Privacy Policy

Effective date: 5 April 2026

Summary: We collect only what we need to run your account and deliver the Service. We do not sell your data. We rely on Supabase, Vercel, and Resend to operate the platform — all bound by data processing agreements. You have full GDPR rights including access, erasure, and portability.

1. Who We Are — Data Controller

SignalPanel Ltd ("we", "us", "SignalPanel") is the data controller for personal data processed through the SignalPanel platform at www.signalpanel.app.

SignalPanel Ltd

Privacy contact: privacy@signalpanel.app

For all data protection enquiries, please contact us at privacy@signalpanel.app. We will respond within 30 days.

2. Personal Data We Collect

We collect the following categories of personal data:

Category | Examples
Account data | Full name, work email address, hashed password, account creation date
Organisation data | Organisation name, organisation slug, plan tier
Profile data | Display name, avatar URL (if provided), organisational role
Usage data | Pages visited, features used, simulation runs, archetype and persona counts, timestamps of actions
Content data | Archetype definitions, uploaded research documents, persona configurations, simulation prompts and results, conversation transcripts
Technical data | IP address, browser type and version, operating system, referring URL, session identifiers
Communications | Emails we send you (invitations, notifications), support messages you send us

Data you upload. If you upload research documents or customer interview notes to define archetypes, those documents may contain personal data of third parties. You are responsible for ensuring you have a lawful basis to process and upload that data. SignalPanel acts as a data processor for such third-party data.

No sensitive data. We do not knowingly collect special category data (health, race, religion, biometrics, etc.). Please do not upload documents containing such data.

3. Lawful Basis for Processing (GDPR Article 6)

We rely on the following lawful bases:

Contract performance (Art. 6(1)(b))

Processing your account data, organisation data, and usage data is necessary to provide you with the Service under our Terms of Service.

Legitimate interests (Art. 6(1)(f))

We process technical and usage data to maintain service security, prevent abuse, improve the platform, and send you service-related notifications. Our legitimate interests do not override your fundamental rights.

Legal obligation (Art. 6(1)(c))

We may process data to comply with applicable laws, including tax, accounting, and regulatory obligations.

Consent (Art. 6(1)(a))

Where we send optional communications (product updates, newsletters), we rely on your consent. You can withdraw consent at any time.

4. How We Use Your Data

  • Creating and managing your account and organisation workspace;
  • Providing, operating, and improving the Service;
  • Processing AI-powered archetype structuring, persona generation, simulation runs, and insight synthesis;
  • Sending transactional emails — account invitations, password reset links, and important service notifications;
  • Diagnosing and resolving technical issues;
  • Complying with legal obligations and enforcing our Terms of Service;
  • Preventing fraud, abuse, and security incidents;
  • With your consent: sending product updates and announcements.

We do not sell your personal data to third parties. We do not use your data to train AI models belonging to third parties without your explicit consent.

5. Data Retention

Data type | Retention period
Account and profile data | For the duration of your account, plus 30 days after deletion (to allow recovery from accidental deletion)
Organisation and workspace data | For the duration of the organisation account, plus 30 days
Content data (archetypes, personas, simulations, reports) | For the duration of your account; deleted within 30 days of account closure
Usage and technical logs | Up to 90 days, then automatically purged
Financial / billing records | As required by applicable tax and accounting law (typically 7 years)
Backup snapshots | Overwritten on a rolling 30-day cycle

You may request earlier deletion of your personal data at any time — see Section 8.

6. Data Sharing and Sub-Processors

We share personal data only with the following categories of recipients:

Supabase Inc.

Database, authentication, and file storage | USA (EU data centre available)

Stores your account data, organisation data, and content data. Supabase provides data processing agreements (DPAs) and is SOC 2 Type II certified.

Vercel Inc.

Application hosting and edge infrastructure | USA (global CDN)

Hosts and serves the SignalPanel application. Processes IP addresses and request metadata. Vercel is compliant with GDPR and provides a DPA.

Resend Inc.

Transactional email delivery | USA

Sends invitation and notification emails on our behalf. Processes recipient email addresses and email content. Resend provides a DPA.

AI model providers (e.g. Ollama, OpenAI-compatible)

Large language model inference | Configurable — self-hosted or third-party

Processes prompt content to generate archetypes, personas, simulation responses, and insights. Prompts may contain content you have entered. We recommend using self-hosted Ollama for maximum data control.

We may also disclose personal data to law enforcement or regulatory authorities where required by law, or to enforce our Terms of Service.

7. International Data Transfers

Some of our sub-processors are based in the United States. When we transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to a country that does not have an equivalent level of data protection, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) — approved by the European Commission under Article 46 GDPR;
  • UK International Data Transfer Agreements (IDTAs) where applicable;
  • Adequacy decisions where the destination country has been recognised by the European Commission.

You may request a copy of the relevant safeguards by contacting us at privacy@signalpanel.app.

8. Your Rights Under GDPR

As a data subject under the UK GDPR and EU GDPR, you have the following rights. To exercise any of them, contact us at privacy@signalpanel.app. We will respond within 30 calendar days (extendable by a further 60 days for complex requests, with notice).

Art. 15

Right of Access

You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data together with information about how it is used (a "Subject Access Request").

Art. 16

Right to Rectification

You have the right to have inaccurate personal data corrected and incomplete personal data completed without undue delay.

Art. 17

Right to Erasure ('Right to be Forgotten')

You have the right to request deletion of your personal data where: it is no longer necessary for the purposes for which it was collected; you withdraw consent (where consent is the basis); you object and there are no overriding legitimate grounds; or the data has been unlawfully processed. Certain data may be retained where required by law (e.g. financial records).

Art. 18

Right to Restriction of Processing

You have the right to request that we restrict processing of your personal data in certain circumstances — for example, while you contest the accuracy of the data or while an objection is being assessed.

Art. 20

Right to Data Portability

Where processing is based on your consent or contract performance and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g. JSON or CSV), and to transmit it to another controller.

Art. 21

Right to Object

You have the right to object at any time to processing based on legitimate interests (Art. 6(1)(f)), including profiling. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is for legal claims. You may also object at any time to processing for direct marketing purposes.

Art. 22

Rights Related to Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects on you. SignalPanel does not currently make automated decisions of this nature. AI-generated personas and insights are tools for your own human decision-making, not automated decisions about you.

Withdrawal of consent. Where we rely on your consent as the lawful basis, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. To withdraw consent, contact privacy@signalpanel.app or use the unsubscribe link in any marketing email.

9. Cookies and Similar Technologies

We use cookies and similar technologies only to the extent necessary to operate the Service. We do not use advertising cookies, third-party tracking cookies, or cross-site tracking technologies.

Cookie | Type | Purpose
sb-[project]-auth-token | Essential / Session | Supabase authentication session token. Required to keep you logged in. Deleted when you sign out.
__vercel_* | Essential / Infrastructure | Vercel edge network routing. Required for application delivery. Not used to track individuals.

Because we only use strictly necessary cookies, no consent banner is required under the UK PECR / EU ePrivacy rules. If we introduce any non-essential cookies in the future, we will update this policy and seek your consent.

10. Security

We implement the following technical and organisational measures to protect your personal data:

  • All data in transit is encrypted using TLS 1.2 or higher;
  • Passwords are hashed using bcrypt via Supabase Auth (we never store plaintext passwords);
  • Database access is restricted to authenticated application processes with row-level security (RLS) enabled;
  • API endpoints enforce role-based access control — users can only access data belonging to their own organisation;
  • Admin API endpoints are restricted to super-admin accounts;
  • Infrastructure runs on SOC 2 certified providers (Supabase, Vercel).

Despite these measures, no internet-based system can be guaranteed completely secure. If you believe your account has been compromised, please contact us immediately at privacy@signalpanel.app.

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34 GDPR.

11. Children's Privacy

The Service is intended for business users aged 16 and over. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact privacy@signalpanel.app.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will notify you by email and update the effective date at the top of this page.

We encourage you to review this policy periodically. Continued use of the Service after the effective date of any update constitutes acceptance of the revised policy.

13. Complaints and Supervisory Authority

If you have concerns about how we handle your personal data, please contact us first at privacy@signalpanel.app. We take privacy complaints seriously and will do our best to resolve your concern within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. For UK residents, this is the Information Commissioner's Office (ICO):

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline: 0303 123 1113

Website: ico.org.uk

For EEA residents, you may also contact your national data protection authority (listed at edpb.europa.eu).

© 2026 SignalPanel Ltd. All rights reserved.