In this document · 16 sections
  1. 01Who we are
  2. 02Summary at a glance
  3. 03Data we collect
  4. 04How we use your data
  5. 05Sub-processors
  6. 06International transfers
  7. 07Cookies and similar technologies
  8. 08Data retention
  9. 09Your rights (GDPR / UK GDPR)
  10. 10California privacy rights
  11. 11India DPDP rights and grievance officer
  12. 12AI processing and automated decisions
  13. 13Security
  14. 14Children
  15. 15Changes to this notice
  16. 16Contact

Legal · Privacy Notice

Privacy Notice

This notice explains what personal data Signal Tracker collects, why we collect it, how we use and share it, and the rights you have over it. We default to collecting the least data needed to run the service.

EffectiveApril 20, 2026
01

Who we are

Signal Tracker is operated by CODERCOPS, a sole proprietorship operated by Anurag Verma (“we”,“us”, or “our”), located in India. For the purposes of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”), and the Digital Personal Data Protection Act, 2023 (“DPDP Act”), CODERCOPS is the controller (GDPR / UK GDPR), the business (CCPA/CPRA), and the data fiduciary (DPDP Act) of your personal data, except where expressly noted otherwise.

You can reach us at support@signal.codercops.com. For registered-office details and our grievance officer under the DPDP Act, see section 11.

02

Summary at a glance

  • What we collect: your email, name, and Google account ID; the product information, keywords, and writing samples you enter; encrypted Reddit access tokens you connect; usage logs; minimal device and request-log data; billing identifiers held by Polar.
  • Why we collect it: to provide the Signal Tracker service under our contract with you, to keep the service secure and reliable, to comply with law, and in limited cases to improve the service under a legitimate interest balanced against your privacy.
  • Who we share it with: a small, named set of sub-processors (Polar, Google, OpenAI, Sentry, Vercel, Railway, Neon, Upstash). We do not sell your personal data. We do not use it to train machine-learning models.
  • How long we keep it: for the duration of your subscription and up to thirty (30) days after an account-deletion request, except where we are legally required to retain it longer (for example, tax records).
  • Your rights: access, correction, deletion, portability, restriction, objection, and withdrawal of consent. See sections 9–11.
03

Data we collect

We collect the following categories of personal data:

  • Identity and account data. Your name, email address, Google account identifier, and avatar URL, obtained when you sign in with Google. Signal Tracker requests only the profile and email OAuth scopes; we do not access Gmail, Drive, Calendar, or any other Google product.
  • Product and voice inputs. Product descriptions, keyword lists, brand-voice writing samples, disclosure-style preferences, and any notes or draft replies you save.
  • Reddit connection data. When you connect a Reddit account, we store the OAuth access and refresh tokens encrypted at rest using a server-side key. We use these tokens only to fetch signals and, at your direction, to post replies you have approved. We do not store your Reddit password. You can disconnect at any time.
  • Usage data. Records of the signals you retrieve, replies you draft, ideas you generate, and AI usage logs (provider, model, operation, token counts, estimated cost) for billing and abuse-prevention.
  • Device and log data. IP address, user-agent, timestamps, request identifiers, and error traces, collected automatically from your browser and server logs.
  • Billing data. Name, email, transaction amounts, invoices, Polar customer identifier, subscription state, and billing-country information. Card numbers are never sent to or stored by Signal Tracker. Payment data is collected and held by Polar as Merchant of Record.
  • Communications. Support emails and other messages you send us.

We do not knowingly collect special-category data under GDPR Article 9 or sensitive personal information under the CCPA / CPRA. Please do not enter such data into product descriptions, keywords, or writing samples.

04

How we use your data

We process your personal data only where we have a lawful basis to do so. The table below maps each purpose to the data categories involved and the legal basis under GDPR / UK GDPR.

PurposeData usedLegal basis
Creating and maintaining your accountIdentity and account dataPerformance of the contract (Art. 6(1)(b))
Delivering the core service (fetching signals, generating drafts)Product and voice inputs, Reddit tokens, usage dataPerformance of the contract (Art. 6(1)(b))
Processing payments and invoicingBilling dataPerformance of the contract (Art. 6(1)(b)); legal obligation for tax records (Art. 6(1)(c))
Error monitoring, abuse prevention, securityDevice and log data, usage dataLegitimate interests in a secure service (Art. 6(1)(f))
Transactional email (welcome, payment failed, cancellation)Identity and billing dataPerformance of the contract (Art. 6(1)(b))
Product announcements and material updates to policiesIdentity dataLegitimate interests in keeping you informed (Art. 6(1)(f)); consent where required (Art. 6(1)(a))
Complying with law and defending legal claimsAll categories as necessaryLegal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f))

For residents of India, we rely on your consent under Section 6 of the DPDP Act for the processing described above, except where the processing is necessary for a contract with you or for compliance with law.

