Sig Privacy Policy

1. Legal Framework and Binding Nature

1.1 Policy Authority

This Privacy Policy is incorporated by reference into the Sig Use Policy and constitutes a legally binding agreement. By accessing Sig, you irrevocably consent to the data practices described herein.

1.2 Regulatory Compliance

• General Data Protection Regulation (EU) 2016/679
• California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
• Health Insurance Portability and Accountability Act (HIPAA) Security Rule
• Federal Trade Commission Act Section 5
• State data breach notification laws

1.3 Data Controller Status

Protocol LLC acts as the data controller for all personal information collected through Sig services.

2. Comprehensive Data Collection Matrix

2.1 Authentication and Access Data (Mandatory)

• Corporate Email Address: Required for passwordless authentication
• Supabase User Identifier: System-generated unique identifier
• JWT Tokens: Session authentication and authorization
• Access Timestamps: Login/logout times and session duration
• IP Addresses: Collected for security and fraud prevention
• Device Fingerprints: Browser type, operating system, device characteristics

2.2 Conversation and Interaction Data (Core Service)

• User Inputs: All text submitted to the AI coaching system
• AI Responses: Complete system-generated coaching responses
• Conversation Threads: Organized dialogue sessions and context
• Timestamp Metadata: Precise timing of all interactions
• Session Analytics: Usage patterns, feature utilization, engagement metrics

2.3 AI-Inferred Analytics (Automated Processing)

• Wellness Scores: Algorithmic assessment of emotional states
• Behavioral Tags: AI-generated categorization of conversation themes
• Risk Flags: Automated identification of concerning content patterns
• Progress Metrics: Longitudinal analysis of user development
• Personalization Vectors: AI-generated user preference profiles

2.4 Technical and Security Data (Operational)

• System Logs: Comprehensive application and database activity
• Error Reports: Technical failures and system performance issues
• Security Events: Authentication attempts, access violations, threat detection
• Performance Metrics: Response times, system resource utilization
• Backup Metadata: Data redundancy and recovery information

2.5 Explicitly Excluded Data

We do NOT collect:

• Government-issued identification numbers
• Financial account information or payment data
• Biometric identifiers or health records
• Contact information beyond email
• Location data or device identifiers
• Third-party social media connections

3. Data Processing Legal Bases and Purposes

3.1 Contract Performance (GDPR Article 6(1)(b))

• Provide AI coaching services as specified in user agreement
• Maintain conversation context and personalization
• Ensure service availability and performance
• Process user inputs and generate appropriate responses

3.2 Legitimate Interests (GDPR Article 6(1)(f))

• Maintain system security and prevent unauthorized access
• Conduct service improvement and feature development
• Ensure regulatory compliance and legal obligations
• Protect user safety and platform integrity

3.3 Consent (GDPR Article 6(1)(a))

• Optional analytics and performance tracking
• Service improvement surveys and feedback collection
• Marketing communications (where applicable)
• Data sharing for specific business purposes

3.4 Legal Obligations (GDPR Article 6(1)(c))

• Compliance with data protection laws and regulations
• Cooperation with law enforcement and regulatory authorities
• Maintenance of audit trails for compliance verification
• Implementation of data subject rights requests

4. Data Storage and Security Architecture

4.1 Infrastructure Security

• Cloud Provider: Google Cloud Platform (SOC 2 Type II certified)
• Database Encryption: AES-256 encryption at rest via Cloud KMS
• Transmission Security: TLS 1.3 encryption for all data in transit
• Network Security: Virtual private clouds with firewall protection
• Access Controls: Zero-trust architecture with multi-factor authentication

4.2 Data Isolation and Compartmentalization

• Per-User Isolation: Strict database-level data segregation
• Per-Thread Isolation: Conversation-specific access controls
• Role-Based Access: Minimum necessary access for all system users
• Audit Logging: Immutable logs of all data access and modifications
• Backup Security: Encrypted backups with separate access controls

4.3 Advanced Security Measures

• Real-Time Monitoring: 24/7 security operations center
• Threat Detection: AI-powered anomaly detection and response
• Penetration Testing: Regular third-party security assessments
• Vulnerability Management: Automated scanning and patch management
• Incident Response: Documented procedures for security breaches

4.4 Data Retention and Lifecycle Management

• Active Data: Retained for service provision and user experience
• Archived Data: Secure long-term storage with restricted access
• Deletion Protocols: Secure data destruction upon retention expiration
• Backup Retention: Automated backup lifecycle management
• Audit Trails: Seven-year retention for compliance purposes

5. Data Sharing and Disclosure Framework

5.1 Prohibited Sharing

We do NOT sell, rent, or trade personal information to third parties for marketing purposes.

