Privacy Policy
Effective: 2026-07-10 · Version 2026-07-10
SignalSnitch, owned and operated by Tse Capital, a California corporation ("we", "us"), takes privacy seriously. This Policy describes what personal data we collect, how we use it, who we share it with, and your rights.
1. What we collect
1.1 Account data
Email, optional display name, hashed password (managed by our self-hosted GoTrue auth service), and TOTP factor info if you enable 2FA.
1.2 Subscription and billing data
Plan tier, billing status, invoice history, and payment-method tokens. Card numbers are handled by Stripe and never reach our servers.
1.3 Product usage
Watchlists, followed influencers, notification preferences, MFA state, redeemed codes. Audit logs of admin actions and authentication events.
1.4 Notification delivery channels
Email address (always) and Web Push subscription tokens (if you opt into push). Push subscriptions are tied to a specific browser/device.
1.5 Public market data
We do not scrape social platforms directly. We receive publicly-posted social-media content from third-party data providers. The content is third-party-authored and is processed under fair-use / public-interest bases. Per-post evidence is retained for at most 7 days; aggregate metrics persist longer.
1.6 Network metadata
Your IP address and browser user-agent are captured and stored alongside (a) your legal-acceptance record, (b) audit-log entries for security-sensitive actions — including admin operations, authentication events, discount-code redemptions, and any GDPR data-export or deletion request you submit, (c) standard webserver access logs on our origin server (rotated on each deployment, typically within 14 days), and (d) your account record at sign-up, retained to detect and prevent same-IP multi-account abuse (such as trial farming). We do not use your IP for advertising, behavioral profiling, or cross-site tracking.
1.7 AI assist messages
When you type a message into our in-product AI Assist (a Pro and Elite feature), we store the message text along with the plan you were on, the classified intent (e.g. follow-callers, watchlist, backtest, feedback, or "unknown"), and a timestamp. We use this log only to improve the product — specifically to discover which features users are looking for and which questions point at unclear UI. Messages are capped at 280 characters at the point of submission. We do not use AI Assist messages for advertising or sell them to third parties; the only third party that ever sees the text is the language-model provider we use to classify the intent (currently DeepSeek), and they receive the message text alone with no account identifier. AI Assist messages are retained for up to 180 days and then deleted.
1.8 Product analytics
When you are signed in, we record the pages you open and the cards you act on. Acting on a card means clicking it, expanding it, dismissing it, or following one of its links. For a page we store only the path, such as /dashboard/leaderboard; your browser strips the query string and anything after the # before the event is sent, so those never reach us. For a card we store the card's name, what you did to it, and sometimes what it referred to, such as a ticker symbol. We also store a random identifier for each browser tab so we can count sessions, and the account type you held at the time (for example free or paid), so we can tell which parts of the product each kind of member uses. That identifier is not tied to your device and does not follow you between browsers or onto other websites. We use all of this to work out which parts of the product people actually use and which are dead weight. We do not use it for advertising, we do not sell it, and no outside company ever receives it; the data stays in our own database. Raw events are deleted after 90 days. Only anonymous daily totals are kept longer, and those carry no account identifier. You can download or delete everything we hold about you from Dashboard → Privacy.
2. How we use it
- To operate the Service (auth, billing, notifications, dashboard);
- To deliver alerts you've opted into (email, push);
- To detect abuse, debug issues, and improve the product;
- To comply with legal obligations and enforce our Terms.
We do not sell your personal data. We do not use it for advertising profiling or third-party marketing.
3. Legal bases (GDPR)
For users in the EEA/UK, our legal bases are: contract performance, legitimate interest (security, abuse prevention, product analytics), consent (push, optional features), and legal obligation (tax, audit).
4. Third-party processors
We rely on the following sub-processors. Each is bound by a data processing agreement and processes data only on our instructions:
| Provider | Purpose | Data |
|---|---|---|
| Hetzner | VPS hosting (we self-host our database, auth, storage, and application server on a single Hetzner Cloud VPS) | All account and product data, request logs, IP addresses |
| Cloudflare | CDN, DDoS protection, TLS termination and edge caching for all traffic; also Workers (proxy routing + secondary cron failover) | Request metadata and IP addresses (all traffic is proxied); no account data stored at the edge |
| cron-job.org | Primary cron scheduler | None — fires HTTP triggers, no user data sent |
| Stripe | Payment processing | Card details, billing email, invoices |
| Resend | Transactional email | Email address, message content |
| Apple | Sign in with Apple (optional login) | Apple-relay email address and authentication token — only if you use Apple sign-in |
| Web Push (browser vendor) | Push delivery | Encrypted notification payload (only if push enabled) |
| GetXAPI, Arctic Shift | Public-post retrieval (X/Twitter, Reddit) | List of public handles and subreddits we track — never your account data |
| OpenAI, Anthropic, Groq, Google | LLM analysis of public posts | Public post text only — never your account data |
| FMP, Finnhub, Stooq, Coingecko, Yahoo | Market price and fundamentals data | Ticker symbols only — no user data |
5. Data retention
- Account data: retained while your account is active; deleted within 30 days of account deletion.
- Billing records: retained for 7 years to comply with tax/accounting obligations.
- Per-tweet signal evidence: 7 days, then auto-deleted by a daily cleanup job.
- Pipeline run logs and finalized notifications: 90 days.
- Audit logs: 1 year.
- AI Assist messages: up to 180 days, then deleted.
- Product-analytics events: raw page-view and card-interaction rows are deleted after 90 days; anonymous daily totals are kept longer and carry no account identifier.
6. Cookies and tracking
We use only essential cookies for session management and authentication. We do not use third-party advertising or behavioral tracking cookies.
7. Your rights
Depending on your jurisdiction, you may have rights to:
- Access the personal data we hold about you;
- Correct inaccurate data;
- Request deletion of your account and data (right to be forgotten);
- Receive a portable export of your data;
- Object to or restrict certain processing;
- Withdraw consent for opt-in features (push) at any time;
- Lodge a complaint with your local data protection authority.
Exercise these rights directly from your privacy dashboard: download a JSON export of your data, schedule account deletion (with a 30-day grace period), and manage your marketing-email consent. For other requests email [email protected]; we respond within 30 days.
8. Security
We use TLS in transit, hashed passwords, row-level security on the database, and least-privilege access for staff. We support optional TOTP-based 2FA. No system is perfectly secure; please report suspected vulnerabilities to [email protected].
9. International transfers
Our primary infrastructure (Hetzner Cloud VPS) is located in Nuremberg, Germany (EU). Stripe, Resend, Apify, Anthropic, OpenAI, Finnhub, and Cloudflare Workers are US-based providers. If you are outside the EU/UK, your data may be transferred to the EU and the US under appropriate safeguards (standard contractual clauses where applicable).
10. Children
SignalSnitch is not directed to children under 18. We do not knowingly collect data from children. If you believe we have, contact us and we will delete it.
11. Changes
We may update this Policy. Material changes will be communicated by email or in-product notice with at least 14 days' notice.
12. Contact
Privacy questions or data-access requests: [email protected].