Legal
Privacy Policy
Effective May 2, 2026
1. Introduction
SignaKit (“we”, “us”, “our”) operates signakit.com (the “marketing site”) and the dashboard at app.signakit.com (the “app”). This Privacy Policy explains what personal data we collect across both properties, how we use it, and the choices available to you.
Where this policy distinguishes between the marketing site and the app, different data practices apply to each.
2. Information We Collect
Account data (app)
- Full name and email address — collected at registration and used to identify your account.
- Password — stored as a salted cryptographic hash using a modern hashing algorithm. We never store or have access to your plaintext password.
- Billing information — payment processing is handled entirely by Stripe. We store only a Stripe customer ID and subscription status; card numbers and payment details are never transmitted to or stored on our servers.
- Dashboard usage data — pages visited within the app, features used, and settings changed, to help us understand and improve the product.
SDK event data (app)
When you integrate a SignaKit SDK into your application, your application sends feature flag exposure events and custom metric events to our ingestion API. These events may include user identifiers and targeting attributes that you choose to pass from your own application. This data is associated with your SignaKit project and is used to power experiment results in your dashboard. See Section 7 (Data Processor Role) for how responsibility is allocated between you and us for this data.
Marketing site data (signakit.com only)
- Analytics data — page views, session duration, referral source, and browser/device type collected via Google Analytics. See Section 5 for details.
- Ad interaction data — if you arrive via a Google Ads campaign, conversion and click data may be collected. See Section 5.
Technical data (both properties)
- IP address, browser type, operating system, and referring URL collected automatically in server access logs.
- Server logs are retained for up to 90 days for security and debugging purposes, then deleted.
3. How We Use Your Information
We use the information we collect to:
- Create and manage your account, authenticate sessions, and enforce subscription limits.
- Process payments and manage subscription billing through Stripe.
- Send transactional emails via Resend — account setup confirmation, password resets, team invitations, and billing notifications.
- Display feature flag analytics, experiment results, and usage metrics in your dashboard.
- Improve the product by analyzing aggregate usage patterns within the app.
- Measure marketing effectiveness via Google Analytics and Google Ads on the marketing site.
- Respond to support requests and communicate service-related updates.
We do not sell, rent, or share your personal data with third parties for their advertising or marketing purposes.
4. Data Retention
- Account data — retained for as long as your account is active. On deletion, account data is removed within 30 days.
- SDK event data — retained for the duration of your subscription. Raw event data older than 12 months may be aggregated or purged at our discretion.
- Billing records — Stripe retains payment records in accordance with their own retention policies and applicable financial regulations.
- Server logs — retained for up to 90 days.
- Backups — encrypted database backups may persist for up to 30 days after account deletion before being overwritten.
5. Cookies & Local Storage
We use cookies and browser local storage in two distinct contexts.
Marketing site (signakit.com)
- Google Analytics — sets _ga, _gid, and _gat cookies to measure page views, session duration, and traffic sources. Data is sent to Google and governed by Google's Privacy Policy. These cookies are not set within the app.
- Google Ads — if you arrive via a paid search or display ad, Google sets conversion tracking and remarketing cookies to measure campaign performance. You can opt out via Google's Ads Settings.
App (app.signakit.com)
- Session cookie — set by Better Auth to keep you signed in across page loads. This is an HTTP-only, secure cookie containing a session token. It expires when you sign out or after a period of inactivity.
- Organisation and project preference — stored in browser local storage to remember your last-selected organisation and project, so the app opens to the right context on your next visit.
- Banner / dismissal state — stored in local storage to record whether you have dismissed informational banners or notices, so they are not shown repeatedly.
No third-party analytics, advertising, or tracking scripts are loaded within the app.
6. Third-Party Services
SignaKit relies on the following third-party providers to deliver the service. Each operates under its own privacy policy and data processing terms.
- AWS — cloud infrastructure, PostgreSQL database hosting (RDS), object storage (S3), and serverless compute (Lambda). Account data, event data, and experiment results are stored on AWS infrastructure in the United States.
- Stripe — payment processing and subscription billing. Stripe receives your billing email address and payment details directly. SignaKit stores only a Stripe customer ID and subscription status.
- Resend — transactional email delivery. Resend receives your name and email address to deliver account notifications, password resets, and team invitations.
- Google Analytics — website analytics on the marketing site only. Google receives anonymised usage data including page views, session data, and IP-derived location. Not used within the app.
- Google Ads — advertising platform used for paid campaigns on the marketing site. Google may receive conversion event data when you complete a signup originating from an ad click. Not used within the app.
7. Data Processor Role
When you use SignaKit SDKs in your own application, your application may transmit data about your end-users to our event ingestion API — such as user identifiers, targeting attributes, and custom event properties. In this context:
- You are the data controller. You determine what data is passed to the SDK and are responsible for having a lawful basis to process your end-users' data and for disclosing SignaKit's involvement in your own privacy policy.
- We are a data processor. We process end-user data only as necessary to provide the SignaKit service to you — powering feature flag evaluation, experiment results, and usage analytics within your dashboard.
- We do not use your end-users' data for our own advertising, marketing, or profiling purposes.
We recommend avoiding passing directly identifying information (such as email addresses or full names) as targeting attributes unless necessary. Use opaque user IDs where possible.
8. Data Storage & Security
- Account and project data is stored in PostgreSQL databases on AWS RDS infrastructure.
- SDK event data is stored in Amazon S3 and used for analytics processing and experiment results.
- All data in transit is encrypted using TLS 1.2 or higher.
- Data at rest is encrypted using AWS-managed encryption keys.
- Access to production systems is restricted by role-level permissions and requires authentication.
While we implement industry-standard safeguards, no method of transmission or storage is completely secure. We cannot guarantee the absolute security of your data.
9. Your Rights
You have the following rights with respect to your personal data:
- Access: You may request a copy of the personal data we hold about you.
- Correction: You may update your name and email address at any time through the dashboard settings.
- Export: You may export your project configuration and data from the dashboard settings at any time.
- Deletion: You may request deletion of your account and all associated data by emailing privacy@signakit.com. We will process deletion requests within 30 days, subject to any retention obligations.
- Objection: You may object to processing of your data for analytics or marketing purposes by contacting us. Opting out of Google Analytics is also possible via the Google Analytics opt-out browser add-on.
To exercise any of these rights, email privacy@signakit.com. We aim to respond within 5 business days.
10. Age Restriction
SignaKit is not directed at children under the age of 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child has provided us with personal information, please contact us at privacy@signakit.com and we will delete it promptly.
11. International Data Transfers
SignaKit's infrastructure is hosted in the United States. If you are accessing the service from outside the United States — including from the European Economic Area (EEA) — your data will be transferred to and processed in the US. We rely on appropriate safeguards, including standard contractual clauses where required, to ensure such transfers comply with applicable data protection laws.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make significant changes, we will notify registered users by email at least 14 days before the changes take effect. The effective date at the top of this page will always reflect the most recent revision. Continued use of SignaKit after the effective date constitutes acceptance of the updated policy.
13. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us at privacy@signakit.com. We aim to respond to all inquiries within 2 business days.