SignalKit
Sign inGet Started

Data Protection

Last updated: April 2026

1. Scope

This page explains how SignalKit handles personal data under GDPR (EU/UK) and equivalent laws. It supplements our Privacy Policy.

2. Data Controller

For accounts you create on signalkit.ai, SignalKit acts as the data controller for account data (email, billing details, settings) and as a data processor for the prompts and brand data you submit for tracking.

3. Lawful Basis

We process personal data on the basis of: (a) contract performance — to deliver the service you signed up for; (b) legitimate interest — for product analytics, fraud prevention, and security; (c) consent — where required for marketing communications.

4. Subprocessors

SignalKit uses the following subprocessors. We review each annually and require equivalent data protection commitments.

  • Supabase — database, auth, storage
  • Hetzner — application hosting (Germany)
  • Upstash — Redis cache and rate limiting
  • Stripe — payment processing
  • OpenAI, Anthropic, Google, Perplexity, xAI, DeepSeek, Microsoft — LLM query execution
  • PostHog — product analytics
  • Sentry — error monitoring
  • Resend — transactional email

5. Data Retention

Account data is retained for as long as your account is active. After deletion, account data is purged within 30 days. LLM query results follow the retention window for your plan (5 years on all plans). Backups are retained for 30 days.

6. International Transfers

Our primary infrastructure (Supabase, Hetzner) is hosted in the EU. LLM providers may process query text in the US under Standard Contractual Clauses. We send only the prompt text — never your account email or identifiers — to LLM providers.

7. Your Rights (EU/UK)

You have the right to access, rectify, erase, restrict processing, object to processing, and request portability of your personal data. To exercise these rights, email [email protected] and we will respond within 30 days.

8. Data Processing Agreement

We sign DPAs on request for paid plans. Email [email protected] with your company name and we'll send our standard DPA for counter-signature.

9. Security

All data is encrypted in transit (TLS 1.2+) and at rest. API keys are stored as one-way hashes. Production access is limited to a small set of engineers using SSH keys with 2FA. We review security incidents publicly via our status page.

10. Contact

For data protection inquiries: [email protected].