Privacy Policy
This policy explains what Signals collects, why, and the choices you have. Signals is operated by Envisioning.
This Privacy Policy describes how Envisioning (“we”, “us”) handles personal information in connection with the Signals platform (the “Service”). It applies to our public website and the authenticated application. By using Signals, you agree to this Policy.
1. Data we collect
- Account data. Name, email, organization, role, and authentication identifiers provided through our identity provider (WorkOS).
- Workspace content. Research themes, briefings, signals, sources, reports, collections, chat messages, uploaded or generated images, Shared Link settings, activity history, and related configuration created within your workspace.
- Billing and checkout data. Buyer name, work email, company name, plan selection, subscription status, invoice and payment status, tax and billing details, and payment-provider identifiers. Payment card details are collected by Stripe, not stored directly by Signals.
- Scan requests and inbound forms. When you request a free scan, join a waitlist, or contact us, we collect the email, topic, message, scan theme, answers, generated briefing, source page, and other details you provide.
- Usage and technical data. IP address, browser and device information, and product usage events (page views, feature interactions), logs, anti-abuse checks, and AI usage metrics such as model, token, cost, latency, and error data used to operate and improve the Service.
- AI processing data. When you generate signals, reports, images, grounding, or chat responses, your prompts and relevant workspace context are sent to third-party AI providers for processing. Signals also stores AI request and response snapshots, including prompts, messages, tool calls, provider metadata, outputs, errors, token counts, and cost metadata for traceability, billing, debugging, and abuse prevention.
2. How we use data
- to provide, secure, and improve the Service;
- to process scan requests, send confirmations, and follow up on inbound interest;
- to authenticate users, enforce roles, provision organizations, and bill paid plans;
- to route prompts to the AI providers required to fulfill your requests;
- to provide exports, Shared Links, image uploads, transactional email, and support workflows;
- to monitor usage and reliability, and prevent abuse;
- to comply with legal obligations.
3. Sharing
- Sub-processors.We rely on a small set of infrastructure providers, including WorkOS (identity), Convex (application database and functions), Vercel (hosting and AI Gateway), Stripe (checkout, billing, tax, and payment processing), Resend (transactional email), Cloudinary (image storage), Cloudflare Turnstile (bot protection), Plausible (website analytics), Slack (operator notifications), and Envisioning’s CRM/core systems for inbound leads. AI Gateway routes requests to third-party model providers such as OpenAI, Anthropic, Google, Perplexity, and others depending on the model selected.
- AI providers. When you generate signals, prompts and relevant context are transmitted to the provider servicing the request. Some models may use provider-side web search or image-generation capabilities. Each provider operates under its own privacy and data retention terms.
- Billing, forms, and operations. Checkout and subscription data is shared with Stripe and WorkOS as needed to process payment, provision an organization, and invite the first administrator. Contact-form data is forwarded to our CRM. Free scan confirmations are sent through Resend. Operational events, such as checkout status, may be sent to Slack for internal follow-up.
- No sale of personal data. We do not sell personal data, and we do not share it for cross-context behavioral advertising.
- Legal. We may disclose information if required by law or to protect the rights, safety, and integrity of the Service.
4. Data retention
We retain workspace content while your organization maintains access to the Service, unless it is deleted earlier through the product or by request. Some records are retained longer where needed for security, billing, audit, support, fraud prevention, dispute handling, or legal obligations. This includes account mirrors, checkout and subscription records, revenue and plan-change history, AI usage and request/response logs, Shared Link history, activity events, and email-delivery records. Scan-request and inbound-form data are retained for operational follow-up and may be deleted on request, subject to those same operational and legal requirements. Aggregated usage data may be retained without identifying you.
5. International transfers
Signals is operated from infrastructure that may process data outside your country of residence. Where personal data is transferred internationally, we rely on appropriate safeguards consistent with applicable law.
6. Your rights
- Access and correction. You may request access to or correction of your personal data by contacting us.
- Deletion. You may request deletion of your account and personal data, subject to legal and operational retention requirements.
- Communications. You may opt out of non-essential communications at any time.
- EEA/UK/CA residents. Where applicable, you have additional rights under GDPR, UK GDPR, or state-level US privacy laws, including the right to object to processing and to lodge a complaint with your supervisory authority.
7. Security
We use reasonable technical and organizational measures to protect personal data, including SSO-based authentication, role-based access controls, encryption in transit, and least-privilege backend access. See our security page for details. No method of transmission or storage is fully secure, and we cannot guarantee absolute security.
8. Children
Signals is not directed to children under 16, and we do not knowingly collect personal data from them.
9. Changes
We may update this Policy from time to time. Material changes will be communicated through the Service or by email. Continued use after changes constitutes acceptance.
10. Contact
For privacy questions or to exercise your rights, use the contact page.