Privacy Policy

Effective: February 22, 2026 · Last updated: February 23, 2026

The short version: We never store your conversation text. It is sent to OpenAI for analysis and discarded immediately. We only store the AI-generated results (your score, detected patterns, and recommendations) — not the raw messages.

1. Who we are (Data Controller)

SIGNAL is an AI-powered relationship communication analysis service operated by Audexum (“we,” “us,” or “our”). For the purposes of the EU General Data Protection Regulation (GDPR), Audexum is the data controller.

Service URL: readmysignal.com
Data protection contact: [email protected]

We will appoint a formal Data Protection Officer (DPO) when our processing activities reach the scale requiring one under GDPR Article 37. Until then, all data protection inquiries should be directed to [email protected].

2. What data we collect

What we do NOT collect:

  • Your conversation text — never written to disk or any database
  • Names, phone numbers, or personal identifiers of any party in the conversation
  • Device fingerprints or advertising identifiers
  • Location data or GPS coordinates

2a. Scan data (all users):

  • A one-way SHA-256 hash of your conversation text (used only to detect duplicate submissions — cannot be reversed to recover your messages)
  • The AI analysis result: toxicity score (0–100), severity level, detected communication pattern names, health summary, and recommended next steps
  • Your selected relationship type (e.g., "Partner") and duration (e.g., "Several months")
  • A randomly generated referral code linked to your scan
  • Payment status and plan type — processed by Stripe; we never receive card numbers or banking details
  • Standard server logs: IP address, timestamp, HTTP method — retained for 30 days and automatically deleted

2b. Screenshot images (if uploaded):

If you upload screenshots for text extraction, the images are transmitted to OpenAI for optical character recognition (text extraction) only. We do not store the images, perform facial recognition, extract biometric data, or analyse any images beyond extracting their text content. Images are discarded immediately after text extraction is complete. Screenshots may contain personal data of third parties (names, profile photos) — you are responsible for ensuring you have the right to submit that content.

2c. Account data (registered users only):

  • Email address and display name
  • Password — stored as a one-way bcrypt hash; we cannot recover your plaintext password
  • Profile image URL (if provided via Google OAuth)
  • Session tokens (stored as secure, HTTP-only cookies for authentication)
  • Google account ID and OAuth tokens (if you choose to sign in with Google)

2d. Cookies and session data:

We use strictly necessary cookies to maintain your authenticated session. These are HTTP-only, secure session tokens set by our authentication provider. We do not use advertising cookies or tracking pixels.

We use PostHog for product analytics. PostHog sets a first-party cookie to distinguish unique visitors and track user journeys through the app (e.g. which steps users complete before paying). We also enable session recordings, which capture mouse movements and clicks on our pages — conversation text and passwords are never recorded. This processing is based on our legitimate interest (Art. 6(1)(f) GDPR) in understanding and improving how users experience the Service. You may opt out by enabling “Do Not Track” in your browser, which PostHog respects.

3. Legal basis for processing (GDPR)

For users in the European Economic Area (EEA) and UK, we process your data under the following legal bases:

Contract performance (Art. 6(1)(b)):

Processing your scan data, generating your report, managing your account, and processing payments — necessary to deliver the Service you requested.

Legitimate interests (Art. 6(1)(f)):

Retaining server logs for 30 days to detect abuse, fraud, and security incidents. Our legitimate interest in security and service integrity outweighs the minimal privacy impact of temporary log retention.

Collecting product analytics and session recordings via PostHog to understand how users navigate the Service and identify usability issues. Our legitimate interest in improving the Service outweighs the privacy impact, given that we do not record conversation content, passwords, or payment details, and users can opt out via their browser's Do Not Track setting.

Explicit consent — special category data (Art. 6(1)(a) and Art. 9(2)(a)):

The AI analysis results generated by SIGNAL may constitute data from which information about your mental or emotional health can be inferred (GDPR Recital 35). This may qualify as special category data under Article 9 of the GDPR. By submitting a conversation for analysis and checking the consent box in the analysis flow, you explicitly consent to this processing. You may withdraw this consent at any time by contacting [email protected], at which point we will delete your scan data within 30 days.

Data Protection Impact Assessment: We have conducted a Data Protection Impact Assessment (DPIA) in accordance with GDPR Article 35 to evaluate the risks of our automated analysis of relationship communication patterns. This assessment is available to the Bulgarian Commission for Personal Data Protection (CPDP) upon request.

4. How we use your data

We use your data to:

  • Generate and display your analysis report
  • Allow you to return to your report via your unique report URL
  • Process payments and manage subscription billing through Stripe
  • Track referral conversions (counting how many people used your invite link)
  • Detect and prevent duplicate scans (via SHA-256 hash comparison)
  • Maintain service security and investigate abuse (via temporary server logs)
  • Analyse how users navigate the Service to identify usability issues and improve conversion flows (via PostHog analytics and session recordings)

We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes.

Email communications: We may send transactional emails related to your account, purchases, and service updates. If we send promotional emails, you can unsubscribe at any time using the link in the email. We will honour unsubscribe requests within 10 business days.

5. The AI analysis and third-party processors

AI-generated output disclosure (EU AI Act, Art. 50): All analysis results, toxicity scores, communication pattern identifications, and recommendations generated by SIGNAL are produced entirely by an artificial intelligence system (OpenAI GPT-4o mini large language model). No human reviews or verifies individual results. AI-generated outputs are probabilistic assessments and may contain errors, biases, or inaccuracies. They are not clinical assessments, expert opinions, or factual determinations.

