1. Information We Collect

1.1 Information You Provide

• Account data: Name, email address, company name, job title, password (hashed)
• Payment data: Billing information processed by Stripe. We do not store credit card numbers.
• Campaign data: Email addresses, names, and other contact data you upload for campaigns
• Platform inputs: Data you enter into AI features — company names, pipeline data, signals, notes

1.2 Information Collected Automatically

• Usage data: Features used, queries run, pages visited, time spent on Platform
• Technical data: IP address, browser type, device type, operating system
• Cookie data: Session cookies, tracking cookies (see Cookie Policy)
• Campaign tracking: Email open events, link click events, UTM parameters

1.3 Information from Third Parties

• OAuth providers: If you sign in with Google or LinkedIn, we receive your name, email, and profile picture
• CRM integrations: If you connect HubSpot, Salesforce, or Pipedrive, we access data per your authorization scope

2. How We Use Your Information

3. How We Share Your Information

We do not sell your personal information. We share data only in the following circumstances:

3.1 Service Providers

• Anthropic: AI query processing (your inputs are transmitted to generate outputs)
• Stripe: Payment processing
• Supabase: Database hosting and authentication
• Netlify: Platform hosting and edge services

3.2 At Your Direction

When you connect CRM integrations (HubSpot, Salesforce, Pipedrive) or communication tools (Slack, Teams), you authorize data sharing with those services per your integration settings.

3.3 Legal Requirements

We may disclose information if required by law, subpoena, court order, or to protect our rights, property, or safety, or that of our users or the public.

3.4 Business Transfers

If Signal Engine is acquired, merged, or sold, your data may be transferred as part of that transaction. We will notify you before such a transfer and give you the opportunity to delete your account.

4. Your Rights and Choices

You have the following rights regarding your personal data:

• Access: Request a copy of all personal data we hold about you
• Correction: Request correction of inaccurate personal data
• Deletion: Request deletion of your account and all associated personal data
• Portability: Request your data in a machine-readable format
• Opt-out of marketing: Unsubscribe from marketing emails at any time via the unsubscribe link
• Cookie preferences: Adjust cookie settings via the cookie consent banner

To exercise these rights, email [email protected]. We will respond within 30 days.

5. GDPR (European Users)

If you are located in the European Economic Area, United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) applies to our processing of your data.

• Data Controller: AI Growth Signal Engine, Stockbridge, Georgia, USA
• Lawful bases: Contract performance, legitimate interests, and consent (as detailed in Section 2)
• International transfers: Your data is processed in the United States. We rely on Standard Contractual Clauses for transfers from the EEA.
• Right to lodge complaint: You have the right to lodge a complaint with your local data protection authority

6. CCPA (California Users)

California residents have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information we collect, use, and disclose
• Right to delete personal information (with certain exceptions)
• Right to opt-out of the "sale" of personal information — we do not sell personal information
• Right to non-discrimination for exercising CCPA rights

To submit a CCPA request, email [email protected] with "CCPA Request" in the subject line.

7. United Kingdom (UK GDPR & DUAA)

If you are located in the United Kingdom, your data is governed by the UK General Data Protection Regulation (UK GDPR) as amended by the Data (Use and Access) Act 2025 (DUAA), which came into force on 5 February 2026.

• Automated decision-making: Signal Engine uses AI to generate lead scores, signal scores, and strategic recommendations. These outputs constitute profiling under UK GDPR. You have the right to request human review of any AI-generated output that significantly affects you, to object to profiling, and to receive a meaningful explanation of the logic involved.
• Lawful basis: We process UK user data on the basis of contract performance and, for marketing communications, legitimate interest (as now explicitly permitted under the DUAA). A Legitimate Interests Assessment (LIA) is on file and available on request.
• PECR compliance: All marketing emails sent to UK contacts include a working unsubscribe mechanism, our business name, and a postal address. We do not send marketing SMS to UK contacts without prior express consent.
• EU AI Act (Article 50): For content delivered to users in the European Economic Area from 2 August 2026, AI-generated text outputs are disclosed as AI-generated where required. UK users are afforded the same disclosure standard voluntarily.
• Data transfers: Data is processed on servers in the United States. We rely on the UK International Data Transfer Agreement (IDTA) as our transfer mechanism for UK-to-US data flows.
• Your rights: Access, rectification, erasure, portability, restriction, and objection. File complaints with the Information Commissioner's Office (ICO) at ico.org.uk.