We do not sell your personal data, and we do not use it to train machine-learning models.

05

Sub-processors

We share personal data with a small number of vendors that help us operate the service. Each is bound by a written data-processing agreement or equivalent contractual controls.

Sub-processorPurposeData involvedRegion
Polar Software Inc.Merchant of Record; payments, invoicing, taxName, email, billing address, card data, transaction historyUK / EU / US
Google LLC (Google OAuth)Authentication (sign-in)Email, name, Google account ID, avatar URLUS
Reddit, Inc.Reddit API access under your own credentialsYour Reddit ID and any content you fetch or postUS
OpenAI, L.L.C. (and any successor AI provider)Inference for classification, drafting, and idea generationSignal text (truncated), your product description and voice configuration, the specific prompt sent on your behalfUS
Functional Software, Inc. (Sentry)Error monitoringError traces and request identifiers; PII is scrubbed before sendUS
Vercel Inc.Frontend hosting and edge deliveryRequest log dataUS
Railway Corp.Backend hostingAll application data processed by the APIUS
Neon Inc.Managed PostgreSQL databaseAll persistent application dataUS
Upstash, Inc.Managed Redis cache and queueEphemeral cached data, job payloadsUS

We review this list periodically and will update it when we add, remove, or change a sub-processor. Material changes are announced by email.

Our AI providers operate under their standard API terms, which provide that data sent via the API is not used to train their models by default. OpenAI retains API inputs for a limited period to monitor abuse and then deletes them.

06

International transfers

Signal Tracker is operated from India, and most of our sub-processors operate from or store data in the United States. When personal data of individuals in the European Economic Area, the United Kingdom, or Switzerland is transferred outside those regions, we rely on (a) the European Commission’s Standard Contractual Clauses as updated in 2021, with the UK Addendum where relevant, or (b) the transferee’s certification under the EU–US Data Privacy Framework (or its UK Extension / Swiss–US equivalent), where available.

For residents of India, your personal data is primarily processed in India and in the countries listed in section 5. We transfer data outside India only to countries not restricted by the Central Government under Section 16 of the DPDP Act.

You can request a copy of the safeguards applicable to a specific transfer by writing to support@signal.codercops.com.

07

Cookies and similar technologies

Signal Tracker uses only the cookies that are strictly necessary to run the service. We do not use advertising cookies, analytics cookies, or any cross-site tracking technology. We do not use pixel tags, fingerprinting, or session replay.

CookiePurposeLifetimeProperties
access_tokenKeeps you signed in across page loads4 hoursHttpOnly, Secure, SameSite=Lax
refresh_tokenIssues new access tokens without requiring re-login7 daysHttpOnly, Secure, SameSite=Lax

Because these cookies are strictly necessary for you to sign in and use the service, no consent banner is required under the ePrivacy Directive or the UK Privacy and Electronic Communications Regulations. You can clear these cookies via your browser at any time; doing so signs you out.

08

Data retention

  • Account and product data is retained for as long as your subscription is active and for up to thirty (30) days after you cancel or request deletion, after which it is permanently deleted from live systems. Backups are purged on a rolling ninety (90) day cycle.
  • Billing records (invoices, tax data) are retained by us and Polar for the period required by applicable tax law (typically seven (7) years under Indian law).
  • Error logs in Sentry are retained for ninety (90) days and then deleted automatically.
  • Security and abuse-prevention logs are retained for up to one (1) year.
  • Support communications are retained for up to two (2) years after the matter is closed.
  • Aggregated and anonymized data that no longer identifies you may be retained indefinitely for product analytics.
09

Your rights (GDPR / UK GDPR)

If the GDPR or UK GDPR applies to your personal data, you have the following rights, subject to the conditions and limitations set out in those laws:

  • Right of access (Art. 15) — obtain confirmation of whether we process your data and a copy of it.
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data.
  • Right to erasure (Art. 17) — ask us to delete your personal data where one of the grounds in the GDPR applies.
  • Right to restriction (Art. 18) — ask us to stop processing your data in certain circumstances.
  • Right to portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21) — object to processing based on our legitimate interests or to direct marketing.
  • Right not to be subject to solely automated decisions (Art. 22) — see section 12.
  • Right to withdraw consent where processing is based on consent (Art. 7(3)), without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, email support@signal.codercops.com. We will respond within thirty (30) days as required by law, and may ask you to verify your identity before acting.

