Privacy Policy
Last updated: March 26, 2026
1. Introduction
Signuply.io Sp. z o.o. with registered office in Łódź at ul. Semaforowa 9, 92-632 Łódź, Poland, Tax ID (NIP): 7282889300, REGON: 529657839, KRS: 0001127475 (hereinafter referred to as "we," "our," or "Signuply") provides AI-powered business automation services, including: AI website chat and lead capture (Signuply Chat), AI voice agents (Signuply Voice), email routing and classification, workflow automation, and related tools.
This Privacy Policy explains how we collect, use, and protect your personal data when you use any of our services — whether through our platform, integrations, or directly via our website.
We operate in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as "GDPR").
2. Data Controller
The controller of your personal data is:
Signuply.io Sp. z o.o.
Address: ul. Semaforowa 9, 92-632 Łódź, Poland
Tax ID (NIP): 7282889300
REGON: 529657839
KRS: 0001127475
Email: contact@signuply.io
If you have any questions regarding the processing of personal data, you can contact us at: contact@signuply.io
3. What Data We Collect
3.1 OAuth Authorization
When you connect your email account using the OAuth 2.0 protocol, we receive:
Google (Gmail)
- Your Google account email address
- Access tokens (access & refresh tokens)
- Permissions to Gmail API
- Basic profile (name, photo - optional)
Microsoft (Outlook/365)
- Your Microsoft account email address
- Access tokens (access & refresh tokens)
- Permissions to Microsoft Graph API
- Basic profile (name, photo - optional)
3.2 Email Message Data
As part of providing the service, we process the following data from your email messages:
- Message content (subject, body, sender, recipients)
- Message metadata (date, time, size, message ID)
- Message attachments (file names, content)
- Message headers (From, To, Subject, Date, Message-ID, Reply-To)
- Message status (read/unread, flagged)
3.3 Technical Data
We automatically collect the following technical data:
- IP address
- Browser type and operating system
- Authorization timestamps and system activity
- Error logs and system activity logs
- User Agent (browser identifier)
3.4 Signuply Chat Widget Data
When the Signuply Chat widget is deployed on a customer's website, we process the following data about website visitors who interact with the widget (on behalf of the customer — as a data processor):
- Conversation content: messages sent by visitors and responses generated by the AI assistant
- Contact details voluntarily provided: email address, phone number, name (when entered by the visitor)
- IP address and approximate location of the visitor's device
- Browser / User Agent — type and version of the browser used
- Session metadata: timestamps, conversation duration, page URL where the widget is embedded
- Hot lead score: AI-generated classification of conversation intent (cold / warm / hot), based on conversation signals
Data controller for visitor data:
The customer who has installed the Signuply Chat widget on their website is the data controller for visitor personal data. Signuply acts as a data processor on the customer's behalf. Visitors should refer to the privacy policy of the website where the widget is installed.
Retention: Chat conversation data is retained for the duration of the customer's active subscription, plus 30 days after termination for export purposes, unless earlier deletion is requested.
3.5 Voice AI Data (Vapi)
For customers using Signuply Voice Agent services, we process the following data via our voice AI infrastructure provider (Vapi AI, Inc.):
- Phone numbers: caller and callee phone numbers involved in AI-handled calls
- Voice recordings: audio recordings of calls handled by the AI voice agent
- Transcriptions: text transcriptions generated from call recordings
- Call metadata: timestamps, duration, call status, outcome classification
- AI-generated summaries: brief summaries of call content and detected intent
Important — voice call participants:
Persons contacted by the voice agent are informed at the start of the call that they are speaking with an AI system (in compliance with EU AI Act Art. 50). Call recording takes place only in jurisdictions where it is lawful and where the customer has obtained the necessary consents.
Retention: Voice recordings are retained for up to 7 days by default. Transcriptions and metadata are retained for the duration of the customer's subscription. Customers may request earlier deletion via contact@signuply.io.
Voice infrastructure is provided by Vapi AI, Inc. (USA). Data transfers are covered by Standard Contractual Clauses. See our Subprocessors List for details.
