Privacy Policy
Last updated: 11 March 2026
1. Introduction
SignalSprint (“we”, “us”, “our”) is a speed-to-lead conversion platform operated by Powleads. We are committed to protecting and respecting your privacy. This policy explains how we collect, use, store, and share personal data when you visit our website at signalsprint.io, use our platform, or interact with our services.
For the purposes of UK GDPR, the EU General Data Protection Regulation (“GDPR”), and the California Consumer Privacy Act (“CCPA”), SignalSprint acts as both a data controller and a data processor, depending on the context described below.
2. When We Are Controller vs Processor
SignalSprint as Data Controller
We act as the data controller when we determine the purposes and means of processing. This includes:
- User account registration and management
- Billing and subscription processing
- Website analytics and product improvement
- Demo requests and sales enquiries
- Marketing communications (where you have opted in)
- Customer support interactions
SignalSprint as Data Processor
We act as a data processor on behalf of our customers (the data controllers) when processing their end-user data. This includes:
- Lead data received from Facebook Lead Ads via customer-authorised integrations
- Behavioural tracking data collected through the Boost snippet installed on customer websites (page views, scroll depth, clicks, time on page)
- Intent scoring calculations that classify leads as HOT, WARM, or COLD based on behavioural signals
- Widget interactions and form submissions on customer-branded pages
When we act as a processor, your customer’s privacy policy governs the processing of their end-user data. We process such data only on documented instructions from the customer. Our standing Data Processing Agreement (“DPA”), compliant with GDPR Article 28, is published at /legal/dpa. For a counter-signed copy, contact [email protected].
3. Data We Collect
3.1 Information You Provide Directly
- Account information: name, email address, phone number, organisation name
- Billing information: payment card details (processed and stored by Stripe — we do not store full card numbers)
- Demo and enquiry data: website URL, business type, message content
- Support communications: emails, chat messages, feedback
3.2 Information Collected Automatically
- Usage data: pages visited, features used, actions taken within the dashboard
- Device information: browser type, operating system, screen resolution, device identifiers
- Network data: IP address, general geographic location (city/country level)
- Cookie data: authentication tokens, session identifiers, analytics identifiers (see our Cookie Policy)
3.3 Customer End-User Data (Processed on Behalf of Customers)
- Lead form data: names, emails, phone numbers, and custom fields submitted through Facebook Lead Ads
- Behavioural data: page views, scroll depth, click events, time on page, form interactions (collected via the Boost snippet)
- Intent scores: calculated temperature classifications (HOT/WARM/COLD) based on aggregated behavioural signals
4. Legal Basis for Processing
Under UK GDPR and EU GDPR, we rely on the following lawful bases:
| Purpose | Lawful Basis |
|---|---|
| Account creation and service delivery | Performance of a contract (Art. 6(1)(b)) |
| Billing and subscription management | Performance of a contract (Art. 6(1)(b)) |
| Website analytics and product improvement | Consent (Art. 6(1)(a)) via cookie banner |
| Marketing emails and communications | Consent (Art. 6(1)(a)) |
| Security, fraud prevention, abuse detection | Legitimate interest (Art. 6(1)(f)) |
| Legal and regulatory compliance | Legal obligation (Art. 6(1)(c)) |
| Processing end-user data on behalf of customers | Customer’s instructions under DPA (Art. 28) |
5. How We Use Your Data
We use personal data to:
- Provide, maintain, and improve our platform and services
- Process subscriptions, payments, and invoicing
- Send transactional emails (account confirmations, billing receipts, service notifications)
- Send marketing communications where you have opted in (you can unsubscribe at any time)
- Respond to support requests and enquiries
- Analyse usage patterns to improve product features and user experience
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
6. Third-Party Sub-Processors
We share personal data with the following categories of third-party service providers, each bound by data processing agreements:
| Provider | Purpose | Location |
|---|---|---|
| Convex | Real-time database and backend infrastructure | EU (eu-west-1) |
| Clerk | User authentication and identity management | United States |
| Stripe | Payment processing and subscription billing | United States / EU |
| PostHog | Product analytics (with consent) | EU |
| Composio | Facebook Lead Ads integration and data sync | United States |
| Resend | Transactional email delivery | United States |
| Railway | Application hosting and deployment | United States |
We do not sell, rent, or trade your personal data. We only share data with third parties as described in this policy or with your explicit consent.
