Privacy Policy

Last updated: April 19, 2026

1. Introduction

Nofluff Advisory LLC, doing business as Signal-Stack ("Signal-Stack", "we", "us", or "our"), operates the Signal-Stack platform, accessible at signal-stack.io (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By accessing or using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our Service.

If you have questions or concerns about this policy, contact us at privacy@signal-stack.io.

2. Information We Collect

2.1 Information You Provide Directly

  • Account information: Name, work email address, and password when you register.
  • Connector credentials: API keys (e.g., Gong API key) that you enter to connect third-party services.
  • Communications: Any messages or support requests you send us.

2.2 Information We Collect Automatically

  • Usage data: Pages visited, features used, and interactions with the Service.
  • Device and log data: IP address, browser type, operating system, and timestamps of requests.
  • Cookies: Session cookies to maintain your authenticated state. We do not use advertising or tracking cookies.

2.3 Information From Third-Party Integrations

When you connect third-party services, we access data from those services on your behalf and with your explicit authorization:

  • Google Gmail API: Email thread metadata, message bodies, and headers from threads involving prospects you are researching. We access only threads relevant to your pre-call intelligence requests.
  • Google Calendar API: Calendar event titles, start times, and attendee email addresses for your scheduled meetings. We use this to identify upcoming external meetings.
  • Gong API: Call recording metadata, transcripts (speaker-isolated), tracker data, talk-time analytics, and AI-generated call summaries for contacts in your Gong workspace.
  • LinkedIn: When you upload your LinkedIn data export or connect via OAuth, we process your connection list (names, companies, positions, LinkedIn URLs), relationship signals (endorsements, recommendations, invitation direction, messaging frequency), and company follows. Email addresses within connection data are encrypted at rest using AES-256-GCM. Message content is never stored — only aggregate counts and dates.
  • Salesforce: Contact records, opportunity/deal data, account information, and activity history for prospects you are researching.
  • HubSpot: Contact properties, deal pipeline data, company records, and engagement history.
  • Clay: Enrichment data (company firmographics, contact details) received via webhook integration.

We access third-party data only to provide the Service. We do not sell or share this data with third parties for advertising or unrelated purposes.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and improve the Service
  • Generate AI-powered pre-call intelligence briefings
  • Authenticate your identity and maintain your session
  • Send transactional emails (verification, password reset, briefing digests)
  • Monitor and analyze usage patterns to improve performance and reliability
  • Detect, prevent, and address technical issues or security incidents
  • Comply with legal obligations

We do not use your data to train AI models. We do not use Gmail, Calendar, or Gong data for any purpose other than generating your requested briefings.

4. Lawful Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data under the following legal bases:

  • Contract performance (Art. 6(1)(b)): Processing your account data, generating briefings, and managing your subscription are necessary to provide the Service you have requested.
  • Consent (Art. 6(1)(a)): Connecting third-party integrations (Google, Gong, LinkedIn, Salesforce, HubSpot) is based on your explicit consent via OAuth authorization or data upload. You may withdraw consent at any time by disconnecting the integration.
  • Legitimate interest (Art. 6(1)(f)): We process limited third-party contact data (names, companies, positions) from your LinkedIn connections to compute network overlaps and relationship signals. Our legitimate interest is providing accurate sales intelligence. We have assessed that this processing does not override the rights and freedoms of the data subjects, given that: (a) only professional/business context data is used, (b) email addresses are encrypted at rest, (c) data subjects can request erasure via the data subject rights process below, (d) data is automatically purged after 90 days, and (e) processing is restricted to overlap analysis — no marketing or profiling is performed.
  • Exemption from individual notification (Art. 14(5)(b)): When your LinkedIn connections' data is uploaded by another user, we rely on the disproportionate effort exemption under GDPR Article 14(5)(b) for not individually notifying each data subject. This is justified because: (a) uploads may contain thousands of connections, making individual notification impracticable, (b) we do not hold verified contact details for most data subjects, (c) this privacy policy is publicly accessible and clearly describes the processing, (d) data is limited to professional context (names, companies, positions) and is automatically purged after 90 days, and (e) data subjects may exercise their rights at any time by contacting privacy@signal-stack.io.
  • Legal obligation (Art. 6(1)(c)): We may process data to comply with applicable laws, regulations, or legal requests.

