Privacy Policy

Effective date: 2026-04-11 · Version 1.0 · signalbench.io

1. Who we are

SignalBench ("we", "us") operates the SignalBench platform at signalbench.io. We are the data controller for personal data collected about SignalBench account holders. For leads collected through landing pages published via SignalBench, we act as a processor on behalf of the account holder running the campaign.

2. What we collect

2.1 Account information (from Google OAuth)

• Name
• Email address
• Google profile ID
• Profile picture URL (if available)

2.2 Content you submit

• Startup idea descriptions and supporting details
• Chat messages with our AI assistant
• Campaign configurations (budgets, geography, audience, channels)
• Approved or rejected AI-generated creatives

2.3 Usage data

• Pages visited, features used, and interactions within the app
• Device type, browser, approximate location (derived from IP address)
• Session timestamps and error logs

2.4 Leads captured via published landing pages

When a visitor submits the lead capture form on a public landing page (/lp/[slug]), we collect the fields they fill in — typically email address and any optional fields you configured. These leads belong to the account holder running the campaign; SignalBench only stores and displays them on your behalf.

3. How we use your data

• To operate the Service: authenticate you, store your projects, display your campaigns, generate AI responses.
• To improve the product: analyze aggregate usage patterns, debug errors, build new features. We do not train public AI models on your content without your explicit opt-in.
• To communicate: send you service emails (account notifications, billing, security alerts) and — only if you opt in — product updates.
• To comply with law: respond to valid legal requests and enforce our Terms of Service.

4. AI processing (Google Gemini)

SignalBench sends your messages and project data to Google's Gemini API to generate responses, campaign assets, and validation verdicts. Google's handling of API data is governed by their Gemini API Terms. Per Google's current policy, paid API usage is not used to improve Google's models; free-tier usage may be. If you require strict data isolation, contact us about enterprise options.

5. Third parties we share data with

• Google (OAuth + Gemini API): for authentication and AI processing.
• Google Ads, Meta Ads, TikTok Ads (if connected): to launch and manage campaigns on your behalf. Each platform has its own privacy policy governing its handling of the data you transmit when you connect your ad account.
• Cloud infrastructure providers for hosting (database, compute, storage). They are contractually bound to process data only on our instructions.
• Analytics and error monitoring (if enabled): anonymized session data to debug issues and improve performance.

We do not sell your personal data.

6. Cookies and tracking

We use strictly necessary cookies (authentication session, CSRF token) and — where allowed — analytics cookies to understand product usage. EU/EEA visitors see a consent banner before non-essential cookies are set. You can manage your preferences at any time via the cookie settings link in the footer.

7. How long we keep data

• Account data: as long as your account is active, plus 30 days after deletion for backup rotation.
• Projects and campaigns: stored while the project exists. Deleted projects are purged within 30 days.
• Leads captured via landing pages: retained for the duration of the project and exported to the account holder on request. Account holders are responsible for onward deletion requests from data subjects.
• Logs and usage data: up to 90 days, unless required for security investigation.

8. Your rights

Depending on your jurisdiction, you have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Delete your data ("right to erasure")
• Object to or restrict processing
• Export your data in a portable format
• Withdraw consent at any time for any processing based on consent
• File a complaint with your local data protection authority

To exercise any of these rights, email privacy@signalbench.io. For a complete step-by-step process for account and data deletion, see our Data Deletion page. We respond to every request within 30 days.

9. International transfers

SignalBench is operated from the European Union. If you access the Service from outside this region, your data may be transferred to and processed in jurisdictions with different data protection laws. Where required, we rely on Standard Contractual Clauses or equivalent safeguards for cross-border transfers.

10. Children

SignalBench is not directed to children under 16, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided data, contact us and we will delete it.

11. Security

We protect your data with industry-standard controls: TLS in transit, encryption at rest for sensitive fields, access controls, audit logging, and secret management via Google Cloud Secret Manager. Read the full rundown on our Security Practices page. If you discover a vulnerability, please report it to security@signalbench.io.

12. Changes to this Policy

Material changes will be announced via email or in-app notification at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.

13. Contact

Data Protection contact: privacy@signalbench.io
General questions: hello@signalbench.io