Trust, verified
SaaSTweaks is built for buyers who actually use the tools they evaluate. Here's exactly how we verify what we publish, where the money comes from, and what we do with your data.
30 days: pricing page re-verify cycle
14 days: deal re-verify cycle
100% of deals tested by a human
GDPR Compliant
SaaSTweaks follows EU General Data Protection Regulation requirements: lawful basis for every data field collected, 30-day deletion on request, named EU representative, breach notification within 72 hours, and a public Data Processing Addendum for partners.
CCPA Compliant
California Consumer Privacy Act compliance: a Do Not Sell or Share My Personal Information link in the footer, no sale of personal data to third parties, and a 45-day response window for verifiable consumer requests filed by California residents.
Verified by Editors
Every deal is verified weekly by the SaaSTweaks editorial team. Broken offers are pulled within 24 hours and the deal page is replaced with a dated note explaining what changed.
How we verify
1. Test coupon: run the code through real checkout
2. Verify pricing: compare list vs. discounted total
3. Check complaints: scan G2, Reddit, Twitter for red flags
4. Set re-verify date: auto-flag for the next human review
Every deal page on SaaSTweaks ships with a "verified on" timestamp. That date isn't decorative — it's the day a member of our editorial team last opened the vendor's checkout, applied the discount, and confirmed it landed at the price we publish. If a coupon goes dark or a vendor changes plan structure, the deal moves to "needs review" and disappears from the homepage until a human re-runs the check.
For pricing breakdowns and case studies, we read every word of the vendor's plan grid (including the asterisks). Hidden costs we surface — overage fees, mandatory add-ons, seat-tier traps — come from the same checkout walkthrough. We re-verify pricing pages on a 30-day rotation; deals on a 14-day rotation. The buyers who trust us deserve a freshness floor, not a "last updated 2 years ago" footnote.
Our reviewers sign their names. Bylines on every deal page link back to a profile that lists what they actually use day-to-day — so when a CFO recommends a finance tool, you can verify she runs a finance team.
Affiliate disclosure
1. Buyer: you click through
2. Vendor: you buy at the discount
3. Commission: vendor pays a referral fee
4. SaaSTweaks: lights stay on
SaaSTweaks earns commission when a buyer clicks through to a partner vendor and
converts. That's how the lights stay on. Every outbound link to a partner runs through
our /go redirector so we can attribute the click — but the redirect is transparent,
uses a 302, and never strips the URL the buyer ultimately lands on.
What commissions don't buy: editorial placement, ranking, or favorable copy. Our deal sort order is governed by verification freshness, savings size, and editor consensus — not commission rate. We've turned away vendors who tried to pay for higher rankings; we've also flagged tools we earn from when they pulled shady billing tactics. If a vendor relationship goes sideways, we publish that too.
Where required by jurisdiction (US FTC, UK ASA, EU national regulators), we disclose the affiliate relationship inline on the page, not buried in the footer.
Security
- TLS + HSTS: encrypted everywhere, preloaded.
- Cloudflare Edge: Workers-only runtime, no origin servers.
- D1 + R2: SQLite and object storage at the edge.
- PBKDF2 + Sessions: hashed admin auth, signed cookies.
SaaSTweaks runs entirely on Cloudflare's edge. Every request hits a Workers runtime; data sits in D1 (SQLite at the edge) and R2 (asset storage). TLS is enforced everywhere with HSTS preload, and we don't terminate user traffic on origin servers we have to keep patched ourselves.
Admin access is gated by a PBKDF2-hashed password and a signed session cookie. We never see, store, or transmit a buyer's payment information — purchases happen entirely on the partner vendor's checkout. We don't sell, lease, or share buyer data with advertisers, brokers, or list resellers.
Found a vulnerability? Email security@saastweaks.com. Responsible disclosure earns a public credit and a thank-you.
EU + UK: GDPR & UK GDPR
Full access, correction, export, and deletion rights. We respond within 30 days, usually under 72 hours. Cookie-free analytics, double opt-in newsletter.
California: CCPA & CPRA
Right to know, delete, and opt out of sale. We don't sell, but the toggle is honored regardless. No fee, no friction, no dark patterns.
GDPR
EU and UK buyers visiting SaaSTweaks have rights under GDPR (and the UK GDPR equivalent) to access, correct, export, and delete personal data we hold about them. If you've created an account, the data we hold is your email, an optional display name, your saved stacks, and your verification timestamps — nothing else.
We use Cloudflare Web Analytics for traffic stats, which is cookie-free and aggregates at the edge — no individual session tracking, no cross-site fingerprinting. Newsletter sign-ups go through a double opt-in, and unsubscribe is one click from any email.
To exercise any GDPR right, email privacy@saastweaks.com. We respond within 30 days, usually within 72 hours.
CCPA
California buyers have additional rights under the California Consumer Privacy Act (CCPA) and its CPRA amendments. SaaSTweaks does not sell personal information as defined by the CCPA — we don't share buyer data with third-party advertisers, data brokers, or analytics platforms that profile individuals.
You have the right to know what categories of personal information we've collected (above: email, display name, saved stacks), the right to request deletion, and the right to opt out of sale (we don't sell, but the toggle is honored regardless).
To exercise any CCPA right, email privacy@saastweaks.com. Verification is by reply-to-confirm to the email on file. No fee, no friction, no dark patterns.