Privacy Policy
This is the policy describing what data Signal Mama collects, how we use it, and your rights. We aim to keep it short and plain-English. If anything reads as vague or contradictory to what we said on /security or /about, that's a bug — email [email protected] and we'll fix it.
The short version
This policy applies to signalmama.com, the Signal Mama application, and all related services operated by Signal Mama, Inc. By using Mama, you agree to this policy. If you don't agree, please don't use the product — and let us know which part you can't live with, since the goal is for this policy to actually be reasonable.
What we collect
Account & billing information
When you sign up: name, work email address, company name, and role. If you pay, billing details (handled by Stripe; we never see your card number directly). If you connect SSO, we receive the identity assertion from your IdP — no passwords stored on our side.
Product usage data
What you do inside Mama — briefs generated, accounts watchlisted, ICP rubric edits, integration credentials connected, audit-log events. Standard application telemetry (page views, feature usage, errors) collected via first-party logging. No third-party analytics scripts run on the authenticated app.
Account-research data
The accounts you research with Mama — domains, signals detected, briefs generated. All signal source data is pulled from publicly accessible sources (Crunchbase, LinkedIn, public job boards, BuiltWith, public review sites, etc.) or via licensed data partnerships. We do not collect private personal data about individuals at researched companies beyond what's publicly listed in professional contexts (e.g., a CEO's LinkedIn job title is in scope; their home address is not).
What we don't collect
- No private inboxes — Mama does not read your email, even if you connect your CRM
- No phone or address from individual contacts at the companies you research, beyond what's professionally public
- No browsing history from outside the Mama application
- No biometric data, location data, or special-category personal data as defined under GDPR Article 9
How we use it
Specifically:
- Operate Mama — generate briefs, run signal detection, score accounts against your ICP rubric, push data to your connected integrations
- Improve Mama — debug errors, fix bugs, identify which features get used (aggregated, anonymized)
- Send transactional email — account confirmations, billing receipts, security notices, important policy changes
- Send opt-in product emails — changelog updates, launch announcements (only if you explicitly subscribed via /changelog or a similar opt-in flow)
- Respond to support requests — when you email us, we read it and reply
- Comply with law — respond to lawful legal requests, defend against fraud, enforce our terms
What we don't do
- We don't sell your data. Not to data brokers. Not to ad networks. Not to anyone, ever. Selling customer data is not a revenue line we have or want.
- We don't share your data with marketers. Your CRM accounts, your briefs, your reply outcomes don't leave your account to be analyzed by anyone outside Signal Mama.
- We don't train external AI models on your data. When we use LLMs (Anthropic, OpenAI) for brief synthesis, we use zero-retention APIs and contractually exclude your data from any provider training. See sub-processors.
- We don't fingerprint your browser beyond what's needed for fraud prevention and to keep you logged in.
- We don't run ad-tech retargeting scripts on our authenticated app. Public marketing pages may use first-party analytics (see cookies) but the app itself is clean.
- We don't sell anonymized or aggregated customer data as a separate product. If we ever publish aggregate insights (e.g., "% of B2B SaaS adopted X tech"), they come from public-source data, not your specific data.
Sub-processors
We use sub-processors for cloud infrastructure (AWS), database (managed PostgreSQL), billing (Stripe), LLM inference (Anthropic, OpenAI — zero-retention APIs), transactional email (Resend), and a handful of internal tooling vendors that don't touch customer data (Slack, Linear, 1Password, Vanta).
We notify customers at least 14 days before adding a new sub-processor that handles customer data, via the security mailing list. Subscribe to changes.
Cookies & tracking
Inside the authenticated app we set only the cookies needed to keep you signed in (session authentication, CSRF token, workspace preference). On marketing pages we run Plausible Analytics — first-party, cookie-less, no IP collection, no fingerprinting, no cross-site tracking, no transfer outside the EU. Opt out with a Do Not Track header or by blocking plausible.io.
For the full per-cookie breakdown, opt-out instructions, and browser-by-browser controls, see the Cookie Policy.
Your rights (GDPR / CCPA / CPRA)
Depending on where you live, you have the right to:
- Access — request a copy of the personal data we hold about you
- Correct — request that we update inaccurate data
- Delete — request that we delete your account and personal data (we'll do this within 30 days; backup snapshots roll off within 90)
- Portability — request an export of your data in a machine-readable format (JSON)
- Object to certain uses, including direct marketing
- Restrict processing in certain circumstances
- Opt out of "sale" of personal information (we don't sell, so this is automatic, but you can confirm)
- Lodge a complaint with your local data protection authority
To exercise any of these, email [email protected] with the request and proof of identity (so we don't accidentally release data to the wrong person). We'll respond within 30 days as required by GDPR/CCPA. No fee unless your request is repetitive or excessive.
Data retention
Retention windows:
- Account & billing data — retained while your account is active; deleted within 30 days of account closure (some billing records retained 7 years for tax compliance)
- Brief history — 30 days on Solo, 12 months on Team, indefinite on Pro; user-configurable
- Audit log — 12 months on Pro; 90 days on Team
- Backups — 30-day rolling retention; encrypted at rest
- Support email — retained for as long as needed to provide ongoing support; archived after 24 months
If you delete your account, all of the above is purged from primary storage within 30 days and from backups within 90.
International transfers
Signal Mama is a US-incorporated company. Data is stored by default in AWS us-east-1 (Northern Virginia). Pro-tier customers can elect eu-west-1 (Ireland) at workspace creation, or request custom regions (us-west-2, ap-southeast-2).
When personal data of EU/UK/Swiss residents is transferred to the US, we rely on the EU Standard Contractual Clauses (SCCs) approved by the European Commission and the UK addendum, as well as our Data Privacy Framework filing (where applicable). The clauses are incorporated into our Data Processing Agreement by reference.
Changes & contact
This policy may be updated as our product evolves. We'll always post the latest version at /legal/privacy with the "last updated" date at the top. For material changes affecting your rights, we'll notify the workspace admin at least 30 days in advance via email, and (where required) seek fresh consent.
Contact: for privacy questions, data subject requests, or anything about this policy — [email protected]. For security or breach notifications — [email protected]. Postal mail can be sent to Signal Mama, Inc. (mailing address available on request).