Privacy Policy
1. Plain-English summary
Signal is an AI-powered tool that reads social media comments on accounts you own, classifies them by importance, and alerts you to the ones that need attention. To do that, we need to:
- store your account info (email, name) so you can sign in;
- receive comments and mentions from the social platforms you connect (YouTube, Instagram);
- send each comment to an AI service (Anthropic Claude) to classify it;
- save the results so you can read them in the dashboard.
We do not sell your data, run advertising on it, or train AI models on it. The full details are below.
2. Who we are
Signal is operated by VAC Studio ([TO FILL: full legal entity name, registration number, registered address]). For questions about this policy, contact us at [TO FILL: privacy@signal.gue.com.tr or another support email].
3. What we collect
3.1 Account data
- Email address, first and last name, phone number (optional)
- Telegram chat ID (optional, only if you choose to receive alerts there)
- Authentication metadata managed by Firebase Authentication (sign-in time, password reset events)
3.2 Workspace and configuration data
- Workspace name, organization names, channel labels you create
- API keys you provide for the platforms you connect (YouTube, Meta) — see Security for storage details
- Threshold and rule settings you configure
3.3 Social media content (the comments themselves)
When you connect a YouTube channel or an Instagram account you own, Signal receives the comments and mentions posted on that account by other people. For each, we store:
- The text of the comment
- The author's username on the source platform
- A link back to the original post
- The AI classification result and our priority score
The author of a comment is a user of the social platform (YouTube, Instagram), not a user of Signal. We process their public comments only because you, the operator of the receiving account, have asked us to. If a comment author wants their data removed, see Your rights.
3.4 Cookies
| Cookie | Purpose | Lifetime |
|---|---|---|
| __session | Firebase Authentication session — proves you are signed in | 5 days |
| sm_workspace | Remembers which workspace you last selected | 30 days |
We do not use third-party advertising or tracking cookies.
4. Third parties (sub-processors)
To deliver the service we use a small number of third parties. Each receives only the data needed for its function:
| Provider | Purpose | What we send |
|---|---|---|
| Google Cloud (Firestore, Cloud Run, Firebase Auth) | Hosting, database, authentication | Everything stored in the service |
| Anthropic (Claude API) | AI classification of each comment | The comment text + the system prompt. Anthropic does not train on API inputs by default. |
| Meta (Instagram, Facebook) | Webhook delivery of comments and mentions on the IG/FB accounts you connect | We receive data from Meta; we send our app credentials and access tokens to Meta APIs only as needed for hydration calls. |
| YouTube Data API (Google) | Reading comments on the YouTube channels you connect | Your YouTube API key + channel IDs |
| Telegram Bot API | Sending alerts to Telegram chat IDs you opt into | Alert text + your Telegram chat ID |
We do not sell your data, share it with advertising partners, or use it to train any AI model.
5. How we use the data
- To run the service — sign you in, receive your social comments, classify them, save them, alert you.
- To improve reliability — operational logs (HTTP requests, errors) are kept by Google Cloud Run for diagnostic purposes. These do not contain comment text by default.
- To respond to you — when you contact support.
We do not use the data for marketing, advertising, or to profile end users.
6. Data retention
- Account data: kept until you delete your account.
- Comments and mentions: kept until you delete the workspace or the connected channel, or until you request deletion.
- Cloud Run access logs: retained per Google Cloud's defaults (typically 30 days).
- Backups: we may retain Firestore backups for up to 30 days for disaster recovery.
7. Your rights
Depending on where you live (EU/UK GDPR, Turkey KVKK, California CCPA), you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data ("right to be forgotten")
- Export your data in a portable format
- Object to or restrict certain processing
- Withdraw consent where processing is based on consent
To exercise any of these, email [TO FILL: privacy contact email]. We respond within 30 days.
If you are a comment author whose data was ingested because someone using Signal connected an account you commented on, you can ask us to delete that data by emailing the same address with the comment URL or your username on the source platform.
8. Children's privacy
Signal is intended for use by businesses and adults. We do not knowingly collect data from children under 16. If you believe a child's data has been collected, contact us and we will delete it.
9. International data transfers
Our infrastructure runs primarily in Google Cloud's europe-west1 region (Belgium). Some sub-processors (Anthropic, Meta, Telegram) operate from the United States, so your data may be transferred internationally. Where required, we rely on Standard Contractual Clauses or equivalent legal mechanisms.
10. Security
- All data is transmitted over TLS (HTTPS).
- Stored data is encrypted at rest by Google Cloud (AES-256).
- Access is gated by Firebase Authentication and role-based permissions inside each workspace.
- API keys you provide are stored in our database. We are working on encrypting them at the application layer (tracked internally). Until that ships, treat any key in the system as one that should be rotated if it leaks elsewhere.
No system is perfectly secure. If you become aware of a vulnerability, please email [TO FILL: security contact email].
11. Contact
VAC Studio
[TO FILL: full address]
[TO FILL: support email]
12. Changes to this policy
We may update this policy from time to time. When we make material changes, we will notify you via email or a notice in the app at least 14 days before the change takes effect. The "Last updated" date at the top reflects the most recent revision.