Privacy Policy

1. Introduction

Signuply.io Sp. z o.o. with registered office in Łódź at ul. Semaforowa 9, 92-632 Łódź, Poland, Tax ID (NIP): 7282889300, REGON: 529657839, KRS: 0001127475 (hereinafter referred to as "we," "our," or "Signuply") provides AI-powered business automation services, including email routing and classification, AI voice agents, workflow automation, and related tools.

This Privacy Policy explains how we collect, use, and protect your personal data when you use any of our services — whether through our platform, integrations, or directly via our website.

We operate in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as "GDPR").

2. Data Controller

The controller of your personal data is:

If you have any questions regarding the processing of personal data, you can contact us at:contact@signuply.io

3. What Data We Collect

3.1 OAuth Authorization

When connecting your email account using OAuth 2.0 protocol, we receive:

3.2 Email Message Data

As part of providing the service, we process the following data from your email messages:

• Message content (subject, body, sender, recipients)
• Message metadata (date, time, size, message ID)
• Message attachments (file names, content)
• Message headers (From, To, Subject, Date, Message-ID, Reply-To)
• Message status (read/unread, flagged)

3.3 Technical Data

We automatically collect the following technical data:

• IP address
• Browser type and operating system
• Authorization timestamps and system activity
• Error logs and system activity logs
• User Agent (browser identifier)

3.4 Analytics Data (Cookies)

Using Google Analytics 4 (GA4), we collect analytics data about website usage:

• Traffic source (where you came from)
• Time spent on site
• User actions (clicks, scrolling)
• Anonymous session ID
• Approximate geographic location (country, city)

GA4 data is processed by Google LLC based in the USA. More information:Google Privacy Policy

4. Purpose and Legal Basis for Data Processing

4.1 Service Provision (Art. 6(1)(b) GDPR)

Purpose: Automatic categorization of incoming emails, sending automatic responses, saving attachments, generating reports.

Legal basis: Performance of a contract for the provision of services.

Retention period: For the duration of the contract and until the expiry of the statute of limitations for claims (in accordance with the Civil Code).

4.2 Compliance with Legal Obligations (Art. 6(1)(c) GDPR)

Purpose: Issuing invoices, maintaining accounting records, archiving documents.

Legal basis: Compliance with legal obligations (Accounting Act, tax regulations).

Retention period: 5 years from the end of the year in which the tax obligation arose.

4.3 Legitimate Interests (Art. 6(1)(f) GDPR)

Purposes:

• Establishing, pursuing, and defending claims
• Ensuring IT security (monitoring, security logs)
• Analyzing service usage for improvement purposes (GA4)
• Direct marketing of our services (for existing customers)

Retention period: Until the expiry of the statute of limitations for claims or until a valid objection is raised.

4.4 Consent (Art. 6(1)(a) GDPR)

Purpose: Newsletter, marketing of partner products, analytics cookies (GA4), profiling.

Retention period: Until consent is withdrawn.

Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

5. How We Use Your Data

We use your data only to the extent necessary to provide the service:

• Automatic categorization: Analyzing message content using artificial intelligence (AI) to assign the appropriate category
• Automatic responses: Sending initial responses based on the identified category
• Attachment management: Automatically saving attachments in designated locations (e.g., Google Drive, OneDrive)
• Reporting: Generating summaries and statistics about processed messages
• Service improvement: Analyzing anonymized data to optimize categorization algorithms
• Website analytics: Tracking traffic on connect.signuply.io using Google Analytics 4

6. Sharing Data with Third Parties (Subprocessors)

To provide our services, we engage third-party companies — called subprocessors — that process personal data on our behalf. In accordance with Art. 28 GDPR, we enter into a Data Processing Agreement (DPA) with each subprocessor to ensure an appropriate level of security.

We use subprocessors in the following categories:

• Cloud infrastructure & hosting — application hosting, database, CDN (e.g. Vercel, Supabase, Hostinger)
• AI processing — email analysis and automated response generation (e.g. Google Gemini, OpenAI, Anthropic)
• Workflow automation — orchestration of integrations between systems (e.g. Make, n8n)
• Email & calendar integrations — OAuth access to Gmail and Outlook (Google LLC, Microsoft)
• Analytics — anonymous website traffic analysis (Google Analytics 4)

All subprocessors operate under data processing agreements in accordance with Art. 28 GDPR. For transfers of data outside the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCC) approved by the European Commission and additional technical safeguards (encryption, pseudonymisation) pursuant to Chapter V GDPR.

