Saha Sales Inc., a California corporation doing business as Saha Lighting Solutions ("Company," "we," "us," or "our"), operates the Lighting Studio platform ("Service"). This Privacy Policy explains what information we collect, how we use it, how we protect it, and your rights regarding it.
This Policy applies to: (1) Client administrators who use the admin panel, and (2) end users (your customers) who access the public-facing lighting layout tools hosted through the Service. The Service is a B2B platform; we do not sell to or knowingly collect data from children under 13.
| Category | What We Collect | Who It Applies To |
|---|---|---|
| Account Data | Email address, hashed password, role, account creation date | Client admin users |
| Client Content | IES photometric files, logos, branding images, category names uploaded by the Client | Client admins |
| Billing Metadata | Billing email, Stripe customer/subscription identifiers, selected plan, subscription status, renewal/cancellation dates, and terms acceptance metadata | Client administrators and billing contacts |
| Usage Analytics | Fixture selections, tool type used, session ID (random, non-persistent), page URL, referrer URL, job name (if entered), timestamp - collected only if the Client enables tracking for their account | End users of public tools |
| Technical / Log Data | IP addresses, browser type, request timestamps, error logs - collected automatically by server infrastructure | All visitors |
| Audit Log Data | Admin action records (e.g., tenant created, file uploaded, user reset) - associated with admin account, not end users | Client admins |
We do not collect names, physical addresses, phone numbers, or payment card numbers from end users of the public tools. Payment information is collected and processed by Stripe and is never stored on our servers.
We do not sell your data to third parties. We do not use Client Data or end-user data for advertising.
We use only essential, functional cookies necessary to operate the Service. No analytics, advertising, or third-party tracking cookies are set by this platform.
| Cookie Name / Type | Purpose | Duration |
|---|---|---|
| Session cookie | Maintains authenticated admin sessions (httpOnly, Secure, SameSite=Strict) | Session (expires on browser close or logout) |
| CSRF token | Protects state-mutating requests from cross-site request forgery | Session |
The public-facing tools do not set persistent tracking cookies. If usage analytics are enabled by a Client, a random, non-persistent session identifier is generated in browser memory for the duration of the session only — it is not stored in a cookie and does not follow the user across sessions or sites.
We engage the following sub-processors to operate the Service. Each sub-processor is contractually required to handle data only as directed by us and in compliance with applicable data protection law.
| Sub-Processor | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Stripe | Payment processing, subscription billing, and billing portal | Billing email, payment details, customer/subscription identifiers, selected plan, and subscription status | stripe.com/privacy |
| Resend | Transactional email delivery (password resets, account setup, billing notices) | Email address, reset/setup URLs, and account/billing message content | resend.com/privacy |
| Railway | Cloud application hosting and managed infrastructure | All application data, including database records and uploaded files, resides on Railway-managed servers | railway.app/legal/privacy |
| Cloudflare R2 / AWS S3 | Object storage for uploaded files (IES files, logos, branding assets) and backup archives | Uploaded file content and backup archives; no end-user PII beyond file metadata | cloudflare.com/privacypolicy / aws.amazon.com/privacy |
| Sentry | Application error monitoring and diagnostics | Error stack traces, request metadata, and environment context; personally identifiable data is scrubbed before transmission where possible | sentry.io/privacy |
We do not integrate with advertising networks, social media platforms, or data brokers. We will update this sub-processor list when we add or change sub-processors and will notify active Clients of material changes.
All data is stored on servers hosted by Railway (see above). We implement reasonable technical and organizational security measures including:
No security measure is 100% foolproof. In the event of a data breach that affects Client account data, we will notify affected Clients within 72 hours of becoming aware of the breach, as required by applicable law.
We retain personal data only as long as necessary for the purposes described in this Policy or as required by applicable law.
| Data Type | Retention Period |
|---|---|
| Admin account data (email, hashed password, role) | Retained while the subscription is active. Upon cancellation, account data is retained for 30 days to allow data export, then deleted unless a longer period is required by law. |
| Client content (IES files, logos, branding assets) | Retained while the subscription is active plus 30 days after cancellation. After 30 days, content is permanently deleted unless export is requested before then. |
| Billing metadata | Retained for a minimum of 7 years from the transaction date for tax, accounting, dispute, and legal compliance purposes, as required by applicable financial regulations. |
| Usage analytics events | Rolling window configurable by Client (7–365 days); events older than the configured window are pruned automatically. Default retention is 90 days. |
| Audit logs | 2 years from creation, then deleted automatically. |
| Server / infrastructure logs | Up to 30 days, as managed by Railway infrastructure. We do not retain separate application-level access logs beyond 30 days. |
| Backup archives | Local on-server backups are kept to the admin-configured retention count (default: last 3) and older copies are pruned automatically. Offsite backup copies (Cloudflare R2 / AWS S3) are automatically deleted 30 days after creation by a storage lifecycle policy, so no backup — and no data it contains — is retained offsite beyond 30 days. |
| Password reset tokens | 60 minutes from generation, then expired and deleted regardless of use. |
When a Client enables usage analytics, their end users' fixture interactions are tracked and stored. Clients are responsible for:
The Company acts as a data processor with respect to end-user analytics data. The Client is the data controller. Clients in the EU or processing EU resident data should contact us to execute a Data Processing Agreement (DPA).
Depending on your jurisdiction, you may have the following rights regarding your personal data:
To exercise these rights, contact us at the address below. We will respond within 30 days (or as required by applicable law).
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with specific rights regarding your personal information.
We do not sell personal information. We do not sell or share personal information with third parties for cross-context behavioral advertising purposes.
California residents have the right to:
To exercise these rights, contact us at edmond@sahalighting.com. We will verify your identity before processing your request and respond within 45 days as required by law.
We may update this Privacy Policy from time to time. When we make material changes, we will notify active Clients via the email address on file at least 30 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
Enterprise and EU-based Clients who require a Data Processing Agreement for GDPR compliance may download our standard DPA template. The DPA covers Controller/Processor obligations, security measures, sub-processor disclosure, Standard Contractual Clauses for international transfers, breach notification, and data deletion upon termination.
For privacy-related questions, requests, or to execute a DPA, contact:
Saha Sales Inc. (d/b/a Saha Lighting Solutions)
1823 N Solano Ave
Ontario, California 91764, USA
Email: edmond@sahalighting.com