Legal · Privacy
Privacy Policy
First draft — pending attorney review. Not legal advice.
SignalCore service.
[ENTITY NAME] (Wyoming LLC), dba SignalCore. Effective: [DATE].Recommend generating the production version via Termly/iubenda from this data map, then counsel
review of the "sale/share" + sub-processor sections.
1. Who we are & the two roles we play ⚖ lawyer review
SignalCore provides B2B visitor intelligence: we help our business clients understand which companies visit their websites. We play two distinct roles, and this policy covers both:
- As a processor — when we process data on behalf of a client (the client's website event stream
- As a controller — we maintain a proprietary Identity Graph of world-facts (which company
and any CRM data they connect), the client is the controller and we act on its instructions. Those individuals should consult that client's privacy notice; we route data-subject requests to the client. This is governed by our Data Processing Addendum.
owns which IP address / network, plus public firmographics). We are the controller of that graph. It contains no individual person's data and no client's behavioral data.
This policy also covers data we collect from visitors to signal-core.app (our own site), where we are the controller.
2. Company-level, not person-level
We identify visitors at the level of the company, not the named individual. Our core resolution maps a (hashed) IP address to a business. We do not build profiles of identified natural persons from web browsing, and we do not merge area-level demographic data with any individual's identity.
3. What we collect
- From client websites (as processor): IP address (stored as a salted HMAC hash, per client),
- In the Identity Graph (as controller): IP/network→company mappings and public firmographics
- From signal-core.app visitors (as controller): standard web/analytics data, our own tracker
- Sources: directly from client sites (with the client's consent framework), public records and
pages viewed, time on page, and on-site events; a hashed email only where a visitor submits it with consent. Used to resolve the visiting company and score intent for that client.
(industry, size band, location). World-facts only.
data (company-level), and information you submit via forms (name, email, company — to respond to you).
registries, and licensed data providers (our sub-processors).
4. How we use data
To provide and improve the Service; to resolve companies and score intent for clients; to maintain the Identity Graph; to communicate with you; for security and legal compliance. We do not use any of this data for eligibility decisions (credit, employment, housing, insurance — see FCRA, below) and we do not sell client data.
5. Legal bases (GDPR/UK GDPR) ⚖ lawyer review
- Company-level resolution & the Identity Graph: legitimate interests (Art. 6(1)(f)) — B2B
- Cookies / any device-level tracking on signal-core.app: consent, via our cookie banner.
- Client-controlled processing: on the client's legal basis, under our DPA.
sales intelligence on business entities, supported by a documented Legitimate Interests Assessment. Company-level, cookieless identification is designed to be low-impact.
6. Cookies & tracking (signal-core.app)
We use necessary cookies and, with consent, analytics/marketing cookies. Non-essential cookies are blocked until you consent, and we honor Global Privacy Control (GPC) signals. Manage choices via our cookie banner.
7. Your California rights (CCPA/CPRA) ⚖ lawyer review
Depending on our activities, certain processing may constitute a "sale" or "share" of personal information (e.g., sending data to advertising platforms). You may:
- Opt out of sale/share via our "Do Not Sell or Share My Personal Information" link
- Request to know, delete, or correct your information, and not be discriminated against for
([URL]), and we honor GPC.
exercising rights. For client-controlled data, we act as a service provider and route your request to the relevant client. Submit requests at [PRIVACY REQUEST URL / EMAIL]; we will verify and respond within the statutory window.
8. Your rights (GDPR/UK)
Access, rectification, erasure, restriction, objection, portability, and the right to withdraw consent. Where we are processor, we forward your request to the controlling client. Contact: [PRIVACY EMAIL]. You may also opt out of being included in the Identity Graph / resolution at [URL].
9. Sharing & sub-processors
We share data with vendors that help us operate, under contract (DPAs in place). Current categories (maintained list at [SUBPROCESSOR URL]; see ../DPA_TEMPLATE.md):
- Infrastructure/hosting: Cloudflare (Workers, D1, storage, queues).
- IP/firmographic enrichment: IPinfo, Apollo, ipregistry / The Companies API.
- Person-level identity: RB2B (only if enabled; currently dormant).
- Email delivery: Resend. Payments: Stripe.
We do not sell client data. We may disclose data to comply with law or protect rights.
10. International transfers
Where data moves across borders, we rely on appropriate safeguards (e.g., EU/UK Standard Contractual Clauses, UK Addendum), as detailed in the DPA.
11. Retention & security
We retain data only as long as needed for the purposes above and per our retention schedule (e.g., raw events ~90 days; aggregates longer), then delete or de-identify. Security includes per-client HMAC peppers (so the same IP hashes differently per client), encryption in transit, access controls, and a crypto-shred erasure mechanism. No system is perfectly secure.
12. No FCRA / eligibility use
SignalCore data is for B2B sales and marketing only. It must not be used — by us or our clients — to determine any individual's eligibility for credit, insurance, employment, housing, or a government benefit, or as a "consumer report" under the Fair Credit Reporting Act.
13. Children
The Service is for businesses and not directed to children; we do not knowingly collect children's data.
14. Changes & contact
We'll post changes here with a new effective date and, where required, notify you. Contact: [ENTITY NAME], [ADDRESS], [PRIVACY EMAIL]. [EU/UK representative + DPO, if applicable.]