3.6 Authentication Data (Clerk)
User authentication and account management for Signuply SaaS products is provided by Clerk, Inc. The following data is processed:
- Email address and username used to register
- Password hash (Clerk stores a salted hash — we do not have access to plaintext passwords)
- Multi-factor authentication (MFA) data: TOTP secrets, backup codes (encrypted)
- Session tokens: used to maintain authenticated sessions; stored securely and rotated on each login
- OAuth social login tokens: if you sign in via Google or other providers
- Login history: timestamps and IP addresses of authentication events
Retention: Authentication data is retained for the duration of your account. Upon account deletion, Clerk purges authentication records within 30 days.
Authentication infrastructure is provided by Clerk, Inc. (USA). See our Subprocessors List.
3.7 Payment Data (Stripe)
Payment processing for Signuply subscriptions is handled entirely by Stripe, Inc. We do not store payment card data. The following data is processed by Stripe on our behalf:
- Payment card details (card number, expiry, CVV) — collected and tokenized by Stripe directly; Signuply never has access to raw card data
- Billing name and address
- Transaction history: subscription payments, refunds, failed charges
- Stripe customer ID — a reference token stored by Signuply to link your account to Stripe records
- Invoice data: amounts, dates, subscription plan details
Retention: Transaction records and invoices are retained for 5 years to comply with Polish accounting law. Stripe may retain data longer in accordance with their own policies and applicable regulations.
Stripe, Inc. is PCI-DSS Level 1 certified. See Stripe Privacy Policy and our Subprocessors List.
3.8 Analytics Data (Cookies)
Using Google Analytics 4 (GA4), we collect analytics data about website usage:
- Traffic source (where you came from)
- Time spent on site
- User actions (clicks, scrolling)
- Anonymous session ID
- Approximate geographic location (country, city)
GA4 data is processed by Google LLC based in the USA. More information: Google Privacy Policy
4. Purpose and Legal Basis for Data Processing
We process your personal data for the following purposes:
4.1 Service Provision (Art. 6(1)(b) GDPR)
Purpose: Automatic categorization of incoming emails, sending automatic responses, saving attachments, generating reports.
Legal basis: Performance of a contract for the provision of services.
Retention period: For the duration of the contract and until the expiry of the statute of limitations for claims (in accordance with the Civil Code).
4.2 Compliance with Legal Obligations (Art. 6(1)(c) GDPR)
Purpose: Issuing invoices, maintaining accounting records, archiving documents.
Legal basis: Compliance with legal obligations (Accounting Act, tax regulations).
Retention period: 5 years from the end of the year in which the tax obligation arose.
4.3 Legitimate Interests (Art. 6(1)(f) GDPR)
Purposes:
- Establishing, pursuing, and defending claims
- Ensuring IT security (monitoring, security logs)
- Analyzing service usage for improvement purposes (GA4)
- Direct marketing of our services (for existing customers)
Retention period: Until the expiry of the statute of limitations for claims or until a valid objection is raised.
4.4 Consent (Art. 6(1)(a) GDPR)
Purpose: Newsletter, marketing of partner products, analytics cookies (GA4), profiling.
Retention period: Until consent is withdrawn.
Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
5. How We Use Your Data
We use your data only to the extent necessary to provide the service:
- Automatic categorization: Analyzing message content using artificial intelligence (AI) to assign the appropriate category
- Automatic responses: Sending initial responses based on the identified category
- Attachment management: Automatically saving attachments in designated locations (e.g., Google Drive, OneDrive)
- Reporting: Generating summaries and statistics about processed messages
- Service improvement: Analyzing anonymized data to optimize categorization algorithms
- Website analytics: Tracking traffic on connect.signuply.io using Google Analytics 4
IMPORTANT:
We do not permanently store the content of your email messages. We process them in real-time and do not create backups of message content.
6. Sharing Data with Third Parties (Subprocessors)
To provide our services, we engage third-party companies — called subprocessors — that process personal data on our behalf. In accordance with Art. 28 GDPR, we enter into a Data Processing Agreement (DPA) with each subprocessor to ensure an appropriate level of security.
