GDPR / EU Data Rights
Last updated: April 9, 2026 · Undersignal · Jupiter, Florida
If you are in the European Union, European Economic Area (EEA), or United Kingdom, the General Data Protection Regulation (GDPR) grants you specific rights over your personal data. This page explains what those rights are, what data we hold, and how to exercise your rights.
1. Who We Are (Data Controller)
The data controller for personal data processed through Undersignal is:
As a US-based company with EU users, we are subject to GDPR requirements when processing the personal data of individuals in the EU/EEA.
2. What Data We Hold About You
Depending on how you use Undersignal, we may hold the following categories of personal data:
- Account data: Email address, hashed password, account creation date, subscription status.
- Usage data: Analysis history (content you submitted and reports generated), timestamps, feature usage.
- Technical data: IP address (in server logs), browser type, OS, session tokens.
- Billing data: Subscription plan, payment history (managed by Stripe — we don't store card details).
We do not process sensitive categories of personal data (health, biometric, racial/ethnic origin, political opinions, etc.).
3. Your GDPR Rights
Under GDPR, you have the following rights regarding your personal data:
📋 Right of Access (Art. 15)
Request a copy of all personal data we hold about you, including what it is, why we have it, and who we share it with.
✏️ Right to Rectification (Art. 16)
Request correction of inaccurate or incomplete personal data we hold about you.
🗑️ Right to Erasure (Art. 17)
Request deletion of your personal data ("right to be forgotten"). We will delete your data unless we are legally required to retain it.
⏸️ Right to Restriction (Art. 18)
Request that we restrict processing of your data — for example, while you contest its accuracy or object to how we're using it.
📦 Right to Portability (Art. 20)
Receive your personal data in a structured, machine-readable format (e.g., JSON or CSV) and have it transferred to another controller where technically feasible.
🚫 Right to Object (Art. 21)
Object to processing of your personal data based on legitimate interests, including profiling. We will stop unless we have compelling legitimate grounds.
You also have the right not to be subject to fully automated decision-making that produces legal or similarly significant effects. Undersignal analysis reports are provided as informational tools — no automated decisions are made about your rights or status based on them.
4. How to Exercise Your Rights
Email us at privacy@undersignal.ai with your request. Please include:
- Your name and the email address associated with your Undersignal account.
- A description of the right you wish to exercise (access, erasure, portability, etc.).
- Any specific details that help us locate your data.
We will respond within 30 days. If your request is complex, we may extend this by up to 60 additional days, but we'll let you know promptly if that's the case.
We do not charge a fee for GDPR requests unless they are manifestly unfounded or excessive.
5. Lawful Basis for Processing
We process your personal data under the following lawful bases (GDPR Art. 6):
- Contract (Art. 6(1)(b)): Processing your account data and running analyses is necessary to perform the service contract you agreed to when signing up.
- Legitimate Interest (Art. 6(1)(f)): Security monitoring, fraud prevention, and improving the service. We have conducted legitimate interest assessments for these activities and found them proportionate.
- Legal Obligation (Art. 6(1)(c)): Retaining billing records as required by applicable law (e.g., tax regulations).
6. Data Transfers Outside the EU
Undersignal is operated from the United States. By using the service, your personal data may be transferred to and processed in the US.
We take the following safeguards for international transfers:
- Supabase (database/auth) — may process data in the US. Supabase has Standard Contractual Clauses (SCCs) in place for EU data transfers.
- Stripe (payments) — operates globally; relies on SCCs and the EU-US Data Privacy Framework where applicable.
- Anthropic (AI processing) — US-based; your submitted text is processed under their API terms and privacy policy. We minimize account identifier transmission.
- Render (hosting) — US-based infrastructure; data in transit protected by TLS.
- Resend (email) — US-based; email delivery covered by their privacy policy and SCCs.
Standard Contractual Clauses are European Commission-approved legal instruments that provide adequate safeguards for transferring personal data from the EU to third countries. You may request copies of applicable SCCs by emailing privacy@undersignal.ai.
7. Data Processing Agreement (DPA)
If you use Undersignal in a business context and require a Data Processing Agreement — for example, to comply with your own GDPR obligations — email privacy@undersignal.ai. We will provide a DPA on request.
8. Data Retention
- Account and usage data is retained while your account is active.
- Upon account deletion or erasure request, personal data is deleted within 30 days.
- Billing records may be retained for up to 7 years as required by applicable tax and accounting law.
- Anonymized aggregate usage data (not linked to individuals) may be retained indefinitely for service improvement.
9. Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your national data protection supervisory authority.
A directory of EU/EEA supervisory authorities is available at:
edpb.europa.eu — Board Members & Supervisory Authorities
UK residents may contact the Information Commissioner's Office (ICO).
We'd appreciate the opportunity to address your concerns directly first — please contact us at privacy@undersignal.ai before filing a complaint.
10. Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These include:
- TLS encryption for all data in transit.
- Hashed password storage via Supabase Auth.
- Access controls limiting who can access production data.
- Session token expiry and secure cookie flags.
11. Contact
All GDPR and data rights inquiries:
For full details on how we collect and use data, see our Privacy Policy.