OpenAI API: Your conversation text is transmitted to OpenAI's API for AI analysis. OpenAI processes this data as a data processor acting on our behalf, under their Privacy Policy and Data Processing Addendum. We use the paid API tier under terms that prohibit OpenAI from training models on your data. After the analysis result is returned, the conversation text is discarded and not retained by us.

Stripe: All payments are handled by Stripe under their Data Processing Agreement. We never see or store your card number, CVV, or banking details. Stripe provides us only with a payment confirmation status and your chosen plan type.

Resend: Post-purchase confirmation emails and transactional account notifications are delivered by Resend under their Data Processing Agreement. They receive your email address for delivery purposes only and do not use it for marketing or profiling.

PostHog: We use PostHog for product analytics and session recordings. PostHog receives anonymised event data (e.g. pages visited, buttons clicked, funnel steps completed), your IP address (used for approximate geolocation then discarded), and session recordings of your interactions with our pages. Conversation text, passwords, and payment details are never captured. PostHog acts as a data processor under their Privacy Policy and Data Processing Agreement. Data is stored on PostHog's US servers.

6. International data transfers

OpenAI, Stripe, Resend, and PostHog are US-based companies. When we send your conversation text to OpenAI for analysis, process payments through Stripe, deliver emails through Resend, or send analytics events to PostHog, your data may be transferred to and processed in the United States.

These transfers are protected by the following mechanisms:

  • OpenAI: Standard Contractual Clauses (SCCs) incorporated into OpenAI's Data Processing Addendum, including the UK International Data Transfer Addendum.
  • Stripe: SCCs incorporated into Stripe's Data Processing Agreement.
  • Resend: SCCs incorporated into Resend's Data Processing Agreement.
  • PostHog: SCCs incorporated into PostHog's Data Processing Agreement. Analytics data is pseudonymous and limited to behavioural events — no conversation content is transferred.

We have assessed the laws and practices of the United States in relation to these transfers and concluded that, together with contractual, technical, and organisational measures (including encryption in transit, data minimisation, and no-training clauses), they provide adequate protection for your personal data.

7. Data retention

Conversation text: Never stored — discarded immediately after analysis.

Screenshot images: Never stored — discarded immediately after text extraction.

Scan analysis results: Retained so you can return to your report via your unique URL. If you have not accessed your report in over 12 months and hold no active subscription, we may delete it. Contact us at [email protected] to request deletion at any time.

Account data: Retained for as long as your account is active. You may request account deletion at any time.

Server logs: Automatically deleted after 30 days.

Consent records: Records of your consent (Article 9 consent for special category data, subscription consent) are retained for 3 years to demonstrate compliance.

8. Your rights

EU/EEA users (GDPR):

  • Right to access the data we hold about you (Art. 15)
  • Right to correction of inaccurate data (Art. 16)
  • Right to erasure / “right to be forgotten” (Art. 17)
  • Right to data portability (Art. 20)
  • Right to object to processing based on legitimate interests (Art. 21)
  • Right to restriction of processing (Art. 18)
  • Right to withdraw consent at any time where processing is based on consent (Art. 7)
  • Right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP) (Art. 77)

UK users (UK GDPR):

If you are based in the United Kingdom, your data protection rights are governed by the UK GDPR, which mirrors the EU GDPR. You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO).

California residents (CCPA/CPRA):

You have the right to know what personal information we collect and how it is used, the right to request deletion, the right to correct inaccurate personal information, and the right to opt out of the sale or sharing of personal information. We do not sell or share your personal information. To exercise your rights, contact us at [email protected].

Virginia, Colorado, Connecticut and other US state residents:

Residents of states with comprehensive privacy laws (including Virginia VCDPA, Colorado CPA, and Connecticut CTDPA) have rights including: access, correction, deletion, data portability, and opt-out of targeted advertising, profiling, and sale of personal data. We do not sell your data or use it for targeted advertising. To exercise any right, contact us at [email protected].

Canadian residents (PIPEDA):

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws, you have the right to access and correct your personal information, and to withdraw consent for its collection, use, or disclosure. Contact [email protected] to exercise these rights.

To exercise any right listed above, contact us at [email protected]. We aim to respond within 30 days.

9. Data breach notification

We maintain appropriate technical and organisational security measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the Bulgarian Commission for Personal Data Protection (CPDP) within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
  • Notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms (GDPR Article 34), including details of the breach, its likely consequences, and the measures we are taking to address it.

All security incidents, including those that do not meet the notification threshold, are logged internally in our breach register.

10. Children

SIGNAL is designed for adults and is not directed at children under the age of 18. While users aged 13–17 are not prohibited from accessing free features, we strongly encourage minors to discuss relationship concerns with a trusted adult, school counsellor, or one of the crisis resources listed on this site rather than relying on AI analysis.

We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has submitted data to us, we will delete it promptly. If you are a parent or guardian and believe your child has used our Service, contact us at [email protected] immediately.

11. Changes to this policy

We may update this policy from time to time. The “last updated” date at the top will always reflect the most recent version. For material changes, we will notify registered users by email or via a notice on the Service at least 14 days before the change takes effect. Continued use of SIGNAL after changes constitutes acceptance of the updated policy.

12. Contact

Questions, data access requests, correction or deletion requests:

[email protected]

We aim to respond to all requests within 30 days.