Full list of subprocessors
The complete, up-to-date list of our subprocessors — including their names, locations, processing purposes, and applicable safeguards — is published at:
signuply.io/legal/subprocessors
We use subprocessors in the following categories:
- Cloud infrastructure & hosting — application hosting, database, CDN (e.g. Vercel, Supabase, Hostinger)
- AI processing — conversation analysis, email analysis, automated response generation (e.g. OpenAI, Google Gemini, Anthropic)
- AI Chat widget — processing visitor conversations, lead scoring (Signuply Chat infrastructure)
- Voice AI infrastructure — AI phone calls, call recording, transcription (Vapi AI, Inc., USA)
- Authentication — user account management, session tokens, MFA (Clerk, Inc., USA)
- Payment processing — subscription billing, invoicing (Stripe, Inc., USA)
- Workflow automation — orchestration of integrations between systems (e.g. Make, n8n)
- Email & calendar integrations — OAuth access to Gmail and Outlook (Google LLC, Microsoft)
- Analytics — anonymous website traffic analysis (Google Analytics 4)
Notification of changes
We will notify you of any planned addition or replacement of a subprocessor at least 14 days in advance. You have the right to raise a justified objection. In the event of an unresolved objection, you may terminate the service agreement in accordance with the Terms of Service.
All subprocessors operate under data processing agreements in accordance with Art. 28 GDPR. For transfers of data outside the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCC) approved by the European Commission and additional technical safeguards (encryption, pseudonymisation) pursuant to Chapter V GDPR.
7. Data Transfers to Third Countries
Some of our subprocessors have headquarters or servers located in the United States or other countries outside the European Economic Area (EEA), which are third countries under GDPR.
To ensure an adequate level of protection for all such transfers, we rely on:
- Standard Contractual Clauses (SCC) adopted by the European Commission pursuant to Art. 46(2)(c) GDPR
- Additional technical and organisational measures (encryption, pseudonymisation, access controls)
- Data Processing Agreements (DPAs) with each subprocessor, incorporating GDPR Chapter V requirements
Detailed information about the safeguards applied by each individual subprocessor — including their location, certifications (ISO 27001, SOC 2, etc.), and applicable transfer mechanisms — is available in our Subprocessors List.
8. Cookies and Tracking Technologies
8.1 What Are Cookies?
Cookies are small text files stored on your device (computer, phone, tablet) when visiting a website. They allow the site to "remember" your actions and preferences.
8.2 What Cookies Do We Use?
Strictly Necessary Cookies (Required)
Purpose: Enable basic site functions (OAuth authorization, CSRF protection)
Name: oauth_state, csrf_token
Lifespan: Session (deleted after closing browser)
Legal basis: Art. 6(1)(b) GDPR (contract performance)
✓ You cannot refuse - they are necessary for operation
Google Analytics 4 (Optional)
Purpose: Website traffic analysis, usage statistics, UX optimization
Name: _ga, _ga_*, _gid
Lifespan: Up to 2 years (_ga), 24 hours (_gid)
Provider: Google LLC (USA)
Legal basis: Art. 6(1)(a) GDPR (consent)
ⓘ You can opt out in the cookie banner or browser settings
8.3 Managing Cookies
Cookie Banner: On your first visit, we display a banner allowing you to choose which cookies to accept.
Browser Settings: You can block cookies in your browser settings:
- Chrome: Settings → Privacy and security → Cookies
- Firefox: Settings → Privacy & Security → Cookies
- Safari: Preferences → Privacy → Manage Website Data
- Edge: Settings → Cookies and site permissions
Note: Blocking strictly necessary cookies may prevent OAuth authorization.
8.4 Google Analytics 4 - Details
Google Analytics 4 collects the following data:
- Anonymous user identifier (not linked to specific individuals)
- Device and browser type
- Approximate location (country, city)
- Traffic source (where you came from)
- Pages visited and time spent
- Button and link clicks
IP Anonymization: IP addresses are anonymized (last octet masked).
Opt-out: You can opt out of GA4 by installing:
- Google Analytics Opt-out Browser Add-on
- Or by rejecting analytics cookies in our banner
9. Data Storage and Security
9.1 Retention Period
- OAuth tokens (Google/Microsoft): Until authorization is revoked or contract termination
- Message content: Not permanently stored - real-time processing only
- System logs: 30 days (for diagnostics and security)
- Categorization metadata: 12 months (for reporting purposes)
- Invoices and accounting documents: 5 years (legal requirement)
- GA4 data: 14 months (Google's default setting)
9.2 Security Measures
We implement the following technical and organizational measures:
- Encryption: TLS 1.3 for data transmission, AES-256 for token storage
- Access control: Data access only for authorized employees (principle of least privilege)
- Monitoring: 24/7 infrastructure security monitoring
- Backups: Automated OAuth token backups (encrypted)
- Security testing: Regular audits and penetration tests
- Procedures: Documented security incident response procedures
- Multi-factor authentication (MFA): Required for administrative access
OAuth Security:
OAuth tokens are stored in an encrypted database. We do not have access to your Google/Microsoft account password - authorization is performed directly by the provider (Google/Microsoft).
