Draft. Written by the operator as a transparent baseline, not yet
reviewed by counsel. Final policy will be published before the product is
opened to paying customers. The product is currently mock-data only and
has no real backend; this document describes intent for the production
system as designed.
The short version
We collect the minimum needed to run the Service.
We don't sell your data.
We don't surveil you across the web. There are no marketing trackers on this site as of the date above; the only first-party telemetry is anonymised request metrics from Cloudflare and (when wired) privacy-first product analytics.
You can delete your account and the data tied to it at any time.
1. What we collect
Account data
Email address. Required to sign in and to send transactional notifications (drift alerts, fracture alerts, billing receipts).
Authentication provider identifier if you sign in with Apple or Google (Apple's relay address counts as your email for our purposes).
Plan and billing status (active, trialing, cancelled). Card data is handled by Stripe; we never see your full card number.
Usage data
Which questions and assets you view. We use this to compute personalised "saved" lists and to trigger alerts you've opted into.
Your portfolio entries, if you choose to track holdings. These are not transmitted to any broker; thesignals is read-only. You can clear them at any time in Settings.
Notification preferences and tracked-model toggles.
Technical data
Request metadata (IP address, user agent, requested path) as logged by Cloudflare's edge. Cloudflare retains these for short windows for abuse and DDoS protection.
Error reports sent to our error-tracking provider (Sentry) when the app crashes. We strip URLs of user-identifying segments where reasonable.
Aggregate product metrics (page views, conversion-funnel events) collected by a privacy-first analytics provider that does not set cross-site tracking cookies. We do not ship a Facebook Pixel, Google Analytics, or similar.
2. What we do not collect
We do not buy or enrich your identity from data brokers.
We do not link your usage to your real-world social profiles.
We do not record your screen, keystrokes, or session replays.
3. How we use it
To run your account and bill you.
To send you alerts and notifications you have opted into.
To debug, secure, and improve the Service.
To compute aggregate, anonymised statistics about which questions and assets are most viewed.
We do not use your account data to train AI models. We do not sell or
rent your personal information.
4. Who we share it with
Service providers we use to run the product. Each is bound by a Data
Processing Agreement (or equivalent) and only processes data on our
instructions:
Cloudflare — hosting and edge delivery
Stripe — payment processing (when wired)
An auth provider (TBD between Clerk, Auth0, or self-hosted) — sign-in flow
An email provider (TBD between Resend / Postmark / SendGrid) — transactional email
Sentry — application error tracking
The Model Providers (OpenAI, Anthropic, Google, etc.) — only the fixed corpus questions are sent. Your personal data is never sent to a Model Provider.
5. Where it lives
Primary application data is stored in the United States. We may use
Cloudflare's global edge network to deliver static content and cache
public responses; that content travels through many regions.
6. How long we keep it
Account data — for as long as your account is active, plus 90 days after deletion for accounting and compliance.
Usage logs — 30 days, then aggregated.
Backups — up to 30 days; deletion requests propagate to backups at the next rotation.
7. Your rights
You can request the following at any time by writing to the contact
address on the About page:
Access — a copy of the personal data we hold about you.
Correction — fix anything inaccurate.
Deletion — remove your account and the data tied to it.
Portability — your data in a machine-readable format.
Opt-out — of any non-essential email (you can also unsubscribe directly from any email we send).
If you are in the EU or UK we treat these as GDPR/UK-GDPR rights and
respond within 30 days. If you are in California we treat these as
CCPA rights.
8. Children
thesignals is not intended for anyone under 18. We do not knowingly
collect personal information from children.
9. Changes
We may update this policy. Material changes are announced in-app and
by email at least 14 days before taking effect.
10. Contact
For privacy questions, see the contact channel on
/about.