7. Data Transfers to Third Countries

Some of our subprocessors have headquarters or servers located in the United States or other third countries outside the European Economic Area (EEA), which are third countries under GDPR.

To ensure an adequate level of protection for all such transfers, we rely on:

• Standard Contractual Clauses (SCC) adopted by the European Commission pursuant to Art. 46(2)(c) GDPR
• Additional technical and organisational measures (encryption, pseudonymisation, access controls)
• Data Processing Agreements (DPAs) with each subprocessor, incorporating GDPR Chapter V requirements

Detailed information about the safeguards applied by each individual subprocessor — including their location, certifications (ISO 27001, SOC 2, etc.), and applicable transfer mechanisms — is available in our Subprocessors List.

8. Cookies and Tracking Technologies

8.1 What Are Cookies?

Cookies are small text files stored on your device (computer, phone, tablet) when visiting a website. They allow the site to "remember" your actions and preferences.

8.2 What Cookies Do We Use?

8.3 Managing Cookies

Cookie Banner: On your first visit, we display a banner allowing you to choose which cookies to accept.

Browser Settings: You can block cookies in your browser settings:

• Chrome: Settings → Privacy and security → Cookies
• Firefox: Settings → Privacy & Security → Cookies
• Safari: Preferences → Privacy → Manage Website Data
• Edge: Settings → Cookies and site permissions

Note: Blocking strictly necessary cookies may prevent OAuth authorization.

8.4 Google Analytics 4 - Details

Google Analytics 4 collects the following data:

• Anonymous user identifier (not linked to specific individuals)
• Device and browser type
• Approximate location (country, city)
• Traffic source (where you came from)
• Pages visited and time spent
• Button and link clicks

IP Anonymization: IP addresses are anonymized (last octet masked).

Opt-out: You can opt out of GA4 by installing:

• Google Analytics Opt-out Browser Add-on
• Or by rejecting analytics cookies in our banner

9. Data Storage and Security

9.1 Retention Period

• OAuth tokens (Google/Microsoft): Until authorization is revoked or contract termination
• Message content: Not permanently stored - real-time processing only
• System logs: 30 days (for diagnostics and security)
• Categorization metadata: 12 months (for reporting purposes)
• Invoices and accounting documents: 5 years (legal requirement)
• GA4 data: 14 months (Google's default setting)

9.2 Security Measures

We implement the following technical and organizational measures:

• Encryption: TLS 1.3 for data transmission, AES-256 for token storage
• Access control: Data access only for authorized employees (principle of least privilege)
• Monitoring: 24/7 infrastructure security monitoring
• Backups: Automated OAuth token backups (encrypted)
• Security testing: Regular audits and penetration tests
• Procedures: Documented security incident response procedures
• Multi-factor authentication (MFA): Required for administrative access

10. Your Rights (GDPR)

As a data subject, you have the following rights:

How to Exercise Your Rights?

To exercise the above rights, contact us at:

• Email: contact@signuply.io
• Subject line: "GDPR - [type of request]"

We will respond to your request without undue delay, but no later than one month from receiving it. In case of complex requests, we may extend this period by an additional two months, informing you beforehand with reasons.

11. Revoking Email Access

You can revoke our authorization to your email account at any time:

After revoking access:

• We will immediately stop processing your email messages
• We will delete stored OAuth tokens within 24 hours
• The service will stop working
• We will retain accounting data (invoices) for the legally required period

Revoking OAuth access is equivalent to terminating the service agreement.

12. Profiling and Automated Decisions

As part of the service, we use automated processing (AI) to categorize email messages.

We do not make automated decisions that produce legal effects or similarly significantly affect you (Art. 22 GDPR).

Email categorization is purely auxiliary and does not affect:

• Contract terms
• Service access
• Rights and obligations of the parties

Profiling by Google Analytics 4

GA4 may create user profiles based on website behavior (so-called "audience segments"). This data is:

• Anonymous (not linked to specific individuals)
• Used only for site optimization
• Does not affect service terms

You can withdraw consent for GA4 profiling at any time (see section 8.3).

13. Contact with Supervisory Authority

If you believe that the processing of your personal data violates GDPR provisions, you can file a complaint with the supervisory authority:

14. Changes to Privacy Policy

We may periodically update this Privacy Policy to reflect changes in our practices or for legal reasons.

We will inform you of significant changes through:

• Email notification (sent to the email address associated with the service)
• Notice on the connect.signuply.io website
• At least 30 days before the changes take effect

The date of the last update is always visible at the top of this document.

15. Contact

If you have questions about this Privacy Policy or the processing of your personal data, please contact us: