Privacy Policy

• Account data. Name, email, organization, role, and authentication identifiers provided through our identity provider (WorkOS).
• Workspace content. Research themes, briefings, signals, sources, reports, collections, and related configuration created within your workspace.
• Scan requests and inbound forms. When you request a free scan, join a waitlist, or contact us, we collect the email and other details you provide.
• Usage and technical data. IP address, browser and device information, and product usage events (page views, feature interactions) used to operate and improve the Service.
• AI processing data. When you generate signals, your prompts and the relevant workspace context are sent to third-party AI providers for processing.

• to provide, secure, and improve the Service;
• to process scan requests, send confirmations, and follow up on inbound interest;
• to authenticate users, enforce roles, and bill paid plans;
• to route prompts to the AI providers required to fulfill your requests;
• to monitor usage and reliability, and prevent abuse;
• to comply with legal obligations.

• Sub-processors. We rely on a small set of infrastructure providers — including WorkOS (identity), Convex (application database and functions), Vercel (hosting), and the AI Gateway routing to third-party model providers such as OpenAI, Anthropic, and Google.
• AI providers. When you generate signals, prompts and relevant context are transmitted to the provider servicing the request. Each provider operates under its own privacy and data retention terms.
• No sale of personal data. We do not sell personal data, and we do not share it for cross-context behavioral advertising.
• Legal. We may disclose information if required by law or to protect the rights, safety, and integrity of the Service.

We retain account and workspace data for as long as your organization maintains an active subscription, plus a short grace period for export. Scan-request and inbound-form data are retained for operational follow-up and may be deleted on request. Logs and aggregated usage data are retained for a limited operational window.

Signals is operated from infrastructure that may process data outside your country of residence. Where personal data is transferred internationally, we rely on appropriate safeguards consistent with applicable law.

• Access and correction. You may request access to or correction of your personal data by contacting us.
• Deletion. You may request deletion of your account and personal data, subject to legal and operational retention requirements.
• Communications. You may opt out of non-essential communications at any time.
• EEA/UK/CA residents. Where applicable, you have additional rights under GDPR, UK GDPR, or state-level US privacy laws, including the right to object to processing and to lodge a complaint with your supervisory authority.

We use reasonable technical and organizational measures to protect personal data — including SSO-based authentication, role-based access controls, encryption in transit, and least-privilege backend access. See our security page for details. No method of transmission or storage is fully secure, and we cannot guarantee absolute security.

Signals is not directed to children under 16, and we do not knowingly collect personal data from them.

We may update this Policy from time to time. Material changes will be communicated through the Service or by email. Continued use after changes constitutes acceptance.

For privacy questions or to exercise your rights, contact signals@envisioning.io.