SignalRise

Effective: April 23, 2026

Privacy Policy

This Privacy Policy (the “Policy”) describes how SignalRise (“SignalRise,” “we,” “us,” or “our”) collects, uses, shares, and protects information in connection with the SignalRise platform, websites, and related services (collectively, the “Service”). Capitalized terms not defined here have the meanings given in our Terms of Service.

01. Introduction and scope

This Policy applies to three audiences:

  • Clients — individuals and organizations that create, configure, and administer research projects through the Service;
  • Respondents — individuals invited by a Client to participate in an AI-moderated interview; and
  • Site visitors — anyone browsing SignalRise webpages without logging in or participating in an interview.

Where we describe our practices, we do so for all three audiences unless we state otherwise. Dedicated notices for Respondents, California residents, and EU/UK/Swiss residents appear in Sections 16, 17, and 18, respectively.

If you are a Respondent, the Client that invited you is an independent “controller” (or the equivalent under applicable law) of your personal data in addition to us. Please consult the Client’s own privacy notice for how that Client handles your data.

02. Summary at a glance

This summary is provided for convenience. It is not a substitute for the full Policy, which controls in the event of any inconsistency.

  • What we collect: account details from Clients; voice recordings, transcripts, and responses from Respondents; standard technical information from site visitors.
  • Why: to operate and improve the Service, generate research outputs, train and develop AI systems, maintain security, and comply with law.
  • Who we share with: categories of vetted service providers under written data-processing agreements; the inviting Client (for Respondent data); and, where required, legal authorities.
  • Your rights: depending on where you live, you may have rights to access, correct, delete, port, restrict, or object to the processing of your personal data, and to withdraw consent. Section 12 explains how to exercise them.
  • Contact: privacy@getsignalrise.com.

03. Information we collect

3.1 Information we collect from Clients

  • Account and contact information: your email address; any name, organization, or role you choose to provide; authentication identifiers (such as magic-link tokens and session cookies).
  • Project content: brand and company context you supply, research objectives, audience and respondent definitions, discussion topics and questions, screener questions, guide-review feedback, and other content you enter during Project setup.
  • Usage information: pages and features you access, actions you take within the Service, diagnostic logs, device and browser identifiers, IP address, and approximate location derived from IP.
  • Communications: correspondence you send to us and information associated with support requests.

3.2 Information we collect from Respondents

  • Invitation and identifier data: the tokenized link used to access an interview; any identifier or label the inviting Client associates with you.
  • Screener and interview responses: your answers to screener questions and to interview prompts, including tap-to-select selections, typed input, and free-form spoken content.
  • Voice recordings: audio recordings of your responses, captured per interview turn.
  • Transcripts: machine-generated transcripts produced from your recordings, including both real-time and higher-accuracy post-interview transcripts.
  • Technical and session information: IP address, browser and device metadata, connection quality, microphone permission state, session timestamps, turn timing, and interaction telemetry.
  • Volunteered personal information: any personal details you choose to disclose during the interview (which may include your name, employer, demographic information, opinions, location, or other information about you or third parties).

We do not intentionally collect biometric identifiers (in the GDPR or CCPA sense) from voice recordings. We do not use voice characteristics to identify or authenticate individuals. We ask Clients not to design Projects that solicit special-category or sensitive personal information. If you nonetheless disclose such information during an interview, Section 7 of our Terms of Service governs responsibility for that disclosure.

3.3 Information we collect from site visitors

  • Server logs: IP address, user-agent string, pages and resources requested, referring URL, and timestamps.
  • Cookies: strictly-necessary cookies used to maintain an authenticated session when you log in (see Section 14).

We do not currently deploy third-party analytics, advertising, or tracking pixels on our marketing pages. If we add them in the future, we will update this Policy and, where required, provide a separate cookie banner and consent mechanism.

04. Sources of information

We obtain information about you from the following sources:

  • Directly from you when you sign up, configure a Project, participate in an interview, or communicate with us;
  • From the inviting Client when you are a Respondent (including the identifier the Client assigns to you);
  • Automatically through your interaction with the Service (logs, cookies, device information); and
  • From our service providers when they return processed data to us (for example, a transcript generated from your audio).