7. International Data Transfers
Our primary database is hosted in the EU (eu-west-1 via Convex). However, some sub-processors are located in the United States. Where personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs): approved by the European Commission and adopted by the UK Information Commissioner’s Office as the International Data Transfer Agreement / Addendum
- EU-U.S. Data Privacy Framework: where the processor is certified under the DPF
- Adequacy decisions: where the destination country has been deemed adequate by the UK or EU
You may request a copy of the relevant transfer safeguards by contacting [email protected].
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:
| Data Category | Retention Period |
|---|---|
| User account data | Duration of account + 30 days after deletion |
| Billing and invoice records | 6 years (UK legal requirement for financial records) |
| Customer lead data (processor role) | Duration of customer subscription + 30 days (then deleted or returned) |
| Webhook logs | 90 days |
| Anonymous sessions / analytics | 30 days |
| Demo requests | 12 months |
| Support communications | Duration of account + 12 months |
When data is no longer required, it is securely deleted or anonymised.
9. Your Rights
9.1 UK and EU Residents (UK GDPR / EU GDPR)
You have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate or incomplete data
- Erasure — request deletion of your personal data (“right to be forgotten”)
- Restriction — request that we limit how we process your data
- Data portability — receive your data in a structured, machine-readable format (JSON)
- Objection — object to processing based on legitimate interests or direct marketing
- Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, email [email protected]. We will respond within 30 days.
9.2 California Residents (CCPA)
If you are a California resident, you have additional rights under the CCPA:
- Right to Know — what personal information we collect, use, and share
- Right to Delete — request deletion of your personal information
- Right to Opt-Out — we do not sell personal information, so this right does not apply
- Right to Non-Discrimination — we will not treat you differently for exercising your privacy rights
10. Automated Decision-Making and Profiling
SignalSprint uses automated intent scoring to classify leads as HOT, WARM, or COLD based on behavioural signals (page views, scroll depth, clicks, time on page, and form interactions). This scoring is used to prioritise follow-up actions for our customers’ sales teams.
This automated processing does not produce legal effects or similarly significantly affect individuals. It influences the order and urgency with which a sales representative contacts a lead, not whether they are contacted at all.
If you are a lead whose data is processed through our platform, you have the right to request human review of any automated scoring decision. Contact the business that collected your data (the data controller), or email us at [email protected] and we will direct your request appropriately.
11. Cookies
We use cookies and similar technologies for authentication, analytics, and storing your preferences. For full details on the cookies we use, how to manage them, and how to withdraw consent, see our Cookie Policy.
12. Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS/HTTPS on all connections)
- Encryption at rest for database storage
- Role-based access controls with principle of least privilege
- Regular security reviews and dependency updates
- Authentication via Clerk with multi-factor authentication support
- Webhook signature verification for all inbound integrations
No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at [email protected].
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to individuals’ rights and freedoms, we will:
- Notify the relevant supervisory authority (the ICO in the UK) within 72 hours of becoming aware of the breach
- Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms
- Notify our customers (as data controllers) without undue delay where we are acting as a processor, so they can fulfil their own notification obligations
- Document all breaches, including those that do not require notification, in our internal breach register
14. Children’s Privacy
SignalSprint is a business-to-business service intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a minor, we will delete it promptly. If you believe a minor has provided us with personal data, please contact us at [email protected].
15. Third-Party Links
Our website and platform may contain links to third-party websites. We are not responsible for the privacy practices of those websites. We encourage you to read the privacy policy of every website you visit.
16. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated by posting a notice on our website and, where appropriate, by email. We encourage you to review this page periodically. The “Last updated” date at the top indicates when this policy was most recently revised.
17. Complaints
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO):
- Website: https://ico.org.uk
- Telephone: 0303 123 1113
We would, however, appreciate the opportunity to address your concerns before you approach the ICO. Please contact us first at [email protected].
18. Contact Us
If you have any questions about this privacy policy or our data practices, please contact us:
- Email: [email protected]
- Website: signalsprint.io