companies

7. Your Rights (GDPR & CCPA Compliance)

Under GDPR (European Union) and CCPA (California), you have the following rights:

7.1 GDPR Rights (EU Users)

Right to Access: Request a copy of your data stored in our systems
Right to Rectification: Update or correct inaccurate information
Right to Erasure ("Right to be Forgotten"): Request deletion of your account and associated data via https://max.pro-service.link/delete-account (7-day grace period, permanent deletion within 30 days)
Right to Data Portability: Download your data in a portable format (JSON/CSV)
Right to Restrict Processing: Limit how we process your data
Right to Object: Object to analytics and performance tracking
Right to Withdraw Consent: Withdraw cookie consent at any time

7.2 CCPA Rights (California Users)

Right to Know: What personal information we collect and how it's used
Right to Delete: Request deletion of your personal information via https://max.pro-service.link/delete-account
Right to Opt-Out: Opt out of data sale (we do NOT sell your data)
Right to Non-Discrimination: We will not discriminate against you for exercising your rights

7.3 How to Exercise Your Rights

To exercise these rights:

Data Deletion: Submit a request at https://max.pro-service.link/delete-account
Other Requests: Contact us at englishh7366@gmail.com

We will respond within 30 days for GDPR requests and 45 days for CCPA requests.

                Clear Your Data: You can manually clear browser data (localStorage, IndexedDB, cookies)
                by clicking "Clear All Data" in app settings or using browser developer tools.
            

8. Third-Party Services

The SAS Max Web App integrates with the following third-party services:

8.1 Firebase Web SDK (Google LLC)

Firebase Analytics: Web usage analytics (page views, user flows)
Firebase Performance: Performance monitoring (page load times, API latency)
Data Collected: Browser info, IP address, page views, session duration
Privacy Policy: https://policies.google.com/privacy
Opt-Out: Disable in app settings or use Google Analytics Opt-out Browser Add-on

8.2 ISP Provider APIs

We connect to ISP provider APIs (e.g., WE Telecom Egypt) to retrieve usage data
Credentials are encrypted in browser localStorage and transmitted securely via HTTPS
We do NOT share ISP credentials with any third party
API requests are made directly from the web app (no proxy servers)

9. Children's Privacy

SAS Max is a business application intended for professional use only. We do not knowingly collect personal information from children under 13 (or 16 in the EU). If you believe a child has provided us with personal information, please contact us immediately at englishh7366@gmail.com.

10. International Data Transfers

Your data may be transferred to and processed in countries other than your own (primarily Egypt). We ensure that such transfers comply with applicable data protection laws (GDPR, Privacy Shield):

Encryption in Transit: All data is encrypted using HTTPS (TLS 1.3)
Standard Contractual Clauses: We use EU-approved SCCs for data transfers
Adequate Safeguards: Backend servers follow GDPR security standards

11. Security Measures

We implement multiple security layers to protect your data:

11.1 Web Application Security

HTTPS Enforcement: All traffic is encrypted (TLS 1.3)
Content Security Policy (CSP): Prevents XSS attacks
CORS Protection: Restricts API access to authorized origins
CSRF Protection: Laravel CSRF tokens for all POST requests
Rate Limiting: Prevents brute force attacks (5 login attempts per minute)

11.2 Data Encryption

Browser Storage: AES-256-CBC encryption for sensitive data in localStorage
API Payloads: AES-256-CBC encryption for POST request bodies
Database: Bcrypt password hashing, encrypted ISP credentials (Laravel Crypt)

11.3 Authentication

JWT Tokens: Short expiration (60 minutes), auto-refresh, secure storage
Multi-Account Support: Account switching without re-entering credentials
Session Management: Automatic logout on inactivity (configurable)

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted in the web app and on our website at https://max.pro-service.link/privacy-policy/web.

You will be notified of significant changes via:

In-app banner notification
Email (if provided in your account settings)
Homepage announcement

Continued use of the web app after changes constitutes acceptance of the updated policy.

13. Cookie Policy (Detailed)

In compliance with GDPR and ePrivacy Directive, we provide this detailed cookie policy. By using the SAS Max Web App, you consent to the use of cookies as described below.

13.1 Cookie Consent

On first visit, you will see a cookie consent banner
You can accept all cookies, reject non-essential cookies, or customize settings
Your consent preferences are stored in localStorage
You can change cookie settings at any time via app settings

13.2 Cookie Duration

Session Cookies: Deleted when browser closes
Persistent Cookies: 1-2 years (analytics/performance)
Preference Cookies: 1 year (theme, language)

13.3 Disabling Cookies

Browser-specific instructions:

Chrome: Settings → Privacy and security → Cookies and other site data
Firefox: Preferences → Privacy & Security → Cookies and Site Data
Safari: Preferences → Privacy → Manage Website Data
Edge: Settings → Cookies and site permissions → Cookies and site data

14. Contact Us

Snono Systems

Email: englishh7366@gmail.com

Website: https://max.pro-service.link

Web Privacy Policy URL: https://max.pro-service.link/privacy-policy/web

Data Protection Officer: englishh7366@gmail.com

Address: Egypt

15. Consent

By using the SAS Max Web App, you consent to:

Collection and processing of your personal information as described in this policy
Use of cookies and browser storage for app functionality (subject to your cookie preferences)
Encrypted transmission of data to our backend servers (HTTPS + AES encryption)
Storage of credentials in browser localStorage with encryption
Use of Firebase Web SDK for analytics and performance monitoring (opt-out available)

Platform-Specific Policy: This privacy policy is tailored for the web version of SAS Max. For mobile app privacy information, please refer to our standard Privacy Policy at https://max.pro-service.link/privacy-policy.