05. How we use information

We use information for the purposes set out below:

  • Provide, maintain, secure, and support the Service — including authenticating users, hosting Project content, moderating interviews, generating transcripts, producing reports and analyses, enforcing usage limits, and providing customer support.
  • Generate research outputs for Clients — including AI-generated summaries, per-interview extractions, and cross-interview synthesis reports.
  • Process information through artificial-intelligence systems — we route content through categories of service providers (see Section 8) that perform large-language-model inference, speech-to-text transcription, and related AI tasks to produce the Service’s features.
  • Train, fine-tune, evaluate, validate, and develop AI models, features, and products — including SignalRise’s own artificial-intelligence models, prompts, methodology, and successor systems. We may use Inputs and Outputs for these purposes in identifiable form during early-stage product development, and indefinitely in de-identified, aggregated, synthetic, or derivative form. See also Section 7 for our AI-processing disclosure.
  • Conduct analytics, product research, benchmarking, and quality assurance on our own systems.
  • Send transactional and service-related communications such as magic-link login emails, account notices, security alerts, and product updates. Marketing messages are sent only where permitted and, where required, on the basis of separate opt-in.
  • Prevent, detect, and respond to fraud, abuse, and security events, and to protect our rights, property, and users.
  • Comply with applicable law and legal process, including responding to subpoenas, court orders, and regulatory requests, and enforcing our Terms of Service.
  • Effect corporate transactions, including in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, subject to this Policy and applicable law.

07. AI processing disclosure

Interviews on the Service are moderated by artificial intelligence, not by a human researcher. Questions you hear or read, and the pacing of the interview, are generated in real time by large-language-model systems. Outputs (including transcripts, summaries, and reports) are AI-generated and may contain errors, omissions, biases, misattributions, or hallucinations.

We use third-party service providers that perform large-language-model inference, speech-to-text transcription, and related AI tasks on our behalf. The service providers in these categories are, to the best of our knowledge at the time of this Policy, contractually committed not to use your data to train their own foundation models. We nonetheless reserve the right, as described in Section 5 and in our Terms of Service, to use Inputs and Outputs to train, fine-tune, evaluate, and develop SignalRise’s own models and products.

If you do not consent to this processing, please do not begin an interview.

08. Sharing and service providers

We rely on a vetted set of third-party service providers to operate the Service. For security reasons, we do not publicly name specific providers in this Policy. A current list of named sub-processors is available on written request to privacy@getsignalrise.com and is provided as part of any data-processing addendum executed with a Client. We disclose below the categories of service providers we use, which is the standard and accepted approach under Article 13(1)(e) of the GDPR and Section 1798.100(b) of the California Consumer Privacy Act.

Categories of service providers:

  • Cloud application hosting and content delivery;
  • Managed database, authentication, and file-storage infrastructure;
  • Large-language-model inference;
  • Speech-to-text and audio-transcription services;
  • Transactional email delivery;
  • Background job orchestration and workflow processing;
  • Error monitoring, observability, and performance telemetry.

Each service provider operates under a written data-processing agreement obligating it to process personal data only on our instructions and to maintain appropriate technical and organizational security measures. Where any provider processes data outside the data subject’s home jurisdiction, transfers are covered by Standard Contractual Clauses (including the UK Addendum and the Swiss DPA version, as applicable) or other lawful transfer mechanisms.

In addition to service providers, we may share information:

  • With the inviting Client, in respect of Respondent data associated with the Client’s Project. Once shared, that Client is an independent controller of the data and subject to its own privacy practices and applicable law;
  • With professional advisers (legal, accounting, insurance) under customary confidentiality obligations;
  • In response to legal process or regulatory requests, or to protect the safety, rights, or property of any person;
  • In connection with a corporate transaction such as a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, in which event the acquirer will be bound by this Policy (as amended on notice); and
  • With your consent or at your direction.

We do not “sell” personal information, and we do not “share” personal information for cross-context behavioral advertising, each as defined under the California Consumer Privacy Act as amended by the California Privacy Rights Act.

09. International data transfers

SignalRise is based in the United States, and our service providers primarily process personal data in the United States. If you are located outside the United States, your personal data will be transferred to, and processed in, the United States and other jurisdictions that may have data-protection laws that differ from those in your country.

For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards including the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, and the Swiss Data Protection Authority’s template, as applicable. A copy of the safeguards applicable to a specific transfer is available on request.

10. Retention

We retain personal information for as long as reasonably necessary to deliver the Service, pursue the purposes set out in this Policy, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:

  • Client account and Project content: retained for the life of the account and for a reasonable period thereafter to support account reactivation, auditing, and dispute resolution.
  • Interview audio recordings and transcripts: retained for as long as reasonably necessary to provide, improve, and develop the Service and associated AI systems, and to maintain the Client’s research deliverables. Retention is not subject to a fixed deletion schedule.
  • Research reports and Outputs: retained to enable ongoing access by the Client and to support product improvement.
  • Server logs and security data: retained for periods aligned with operational security and incident-response requirements.
  • De-identified, aggregated, synthetic, and derivative data: may be retained indefinitely, including after a deletion request. Once information is de-identified such that it can no longer reasonably be associated with an identifiable individual, it is no longer personal information for purposes of this Policy.
  • Backups: purged on a rolling cycle in line with our backup policy.

Where you exercise a right to delete personal information (see Section 12), we will honor the request in accordance with applicable law, subject to exceptions permitted by law (for example, legal-hold, fraud prevention, security, and limited internal record-keeping) and subject to the survival of de-identified, aggregated, and derivative data as described above.

11. Security

We use technical and organizational measures intended to protect personal information against unauthorized access, disclosure, alteration, and destruction. These measures include encryption of data in transit using industry-standard transport security, encryption of data at rest in our managed storage, role-based access controls, audit logging, and engineering review of changes to production systems.

No system can be guaranteed secure. We cannot and do not guarantee that personal information will not be accessed, disclosed, altered, or destroyed by breach of our controls. You use the Service at your own risk.

12. Your rights and choices

Depending on your location, you may have some or all of the following rights with respect to your personal information. We honor verified requests to the extent required by applicable law.

12.1 GDPR / UK GDPR (EU, UK, and Switzerland)

  • Right of access to, and a copy of, your personal data;
  • Right to rectification of inaccurate or incomplete data;
  • Right to erasure (the “right to be forgotten”);
  • Right to restriction of processing in certain circumstances;
  • Right to data portability in a structured, commonly-used format;
  • Right to object to processing based on legitimate interests, including for direct marketing;
  • Right to withdraw consent at any time, without affecting the lawfulness of prior processing;
  • Right to lodge a complaint with a supervisory authority, without prejudice to any other remedy.

12.2 California (CCPA as amended by CPRA)

  • Right to know what categories and specific pieces of personal information we have collected and how we use and share them;
  • Right to delete personal information we have collected, subject to permitted exceptions;
  • Right to correct inaccurate personal information;
  • Right to opt out of the “sale” or “sharing” of personal information (as noted in Section 8, we do not sell or share for cross-context behavioral advertising);
  • Right to limit our use and disclosure of sensitive personal information to purposes specified in the CCPA;
  • Right to non-discrimination for exercising your CCPA rights; and
  • Right to designate an authorized agent to make a request on your behalf.

12.3 Other U.S. state laws

Residents of other U.S. states with comprehensive privacy laws (including but not limited to Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Delaware, New Jersey, and Montana) may have similar rights under those laws. We will respond to verified requests in accordance with the applicable law.

12.4 Other jurisdictions

Residents of Brazil (LGPD), Canada (PIPEDA and provincial statutes), Australia (Privacy Act), Singapore (PDPA), South Africa (POPIA), and other jurisdictions may have rights under applicable law. We will respond to verified requests in accordance with that law.

12.5 How to exercise your rights

To exercise your rights, email privacy@getsignalrise.com with a description of your request and the jurisdiction under which you are asserting it. To protect your data, we will take reasonable steps to verify your identity before acting, and we may ask for additional information. We will respond within the time frames required by applicable law (generally thirty (30) days under the GDPR, subject to extension for complex requests; forty-five (45) days under the CCPA, subject to extension).

If you are a Respondent, you may also exercise rights by contacting the Client who invited you. That Client is an independent controller of your data and may have primary responsibility for responding to your request.

13. Children

The Service is not directed to children under sixteen (16) years of age. We do not knowingly collect personal information from children under sixteen. Clients are prohibited under our Terms of Service from inviting minors as Respondents absent verifiable parental or guardian consent and a separate written agreement with SignalRise. If we become aware that we have collected personal information from a child under sixteen without appropriate consent, we will take reasonable steps to delete it.

14. Cookies and similar technologies

We use a small number of strictly-necessary cookies to maintain your authenticated session when you log in to the Service. These cookies are required for the Service to function and, under the EU ePrivacy Directive and comparable laws, do not require prior consent.

We do not currently use analytics, advertising, or social-media cookies. If we adopt any such technologies, we will update this Policy and, where required, present a separate cookie-consent mechanism before they are activated.

15. Automated decision-making

The Service uses AI to moderate interviews, generate transcripts, and produce research analyses. These processes involve automated processing of personal data; however, they do not produce legal or similarly significant effects on Respondents within the meaning of Article 22 of the GDPR. Clients use Outputs to inform their own decision-making, and any legal or significant decision made by a Client in reliance on the Service is that Client’s responsibility, not SignalRise’s.

16. Notice to Respondents

If you have been invited to participate in an interview, please read this section carefully. It is written for you.

What we collect from you

Your voice, your transcripts, your screener answers, your interaction telemetry, your IP address and browser details, and anything you volunteer during the interview (see Section 3.2 for the full list).

How we use it

We use it to deliver research outputs to the Client that invited you, to operate and secure the Service, and to train, evaluate, and improve our AI systems and products, as described in Section 5.

Who sees it

The Client that invited you and its personnel; our service providers (categories listed in Section 8); and, where required by law, legal authorities.

How to end or withdraw

You can stop an interview at any time by closing the browser tab or affirmatively withdrawing. Previously-captured content is governed by this Policy. To request deletion of content associated with you, email privacy@getsignalrise.com. Because we do not collect accounts from Respondents, you will typically need to give us enough information to locate your data (for example, the Project or the inviting Client, the approximate date and time, and any identifier the Client assigned).

Contact

You may contact either SignalRise or the inviting Client to exercise your rights. Both are independent points of contact.

17. Notice to California residents

This section provides additional disclosures required by the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). It supplements, and does not replace, the rest of this Policy.

Categories of personal information collected

  • Identifiers (such as email, IP address, and Client-assigned Respondent labels);
  • Customer-record information (account and billing-contact details, when applicable);
  • Commercial information (use of the Service and features);
  • Internet and network activity (usage logs, device and browser metadata);
  • Geolocation information (approximate location derived from IP);
  • Audio and electronic information (voice recordings, transcripts, interview telemetry);
  • Professional and employment-related information (to the extent volunteered during an interview);
  • Inferences (AI-generated extractions, summaries, and analyses);
  • Sensitive personal information, where volunteered during an interview.

Purposes of use

See Section 5 for the full list of purposes.

Categories of sources

See Section 4.

Categories of third parties to whom information is disclosed

Service providers in the categories listed in Section 8; the inviting Client; legal authorities where required.

Retention

See Section 10.

Sensitive personal information

We do not use or disclose sensitive personal information for purposes beyond those permitted by Section 7027(m) of the CCPA regulations. Accordingly, the right to limit use of sensitive personal information does not provide additional restrictions beyond those already imposed by our practices.

Do Not Sell or Share

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. No opt-out is therefore required to prevent such activities. We honor Global Privacy Control signals where applicable.

Authorized agents and appeals

You may designate an authorized agent to submit a request on your behalf; we may require proof of authorization. If we deny a request, you may appeal by replying to our response.

18. Notice to EU, UK, and Swiss residents

For purposes of the GDPR and UK GDPR, the data controller for information processed under this Policy is SignalRise, with contact details provided in Section 20. SignalRise has not appointed a Data Protection Officer; appointment is not mandatory at our current scale, but we monitor the relevant thresholds and will appoint one if and when required by law.

For purposes of Article 27 of the GDPR and the equivalent UK provision, SignalRise has not at the date of this Policy appointed a representative in the EU or the UK. We will appoint representatives if and when required by applicable law based on our targeting of, or monitoring of, EU or UK residents. EU and UK residents may contact us directly at privacy@getsignalrise.com to exercise rights.

You have the right to lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is available on the European Data Protection Board’s website, and the UK supervisory authority is the Information Commissioner’s Office.

19. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will provide reasonable notice (for example, by email or in-Service notification) prior to the effective date. Material changes affecting the processing of previously-collected Respondent personal data will not be applied retroactively in a manner that exceeds the scope of the consent obtained from that Respondent at the time of collection, absent fresh consent or another lawful basis.

20. Contact

For questions about this Policy or to exercise your rights, please contact us:

SignalRise
Attn: Privacy
1321 Upland Dr. PMB 21345, Houston, Texas, 77043
Email: privacy@getsignalrise.com