5. Google API Data — Limited Use Disclosure

Signal-Stack's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only access Google user data that is necessary to provide the pre-call intelligence features you have requested.
  • We do not use Google user data to serve advertisements.
  • We do not allow humans to read your Google data unless you have given explicit permission, it is necessary for security purposes, or it is required by law.
  • We do not transfer Google user data to third parties except as necessary to provide the Service, and only under written data processing agreements. Specifically, we transmit the following categories to Anthropic, PBC (Claude API) to synthesize your briefings:
    • Truncated excerpts (up to 400 characters each, up to ~24 messages per brief) of email threads between you and the meeting attendee.
    • Meeting titles, start times, and attendee email addresses from your Google Calendar.
    • Derived metadata (thread counts, reply rates, topic classifications, quality labels).
    • Gong call summaries and transcripts, when Gong is connected.
    Anthropic's published Data Processing Agreement (anthropic.com/legal/dpa) governs this processing; we have requested execution of that DPA and are awaiting Anthropic's counter-signature. Anthropic does not use API inputs to train its models. Prompt caching at Anthropic is not enabled for our account.
  • We do not use Google user data for purposes unrelated to improving user-facing features of the Service.

OAuth Scopes we request:

  • https://www.googleapis.com/auth/gmail.readonly — Read Gmail threads involving your prospects
  • https://www.googleapis.com/auth/gmail.send — Send briefing emails to your own address
  • https://www.googleapis.com/auth/calendar.readonly — Read your calendar to identify upcoming meetings

You may revoke these permissions at any time via your Google Account settings or by disconnecting in the Signal-Stack dashboard.

6. Data Storage and Security

6.1 Storage

Your data is stored on Cloudflare's global edge network using Cloudflare Workers KV (edge-replicated, read from nearest region) and D1 (SQLite). The D1 primary database region is Cloudflare's Eastern North America (ENAM) location (Ashburn, Virginia, United States); read replicas are served from the nearest edge location. Workers KV is eventually consistent across Cloudflare's global network. All data is encrypted in transit (TLS 1.2+); OAuth tokens and other sensitive values are additionally encrypted at rest using AES-256-GCM at the application layer before being written to KV.

For users in the European Economic Area and the United Kingdom, we rely on Cloudflare's Standard Contractual Clauses (SCCs) under its Customer Data Processing Addendum for international transfers.

6.2 Security Measures

  • Encryption at rest: OAuth tokens are encrypted using AES-256-GCM with a per-record random IV before storage.
  • Encryption in transit: All data is transmitted over HTTPS/TLS. No unencrypted connections are accepted.
  • Authentication: Sessions are signed with HMAC-SHA256. Passwords are hashed using PBKDF2 with 100,000 iterations.
  • Access controls: Each user can only access their own data. Ownership verification is enforced on every request.
  • Rate limiting: All endpoints are rate-limited to prevent abuse.

6.3 Data Retention

  • Account data is retained until you delete your account.
  • OAuth tokens expire and are refreshed automatically. Disconnect behavior is described in detail below.
  • Cached intelligence data (call history, Gmail analysis) is stored for up to 12 hours to improve performance, then automatically purged.
  • LinkedIn connection data is retained for 90 days from upload, then automatically purged. You may delete your data at any time.
  • Contact enrichment data (CRM, LinkedIn profile lookups) is cached for 24 hours, then expires.
  • Generated briefing content is stored with your brief history until you delete it, request erasure, or delete your account. Each brief contains: (a) the AI-synthesized brief narrative, which may paraphrase or summarize email conversations with the meeting attendee; (b) derived statistical metadata (thread counts, reply rates, topic classifications, quality labels, communication-pattern signals); (c) meeting title, start time, and attendee email addresses. Raw Gmail message bodies are not persisted to our database — they are fetched into memory, analyzed, and discarded at the end of each brief generation. You may delete individual briefs or all briefs at any time from the dashboard.
  • Disconnecting a connector (e.g., Google) (a) revokes the OAuth token at the provider, (b) removes it from our key-value store, (c) invalidates short-term analysis caches via a revocation marker aligned to the cache lifetime, and (d) clears Gmail-derived metrics (thread counts, response-latency averages) that you contributed to your organization's contact analytics. Generated briefs and their AI-synthesized narrative (which may paraphrase Gmail content) remain accessible in your brief history until you delete them individually, delete all briefs, request erasure for a specific contact, or delete your account.

