Your privacy matters to us. This policy explains how Signature collects, uses, and protects your personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

Data Controller

Signature is the data controller responsible for your personal data. If you have questions about how we handle your data, contact us at privacy@creativesignature.app.

What We Collect

We collect the following categories of personal data:

• Account information: Email address and password (stored securely via Supabase Authentication)
• Work samples: Project URLs, descriptions, and content you share for analysis
• Generated content: Your signature statements, evidence links, and positioning drafts
• Usage data: Session information, resonance feedback, and refinement history
• Security logs: IP address, browser type, login attempts, and authentication events (retained for 90 days)
• Technical data: Browser fingerprint (hashed) for session security

Legal Basis for Processing

We process your data based on the following legal grounds:

• Contract performance: To provide the Signature service you requested, including analyzing your work and generating signatures
• Legitimate interests: To improve our service, prevent fraud, and ensure security
• Legal obligations: To comply with applicable laws and respond to lawful requests
• Consent: For optional features like marketing communications (you can withdraw consent anytime)

How We Use Your Information

We use the work samples you provide to analyze your creative patterns and generate your signature statement. Your content is processed through our AI systems to identify the unique way you approach your work.

We never sell your data. We may use anonymized, aggregated insights to improve our pattern recognition, but your individual work samples and signatures remain yours.

Third-Party Processors

We use the following service providers to deliver Signature:

• Supabase: Authentication and user management (US-based)
• Anthropic: AI processing for pattern analysis and signature generation (US-based)
• Google: AI processing for pattern analysis and signature generation (US-based)
• Railway: Backend infrastructure and database hosting (US-based)
• Vercel: Frontend hosting and content delivery (US-based)
• Stripe: Payment processing for premium features (US-based)

All processors are bound by data processing agreements and maintain appropriate security measures. Data transfers to the US are protected by Standard Contractual Clauses (SCCs) approved by the European Commission.

Data Retention

We retain your data for the following periods:

• Anonymous sessions: Automatically expire and are deleted after a period of inactivity
• Account data: Retained until you delete your account
• Security logs: Retained for 90 days, then automatically deleted
• Deleted accounts: After you request deletion, your data is retained for 30 days (allowing account recovery), then permanently deleted

Your Rights

Under GDPR, you have the following rights regarding your personal data:

• Access (Article 15): Request a copy of your personal data
• Rectification (Article 16): Correct inaccurate or incomplete data
• Erasure (Article 17): Request deletion of your data ("right to be forgotten")
• Restrict processing (Article 18): Limit how we use your data
• Data portability (Article 20): Receive your data in a portable format (available via Settings → Export Data)
• Object (Article 21): Object to processing based on legitimate interests
• Withdraw consent: Where processing is based on consent, withdraw it at any time

To exercise these rights, visit your account Settings or contact us at privacy@creativesignature.app. We will respond within 30 days.

Cookies and Local Storage

We use the following technologies to operate Signature:

• Authentication cookies: Essential for keeping you signed in (managed by Supabase)
• Session storage: Stores your current session ID and progress
• Local storage: Remembers your preferences and draft edits

We do not use advertising or tracking cookies. All cookies are essential for the service to function.

Security

We implement appropriate technical and organizational measures to protect your data, including:

• Encryption in transit (HTTPS/TLS) and at rest
• Secure password hashing via Supabase Authentication
• Rate limiting to prevent brute-force attacks
• Security event logging and monitoring
• Regular security audits of our infrastructure

Children's Privacy

Signature is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

Complaints

If you believe we have not handled your data properly, you have the right to lodge a complaint with your local data protection supervisory authority. We encourage you to contact us first so we can address your concerns directly.

Changes to This Policy

We may update this policy from time to time. If we make significant changes, we'll notify you through the service or by email. The "Last updated" date at the top indicates when changes were last made.

Contact Us

For privacy-related questions or to exercise your rights, contact us at privacy@creativesignature.app.

For general inquiries, reach out at hello@creativesignature.app.