10. Your Rights (GDPR)
As a data subject, you have the following rights:
Right of Access (Art. 15 GDPR)
You can obtain confirmation of whether we process your data and a copy of that data.
Right to Rectification (Art. 16 GDPR)
You can request correction of inaccurate data or completion of incomplete data.
Right to Erasure "Right to be Forgotten" (Art. 17 GDPR)
You can request deletion of data when it is no longer necessary for the purposes collected.
Right to Restriction of Processing (Art. 18 GDPR)
You can request restriction of processing in certain circumstances.
Right to Data Portability (Art. 20 GDPR)
You can receive your data in a structured format (e.g., JSON, CSV).
Right to Object (Art. 21 GDPR)
You can object to processing for marketing purposes or based on legitimate interests.
Right to Withdraw Consent (Art. 7(3) GDPR)
If processing is based on consent (e.g., GA4, newsletter), you can withdraw it at any time.
Right to Lodge a Complaint (Art. 77 GDPR)
You can file a complaint with the President of the Personal Data Protection Office (PUODO).
How to Exercise Your Rights?
To exercise the above rights, contact us at:
- Email: contact@signuply.io
- Subject line: "GDPR - [type of request]"
We will respond to your request without undue delay, but no later than one month from receiving it. In case of complex requests, we may extend this period by an additional two months, informing you beforehand with reasons.
11. Revoking Email Access
You can revoke our authorization to your email account at any time:
Gmail (Google)
- Go to Google Account Permissions
- Find "Signuply Email Router"
- Click "Remove Access"
Outlook/Microsoft 365
- Go to Microsoft App Permissions
- Find "Signuply Email Router"
- Click "Remove these permissions"
After revoking access:
- We will immediately stop processing your email messages
- We will delete stored OAuth tokens within 24 hours
- The service will stop working
- We will retain accounting data (invoices) for the legally required period
Revoking OAuth access is equivalent to terminating the service agreement.
12. Profiling and Automated Decisions
As part of our services, we use automated processing (AI) in the following ways:
Email Categorization
We use AI to automatically categorize incoming email messages. This is a purely operational function and does not affect contract terms, service access, or the legal rights and obligations of any party.
Hot Lead Scoring (Signuply Chat)
Signuply Chat uses AI to automatically classify visitor conversations as cold, warm, or hot based on intent signals detected during the conversation (e.g. asking about pricing, requesting contact, leaving details).
This classification is provided as a tool to assist our customers in prioritizing follow-up. We do not make automated decisions that directly produce legal effects concerning visitors (Art. 22 GDPR). The lead score is a recommendation — the customer's team makes all final decisions regarding follow-up or business action.
Customers deploying Signuply Chat are responsible for informing their website visitors about automated processing, and for ensuring a lawful basis for such processing under GDPR.
Profiling by Google Analytics 4
GA4 may create user profiles based on website behavior (so-called "audience segments"). This data is anonymous (not linked to specific individuals), used only for site optimization, and does not affect service terms. You can withdraw consent at any time (see section 8.3).
13. Contact with Supervisory Authority
If you believe that the processing of your personal data violates GDPR provisions, you can file a complaint with the supervisory authority:
Personal Data Protection Office (PUODO)
Address: ul. Stawki 2, 00-193 Warsaw, Poland
Phone: +48 22 531 03 00
Email: kancelaria@uodo.gov.pl
Website: https://uodo.gov.pl
14. Changes to Privacy Policy
We may periodically update this Privacy Policy to reflect changes in our practices or for legal reasons.
We will inform you of significant changes through:
- Email notification (sent to the email address associated with the service)
- Notice on the signuply.io website
- At least 14 days before the changes take effect
The date of the last update is always visible at the top of this document.
15. Contact
If you have questions about this Privacy Policy or the processing of your personal data, please contact us:
Contact Details:
Email: contact@signuply.io
Postal address: Signuply.io Sp. z o.o., ul. Semaforowa 9, 92-632 Łódź, Poland
Subject: "Data Protection"