7. Data Sharing and Disclosure

We do not sell your personal data. We share data only in the following circumstances:

  • Service providers (subprocessors):
    • Anthropic, PBC — Claude API for brief synthesis. Processes truncated email excerpts, meeting titles/attendees, and derived metadata. Does not use API input for model training. DPA.
    • Cloudflare, Inc. — Hosting (Workers, Pages, D1 database, KV store). Encrypts data at rest and in transit. DPA.
    • Resend (Resend, Inc.) — Transactional email delivery for authentication emails and, if you do not connect Google, brief delivery. DPA.
    • Stripe, Inc. — Payment processing. Does not receive Google user data. DPA.
    Each subprocessor processes data only as necessary to provide their service.
  • MCP (Model Context Protocol) API: Signal-Stack publishes a JSON-RPC endpoint at mcp.signal-stack.io that allows clients authenticated with a personal API key (prefix ss_live_) to retrieve their own briefs, today's and this week's meetings, and contact data. Access requires a valid per-user token that you generate and control from Settings → API Keys; no third-party access is granted without your explicit token issuance.
  • Legal requirements: We may disclose data if required by law, subpoena, or other legal process, or to protect the rights, property, or safety of Signal-Stack, our users, or the public.
  • Business transfers: If Signal-Stack is acquired or merges with another company, your data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
  • With your consent: We may share data in other ways if you have explicitly consented.

8. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion / Erasure: Request deletion of your account and associated data. You can also request erasure of a specific data subject's records via our API (POST /api/privacy/erasure) or by contacting us.
  • Portability: Export all your data in machine-readable JSON format via the dashboard or API (GET /api/privacy/export).
  • Restriction of processing: Request that specific contacts be excluded from overlap analysis and other processing via our API (POST /api/privacy/restrict) or by contacting us.
  • Objection: Object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Withdrawal of consent: Disconnect Google, LinkedIn, Salesforce, HubSpot, or other integrations at any time from your dashboard settings. Disconnecting removes tokens and associated cached data.

8.1 Third-Party Data Subject Rights

If your personal data has been uploaded to Signal-Stack by another user (e.g., as part of a LinkedIn connection export), you may exercise your rights by contacting us at the email below. We will process erasure and restriction requests within 30 days.

To exercise any of these rights, use our online privacy request form or contact us at privacy@signal-stack.io. We will respond within 30 days.

9. Cookies

We use strictly necessary cookies only:

  • Session cookie (__Host-ss_session): An HMAC-signed cookie that maintains your authenticated session. It is HttpOnly, Secure, and SameSite=Lax. It expires after 24 hours.

We do not use advertising cookies, analytics cookies, or third-party tracking cookies.

10. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us at privacy@signal-stack.io and we will promptly delete it.

11. International Data Transfers

Your data may be processed in countries outside your own, including the United States. When we transfer data from the European Economic Area (EEA), we rely on Standard Contractual Clauses or other approved transfer mechanisms.

12. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • The right to know what personal information we collect, use, disclose, and sell.
  • The right to delete personal information we have collected.
  • The right to opt out of the sale of personal information. (We do not sell personal information.)
  • The right to non-discrimination for exercising your privacy rights.

To submit a California privacy request, use our online privacy request form or email privacy@signal-stack.io.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by a prominent notice on the Service. The "Last updated" date at the top of this page reflects the most recent revision.

Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Nofluff Advisory LLC d/b/a Signal-Stack
Email: privacy@signal-stack.io
Website: www.signal-stack.io
© 2026 Nofluff Advisory LLC d/b/a Signal-Stack. All rights reserved.