8. United Arab Emirates (UAE)

If you are located in the UAE, your data is governed by the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (UAE PDPL). Users within the Dubai International Financial Centre (DIFC) are additionally governed by the DIFC Data Protection Law (DIFC Law No. 5 of 2020).

• Lawful basis: We process UAE user data on the basis of contractual necessity and consent. Consent is obtained at signup and can be withdrawn at any time.
• Marketing communications: All commercial communications to UAE contacts include a clear opt-out mechanism. We do not send unsolicited SMS marketing to UAE contacts.
• Data transfers: UAE law permits cross-border data transfers where adequate protection is ensured. We ensure US-based processing meets the protection standards required under UAE PDPL.
• Your rights: Access, correction, deletion, and objection to processing. Contact [email protected] to exercise your rights. We respond within 30 days.
• DIFC users: Users within the DIFC may additionally file complaints with the DIFC Commissioner of Data Protection.

9. India (DPDPA)

If you are located in India, your data is governed by the Digital Personal Data Protection Act 2023 (DPDPA), which became effective in late 2025. Full enforcement by the Data Protection Board of India (DPBI) is expected around May 2027.

• Consent basis: Unlike GDPR, India's DPDPA does not recognize legitimate interest as a lawful basis for data processing. All personal data processing for Indian users is performed on the basis of explicit, informed, revocable consent obtained at signup.
• Consent notice: Before collecting any personal data, we provide a clear notice in English explaining what data we collect, why we collect it, and how it will be used. This notice is available in any Eighth Schedule language on request.
• Data Principal rights: You have the right to access, correct, and erase your personal data, and to withdraw consent at any time. Withdrawal of consent will result in account termination.
• Grievance redressal: Our Data Protection Officer (DPO) can be reached at [email protected]. We resolve grievances within 90 days. Unresolved grievances may be escalated to the DPBI.
• Children: We do not knowingly collect personal data from anyone under 18 in India. The DPDPA prohibits tracking, profiling, and targeted advertising directed at children, and we comply absolutely with this requirement.
• Cross-border transfers: Your data is processed on US-based servers. As of the date of this policy, the Indian government's country restriction list (negative list) has not been finalized. We will update this section and notify affected users if the US is placed on the restricted list.

10. Saudi Arabia (PDPL)

• Lawful basis: Processing of personal data of Saudi residents is performed on the basis of explicit, informed, and revocable consent or contractual necessity. Consent must be specific to the purpose for which data is collected.
• Sensitive data: We do not process sensitive personal data (religious beliefs, health, biometric, genetic, or criminal data) of Saudi residents under any circumstances.
• Cross-border transfers: Data of Saudi residents is processed on US-based servers. We apply Standard Contractual Clauses (SCCs) as approved by SDAIA for cross-border transfers and maintain a documented Transfer Risk Assessment. We do not transfer Saudi personal data to countries without adequate protection measures.
• Marketing communications: All commercial email and SMS communications to Saudi contacts require prior express opt-in consent as required by PDPL and the Communications, Space & Technology Commission (CST) anti-spam framework. Every commercial message includes our business name and a working opt-out mechanism.
• Controller registration: We have assessed our obligations under PDPL's controller registration requirements and will register with SDAIA's National Data Governance Platform as required.
• Data subject rights: Saudi data subjects have the right to access, correct, and request deletion of their personal data. We respond within 30 days. Contact [email protected] with "PDPL Request" in the subject line.
• Fines: Violations of PDPL carry fines up to SAR 5,000,000 (~$1.3M USD). We take compliance obligations seriously and maintain documented records of all processing activities involving Saudi personal data.

Note: The above summary is for informational purposes. Signal Engine is not a licensed Saudi legal advisor. Enterprise buyers in KSA should engage qualified Saudi counsel to assess their own compliance obligations before procurement.

