🤔 Is this allowed? Privacy edition

ONLY IF DPA ALLOWS

May a SaaS tool use my customer data for product improvement?

Only if the DPA permits it. "Service improvement" clauses are often vague: request a specific scope, anonymisation and an opt-out.

Last reviewed: 25 May 2026

SaaS suppliers (HubSpot, Salesforce, Mailchimp, Slack, Zoom) often use customer data for their own "product improvement", AI training and benchmark aggregation. The processor basis (GDPR Art. 28) does NOT automatically cover that.

Requirements for lawful mining:

  (1) Explicitly in the DPA, not part of the general terms. Specific per use case: model training, benchmarking, feature development.
  (2) Anonymisation: k-anonymity or differential privacy, not pseudonymisation (see pseudonymisation).
  (3) An opt-out option for the controller (you).
  (4) Purpose limitation, not "anything we want".
  (5) Transparency towards end users in the SaaS privacy statement.

What do you do as controller?

  (1) Get the DPA and read it thoroughly.
  (2) If it contains a vague "service improvement" clause, ask for the specific scope.
  (3) Opt out if possible.
  (4) Inform your end users in your privacy statement.

Examples of problems from 2024-2025: the Zoom training-data affair, the HubSpot AI-feature rollout without opt-in, and Slack workspace data used for AI training.

Fine risk: the SaaS supplier can be fined for an Art. 28 violation, and you as controller are also liable. "It was in the general terms" is not a defence; it remains your responsibility.
