Privacy Policy

Effective: 2 May 2026

What we collect

  • Account info: your email and a bcrypt-hashed version of your password. We never see your plaintext password.
  • Billing info: handled entirely by our payment processor (Stripe). We store the subscription status and the last 4 digits of your card; we never see the full card number, CVC, or expiry.
  • Usage data: anonymous request logs (IP address, user agent, requested URL, response code) kept for up to 30 days for debugging and abuse prevention.

What we don't collect

  • No third-party advertising trackers.
  • No analytics tracking individual users (we may use aggregate, privacy-preserving server-side counts).
  • No cookies beyond an httpOnly session cookie required for login.

How we use it

  • To authenticate you and provide the Service.
  • To bill you for the plan you selected.
  • To detect abuse (rate-limiting, scraping detection).
  • To send transactional emails (receipts, password resets, account notices).

We do not sell your data. We do not share it with advertisers.

Where it's stored

  • User accounts: Supabase Postgres in the EU (Zurich region).
  • Application servers: Railway (EU region for EU customers).
  • Payment data: Stripe (their privacy policy at stripe.com/privacy).

Your rights (GDPR / UK GDPR)

If you're in the EU or UK, you have the right to:

  • Access the data we hold about you
  • Have it corrected
  • Have it deleted (“right to be forgotten”)
  • Export it (data portability)
  • Object to its processing
  • Lodge a complaint with your local data protection authority

To exercise any of these rights, email privacy@signalidx.app. We will respond within 30 days.

Retention

  • Account data: kept while your account is active. Deleted within 30 days of account closure (some financial records kept for 7 years to satisfy tax law).
  • Logs: 30 days, then deleted.

Security

Passwords are hashed with bcrypt (cost factor 11). Sessions use signed JWTs in httpOnly, secure cookies. The database is locked down with row-level security; only our service-role key (kept in the deploy environment) can read user records. We use HTTPS exclusively (HSTS preload). We follow a defense-in-depth posture: rate limiting, security headers, and input validation on all auth routes.

If you spot a security issue, please email security@signalidx.app. We'll respond within 72 hours.

Children

The Service is not directed at children under 16. If you believe a child has created an account, email us and we'll delete it.

Changes

We may update this policy. Material changes will be notified via email at least 14 days before they take effect.

Contact

Questions: privacy@signalidx.app