Privacy Policy
Effective: 2026-05-17 · Version 2026-05-17
SignalSnitch, owned and operated by Tse Capital, a California S-corporation ("we", "us"), takes privacy seriously. This Policy describes what personal data we collect, how we use it, who we share it with, and your rights.
1. What we collect
1.1 Account data
Email, optional display name, hashed password (managed by our self-hosted GoTrue auth service), and TOTP factor info if you enable 2FA.
1.2 Subscription and billing data
Plan tier, billing status, invoice history, and payment-method tokens. Card numbers are handled by Stripe and never reach our servers.
1.3 Product usage
Watchlists, followed influencers, notification preferences, MFA state, redeemed codes. Audit logs of admin actions and authentication events.
1.4 Notification delivery channels
Email address (always), phone number (if you opt into SMS), and Web Push subscription tokens (if you opt into push). Push subscriptions are tied to a specific browser/device.
1.5 Public market data
We do not scrape social platforms directly. We receive publicly posted social-media content from third-party data providers. The content is third-party-authored and is processed under fair-use / public-interest bases. Per-post evidence is retained for at most 7 days; aggregate metrics persist longer.
1.6 Network metadata
Your IP address and browser user-agent are captured and stored alongside (a) your legal-acceptance record, (b) audit-log entries for security-sensitive actions — including admin operations, authentication events, discount-code redemptions, and any GDPR data-export or deletion request you submit, and (c) standard webserver access logs on our origin server (rotated on each deployment, typically within 14 days). We do not use your IP for advertising, behavioral profiling, or cross-site tracking.
2. How we use it
- To operate the Service (auth, billing, notifications, dashboard);
- To deliver alerts you've opted into (email, push, SMS);
- To detect abuse, debug issues, and improve the product;
- To comply with legal obligations and enforce our Terms.
We do not sell your personal data. We do not use it for advertising profiling or third-party marketing.
3. Legal bases (GDPR)
For users in the EEA/UK, our legal bases are: contract performance, legitimate interest (security, abuse prevention, product analytics), consent (push, SMS, optional features), and legal obligation (tax, audit).
4. Third-party processors
We rely on the following sub-processors. Each is bound by a data processing agreement and processes data only on our instructions:
| Provider | Purpose | Data |
|---|---|---|
| Hetzner | VPS hosting (we self-host our database, auth, storage, and application server on a single Hetzner Cloud VPS) | All account and product data, request logs, IP addresses |
| Cloudflare Workers | Secondary cron scheduler (failover for scheduled jobs) | None — fires HTTP triggers, no user data sent |
| cron-job.org | Primary cron scheduler | None — fires HTTP triggers, no user data sent |
| Stripe | Payment processing | Card details, billing email, invoices |
| Resend | Transactional email | Email address, message content |
| Twilio | SMS delivery | Phone number, message content (only if SMS enabled) |
| Web Push (browser vendor) | Push delivery | Encrypted notification payload (only if push enabled) |
| Apify | Public-content scraping | List of tracked influencer handles |
| Anthropic / OpenAI | LLM analysis | Public tweet text only — never your account data |
| Finnhub | EOD price data | Ticker symbols only |
5. Data retention
- Account data: retained while your account is active; deleted within 30 days of account deletion.
- Billing records: retained for 7 years to comply with tax/accounting obligations.
- Per-tweet signal evidence: 7 days, then auto-deleted by a daily cleanup job.
- Pipeline run logs and finalized notifications: 90 days.
- Audit logs: 1 year.
6. Cookies and tracking
We use only essential cookies for session management and authentication. We do not use third-party advertising or behavioral tracking cookies.
7. Your rights
Depending on your jurisdiction, you may have rights to:
- Access the personal data we hold about you;
- Correct inaccurate data;
- Request deletion of your account and data (right to be forgotten);
- Receive a portable export of your data;
- Object to or restrict certain processing;
- Withdraw consent for opt-in features (push, SMS) at any time;
- Lodge a complaint with your local data protection authority.
Exercise these rights directly from your privacy dashboard: download a JSON export of your data, schedule account deletion (with a 30-day grace period), and manage your marketing-email consent. For other requests, email support@signalsnitch.io; we respond within 30 days.
8. Security
We use TLS in transit, hashed passwords, row-level security on the database, and least-privilege access for staff. We support optional TOTP-based 2FA. No system is perfectly secure; please report suspected vulnerabilities to support@signalsnitch.io.
9. International transfers
Our primary infrastructure (Hetzner Cloud VPS) is located in Nuremberg, Germany (EU). Stripe, Resend, Twilio, Apify, Anthropic, OpenAI, Finnhub, and Cloudflare Workers are US-based providers. If you are outside the EU/UK, your data may be transferred to the EU and the US under appropriate safeguards (standard contractual clauses where applicable).
10. Children
SignalSnitch is not directed to children under 18. We do not knowingly collect data from children. If you believe we have, contact us and we will delete it.
11. Changes
We may update this Policy. Material changes will be communicated by email or in-product notice with at least 14 days' notice.
12. Contact
Privacy questions or data-access requests: support@signalsnitch.io.