You also have the right to lodge a complaint with a supervisory authority. In the United Kingdom, this is the Information Commissioner’s Office. In the European Union, it is the data-protection authority of your country of residence or workplace.

10

California privacy rights

If you are a California resident, the CCPA as amended by the CPRA gives you specific rights regarding your personal information.

  • Right to know what categories of personal information we collect, the sources, the purposes for which we use it, and the categories of third parties with whom we share it. The disclosures in sections 3 through 6 of this notice satisfy this right.
  • Right to delete personal information we have collected about you, subject to exceptions under California law.
  • Right to correct inaccurate personal information.
  • Right to limit the use of sensitive personal information. We do not use sensitive personal information for any purpose beyond what is reasonably necessary to provide the service.
  • Right to opt out of sale or sharing.
  • Right to non-discrimination for exercising your privacy rights.

To exercise any of these rights, email support@signal.codercops.com with the subject line “California privacy request.” We will respond within forty-five (45) days as required by the CCPA. You may use an authorized agent; we will verify both your identity and the agent’s authority.

11

India DPDP rights and grievance officer

If you are located in India, the Digital Personal Data Protection Act, 2023 gives you the following rights as a Data Principal:

  • Right to access a summary of the personal data we process about you, the processing activities, and the identities of other data fiduciaries or processors with whom it is shared.
  • Right to correction, completion, updating, and erasure of your personal data.
  • Right to grievance redressal through the mechanism below.
  • Right to nominate another person to exercise your rights in the event of death or incapacity.
  • Right to withdraw consent at any time, with the same ease as giving it.
12

AI processing and automated decisions

Signal Tracker uses AI models provided by OpenAI (and potentially additional providers we engage in the future) to classify signals and generate draft replies and post ideas. These operations involve sending relevant portions of your Inputs to the provider’s API. Providers do not use API inputs to train their models by default; our contracts and their API terms reflect this.

Signal Tracker does not make solely automated decisions that produce legal or similarly significant effects on you within the meaning of Article 22 GDPR. AI suggestions are shown to you for review and require your explicit approval before any action is taken. No signal classification, reply draft, or idea determines access to services, employment, credit, or any other legally significant outcome.

The AI-generated-content notice required by Article 50 of the EU AI Act is provided in our Terms of Service.

13

Security

We take the security of your data seriously. Our measures include:

  • Encryption in transit using TLS for all connections to the Signal Tracker application and APIs.
  • Encryption at rest for Reddit OAuth tokens, using the Fernet authenticated-encryption construction with a server-side key kept in a secret manager, so that database disclosure alone does not expose usable tokens.
  • Least-privilege access for staff, with access to production data limited to what is needed for operations and support.
  • Scoped OAuth with Google (only profile and email) and with Reddit (the minimum scopes required).
  • Rate-limiting and abuse protection at the API layer.
  • Error monitoring with PII scrubbing so that error reports sent to Sentry do not contain user-identifying fields.
  • Secret management with rotation for keys and tokens.

No system is perfectly secure. In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within the timelines required by applicable law (including the seventy-two (72) hour window under GDPR Article 33 where applicable).

14

Children

Signal Tracker is not directed to and not intended for children under the age of eighteen (18). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please email support@signal.codercops.com and we will delete it promptly.

15

Changes to this notice

We may update this Privacy Notice to reflect changes in our practices, the services we integrate, or the law. If the changes are material, we will notify you by email and post a notice in the product at least thirty (30) days before the changes take effect. The “Effective” date at the top of this page indicates when this notice was last revised. We keep previous versions on file and can share them on request.

16

Contact

Questions, rights requests, or concerns? Email support@signal.codercops.com. We read every message and respond within the timelines set out in sections 9 through 11.

CODERCOPS · Anurag Verma · India