11. Canada (PIPEDA & CASL)

• PIPEDA: Canadian users are protected under the Personal Information Protection and Electronic Documents Act (PIPEDA). We collect, use, and disclose personal information only for purposes that a reasonable person would consider appropriate, and we obtain meaningful consent before or at the time of collection.
• CASL — Commercial Email: Canada's Anti-Spam Legislation (CASL) is among the strictest email marketing laws in the world. All commercial electronic messages sent to Canadian contacts require express consent (not implied consent) unless a specific exemption applies. Every message includes our full business name, mailing address, and a working unsubscribe mechanism that is honored within 10 business days. CASL violations carry penalties up to CAD $10,000,000.
• CASL — Users of our Campaign Tools: If you use Signal Engine's Email Automation or SMS Campaign features to contact Canadian recipients, you are solely responsible for obtaining and documenting express consent from each recipient before sending. Signal Engine's campaign tools do not verify Canadian consent records. CASL compliance is your legal responsibility as the sender.
• Bill C-27 (Consumer Privacy Protection Act): Canada's privacy law reform (Bill C-27) is expected to take effect in 2027 and will strengthen data subject rights and consent requirements. We are monitoring this legislation and will update our practices accordingly before its effective date.
• Data transfers: Your data is processed on US-based servers. Under PIPEDA, transfers to third parties in other jurisdictions are permitted where we have contractual protections in place ensuring equivalent protection.
• Your rights: Access to your personal information and the right to challenge its accuracy. Contact [email protected]. Unresolved complaints may be escalated to the Office of the Privacy Commissioner of Canada.

12. Data Retention

We retain your personal data for as long as your account is active and for 30 days following account termination, after which it is permanently deleted. Campaign analytics data may be retained in anonymized/aggregated form for longer periods for product improvement purposes.

13. Security

We implement industry-standard security measures including encryption in transit (TLS), encrypted storage, access controls, and regular security reviews. However, no method of transmission over the internet is 100% secure. You accept the inherent security risks of providing information online.

14. Children's Privacy

Signal Engine is not directed at children under 18. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal information, contact us immediately.

This Acceptable Use Policy ("AUP") governs how you may use the AI Growth Signal Engine platform. Violations of this AUP may result in immediate suspension or termination of your account.

1. Permitted Uses

Signal Engine is designed for legitimate B2B sales, marketing, and revenue intelligence activities. Permitted uses include:

• Generating AI-powered insights about business accounts and prospects
• Creating and sending compliant commercial email campaigns to consenting recipients
• Sending SMS messages to recipients who have provided prior express written consent
• Tracking engagement on your own marketing campaigns
• Analyzing your own pipeline and revenue data
• Generating content for legitimate business outreach

2. Prohibited Uses

2.1 Illegal Activities

• Sending unsolicited SMS messages without prior express written consent (TCPA violation)
• Sending spam or unsolicited bulk email (CAN-SPAM / CASL violation)
• Using the Platform for any purpose that violates applicable local, state, national, or international law
• Engaging in phishing, fraud, or deceptive practices
• Collecting or using personal data in violation of GDPR, CCPA, or other privacy laws
• Impersonating another person or entity in outreach campaigns

2.2 Harmful and Abusive Conduct

• Harassment, threatening, or abusive outreach to any individual
• Using AI features to generate defamatory, discriminatory, or hateful content
• Generating content that facilitates violence, illegal activity, or harm to individuals
• Targeting vulnerable populations for predatory marketing

2.3 Platform Abuse

• Attempting to circumvent query limits, feature gates, or billing controls
• Reverse engineering, decompiling, or attempting to extract source code
• Automated scraping of Platform data or AI outputs at scale
• Sharing account credentials across multiple organizations
• Using the Platform to build a competing product
• Attempting to interfere with or disrupt Platform infrastructure

2.4 AI Misuse

• Using AI features to generate false testimonials, fake reviews, or fabricated case studies
• Generating AI content intended to deceive recipients about its AI origin where disclosure is legally required
• Attempting to manipulate AI outputs to circumvent Anthropic's usage policies
• Using AI-generated market data or financial projections as the sole basis for investment decisions without independent verification

3. Email and SMS Campaign Rules

When using Signal Engine's campaign features, you must:

• Only send to recipients who have opted in or who you have a legitimate business reason to contact
• Include a clear, working unsubscribe mechanism in all marketing emails
• Include your physical mailing address in all commercial emails
• Honor unsubscribe requests within 10 business days
• Not use deceptive subject lines or sender information
• Obtain documented prior express written consent before sending marketing SMS
• Maintain your own suppression lists and apply them before each send
• Not send more than 3 follow-up messages to a recipient who has not responded

4. Data Usage Rules

• Only upload contact data that you have the legal right to use for marketing purposes
• Do not upload personal data of EU/UK residents without a lawful basis under GDPR
• Do not use the cookie tracking features on websites you do not own or operate
• Do not use behavioral tracking data to discriminate against individuals based on protected characteristics

5. Enforcement

We reserve the right to investigate suspected violations of this AUP. Consequences of violations may include:

• Warning and required corrective action
• Temporary suspension of account features
• Permanent account termination without refund
• Reporting to law enforcement or regulatory authorities
• Civil legal action for damages

This Cookie Policy explains how AI Growth Signal Engine uses cookies and similar tracking technologies on our Platform, including the four-layer behavioral tracking system built into our campaign tools.

1. What Are Cookies

Cookies are small text files stored on your device when you visit a website. They allow websites to recognize your device, remember preferences, and track behavior across visits. Signal Engine uses cookies both on our own Platform and (when you use our campaign tools) on your own websites/properties.

2. Cookies We Set on Our Platform

3. The Four Campaign Tracking Layers

Signal Engine's campaign retention module sets four types of tracking cookies on your behalf when recipients click links in your campaigns. These cookies are set on your own domain/properties — not on ours. You are responsible for disclosing and obtaining consent for these cookies in your own privacy policy.

4. Technical Cookie Standards

All Signal Engine cookies are set with the following technical standards:

• SameSite=Lax: Cookies are not sent on cross-site requests, reducing CSRF risk
• HttpOnly: Session and auth cookies are not accessible via JavaScript
• Secure: Cookies are only transmitted over HTTPS
• No third-party cookie sharing: We do not share cookie data with advertising networks or data brokers

5. Managing Your Cookie Preferences

You can control cookies through:

• Cookie consent banner: On first visit to our Platform, you can accept or decline non-essential cookies
• Browser settings: Most browsers allow you to block or delete cookies via settings
• Opt-out request: Email [email protected] to opt out of analytics cookies

Note that disabling strictly necessary cookies will prevent you from logging in and using the Platform.

6. Do Not Track

Signal Engine respects Do Not Track (DNT) browser signals. If you have DNT enabled, we will not set analytics or behavioral tracking cookies on our own Platform. Note that this does not affect tracking cookies set by our campaign tools on your own properties — that is controlled by your own cookie consent implementation.

1. Definitions

"Controller" means the Signal Engine customer who determines the purposes and means of processing personal data through the Platform.

"Processor" means AI Growth Signal Engine, which processes personal data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person processed through the Platform, including prospect names, email addresses, company affiliations, behavioral data, and campaign engagement data.

"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Subject Matter and Nature of Processing

The Processor processes Personal Data solely to provide the Signal Engine platform services as described in the Terms of Service. Processing activities include:

• Storing account data, campaign contacts, and engagement events entered by the Controller
• Transmitting AI query prompts to Anthropic's API for processing and returning responses
• Tracking campaign click events, session behavior, UTM attribution, and return visits where the Controller has enabled these features
• Processing payment and billing data via Stripe and/or Paddle as payment sub-processors

3. Controller's Instructions

The Processor shall process Personal Data only on documented instructions from the Controller. The Controller's instructions are set out in this DPA and the Terms of Service. If the Processor is required by applicable law to process Personal Data otherwise, the Processor shall notify the Controller unless prohibited by law.

4. Processor Obligations

The Processor agrees to:

• Process Personal Data only for the purposes specified in this DPA and the Terms of Service
• Ensure that persons authorised to process Personal Data are bound by confidentiality obligations
• Implement appropriate technical and organisational security measures as described in Section 7
• Not engage sub-processors without prior written consent of the Controller (general consent is given in Section 6)
• Assist the Controller in responding to Data Subject requests within the timeframes required by applicable law
• Delete or return all Personal Data upon termination of the agreement, at the Controller's choice
• Provide all information necessary to demonstrate compliance with this DPA
• Notify the Controller without undue delay (and within 72 hours where required by GDPR) of any Personal Data breach

5. Controller Obligations

The Controller agrees to:

• Ensure there is a lawful basis for processing Personal Data entered into the Platform
• Obtain all necessary consents from Data Subjects whose data is uploaded to the Platform
• Comply with applicable data protection laws in each jurisdiction where the Controller operates
• Ensure that campaign recipients have consented to receive commercial communications where required by law (CAN-SPAM, CASL, TCPA, PDPL, PECR)
• Not upload sensitive personal data (health, biometric, religious, political, genetic data) to the Platform
• Notify the Processor of any Data Subject requests that require Processor action

6. Approved Sub-processors

The Controller provides general written consent to the Processor engaging the following sub-processors. The Processor shall notify the Controller of any intended changes to this list with reasonable advance notice.

7. Security Measures

The Processor implements the following technical and organisational measures to protect Personal Data:

• Encryption in transit: All data is transmitted over TLS 1.2 or higher. HSTS is enforced.
• Encryption at rest: Supabase encrypts all stored data at rest using AES-256.
• Access controls: Row Level Security (RLS) ensures users can only access their own data. Service role keys are never exposed client-side.
• API security: Anthropic API keys are stored as server-side environment variables and never transmitted to client browsers.
• Input validation: All user inputs are sanitised before processing to prevent injection attacks.
• Rate limiting: AI query limits are enforced per plan to prevent abuse.
• Security headers: HSTS, X-Frame-Options, CSP, and Permissions-Policy headers are applied to all platform pages.
• Incident response: The Processor maintains an incident response plan and will notify the Controller within 72 hours of discovering a Personal Data breach.

8. International Data Transfers

The Controller acknowledges that Personal Data may be transferred to and processed in the United States, where the Processor and its primary sub-processors (Anthropic, Supabase, Netlify, Stripe) are located.

• EU/UK transfers: Transfers from the EEA or UK to the US are conducted under Standard Contractual Clauses (SCCs) as applicable
• India (DPDPA): The US has not been placed on India's restricted country list as of the date of this DPA. The Processor will notify affected Controllers if this changes
• Saudi Arabia (PDPL): Cross-border transfers implement safeguards as required under PDPL Article 29 and the Processor's risk assessment
• UAE: Transfers comply with UAE PDPL cross-border transfer requirements

9. Data Retention and Deletion

The Processor retains Personal Data for the duration of the Controller's subscription plus 30 days following termination, after which it is permanently deleted. The Controller may request earlier deletion at any time by contacting [email protected]. The Processor will confirm deletion in writing within 30 days of the request.

Note: During the HTML-only phase of the Platform (before Supabase backend deployment), all Controller data is stored exclusively in the Controller's browser localStorage and the Processor holds no server-side copies of Personal Data.

10. Audit Rights

The Controller has the right to conduct audits or inspections of the Processor's data processing activities, or to commission an independent auditor to do so, with 30 days prior written notice. The Processor may charge reasonable costs for facilitating such audits. The Processor agrees to make available all information necessary to demonstrate compliance with this DPA.

11. Data Subject Rights Assistance

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests for access, rectification, erasure, portability, and restriction of processing. Controllers should submit Data Subject assistance requests to [email protected] with the subject line "DSR Assistance Request." The Processor will respond within 5 business days.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. The Processor shall be liable to the Controller for damages caused by processing that does not comply with this DPA or applicable data protection law. The Controller shall be liable for damages resulting from processing instructions that violate applicable law or this DPA.

13. Governing Law

This DPA is governed by the laws of the State of Georgia, United States, except where superseded by mandatory provisions of applicable data protection law in the Controller's jurisdiction. For EU/UK Controllers, this DPA is to be interpreted consistently with the requirements of GDPR and UK GDPR.

14. Precedence

In the event of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters. In all other respects, the Terms of Service shall govern.