5.2 Authorized Service Providers

• Google Cloud Platform: Infrastructure and hosting services
• Supabase: Authentication and database management
• Security Vendors: Cybersecurity monitoring and threat detection
• Audit Firms: Compliance verification and security assessments

All service providers operate under strict data processing agreements with equivalent security and privacy protections.

5.3 Legal Disclosures

Information may be disclosed when required by law:

• Court Orders: Compliance with valid legal processes
• Government Requests: Law enforcement and regulatory investigations
• National Security: Compliance with national security directives
• Public Safety: Imminent threat prevention and public protection

5.4 Business Transfers

• Users receive 30-day advance notice
• Acquiring entity must provide equivalent privacy protections
• Users may request data deletion before transfer
• Opt-out mechanisms provided for data transfer

6. Individual Rights and Control Mechanisms

6.1 Access Rights

• Data Portability: Export all personal data in machine-readable format
• Access Requests: Detailed reports of data processing activities
• Data Inventory: Complete listing of collected information categories
• Processing History: Audit trail of data handling and modifications

6.2 Correction and Deletion Rights

• Rectification: Correction of inaccurate or incomplete information
• Erasure: Complete deletion of personal data ("right to be forgotten")
• Selective Deletion: Removal of specific conversations or data elements
• Account Termination: Immediate cessation of data processing

6.3 Processing Control Rights

• Objection: Opt-out of specific data processing activities
• Restriction: Limitation of data processing to specific purposes
• Consent Withdrawal: Revocation of previously granted permissions
• Automated Decision-Making: Opt-out of algorithmic processing

6.4 Rights Exercise Procedures

• Request Submission: Dedicated privacy contact and web portal
• Identity Verification: Secure authentication for rights requests
• Response Timeline: 30-day maximum response time
• Appeal Process: Escalation procedures for disputed decisions

7. International Data Transfers and Safeguards

7.1 Transfer Mechanisms

• Standard Contractual Clauses: EU-approved data transfer agreements
• Adequacy Decisions: Transfers to countries with adequate protection
• Binding Corporate Rules: Internal data transfer governance
• Certification Programs: Third-party validated transfer mechanisms

7.2 Additional Safeguards

• Encryption: All data encrypted during international transfers
• Access Limitations: Restricted access to transferred data
• Breach Notification: Enhanced monitoring for international transfers
• Regular Reviews: Ongoing assessment of transfer adequacy

8. Specialized Privacy Protections

8.1 Sensitive Data Handling

• Mental Health Information: Enhanced protection for wellness-related data
• Automated Flagging: Detection and special handling of sensitive content
• Access Restrictions: Limited personnel access to flagged content
• Retention Limits: Reduced retention periods for sensitive information

8.2 Vulnerable Population Protections

• Enhanced Consent: Additional protections for vulnerable users
• Parental Controls: Age verification and parental consent mechanisms
• Accessibility: Privacy controls designed for users with disabilities
• Crisis Detection: Automated identification and special handling procedures

9. Breach Notification and Incident Response

9.1 Detection and Assessment

• Real-Time Monitoring: Continuous surveillance for security incidents
• Risk Assessment: Immediate evaluation of potential privacy impacts
• Containment: Rapid response to limit breach scope and impact
• Evidence Preservation: Forensic analysis and documentation

9.2 Notification Procedures

• Regulatory Notification: 72-hour notification to supervisory authorities
• User Notification: Individual notification for high-risk breaches
• Public Disclosure: Transparent reporting of significant incidents
• Remediation: Immediate steps to address vulnerabilities and prevent recurrence

10. Children's Privacy Protection

10.1 Age Verification

• Minimum Age: 18 years required for service access
• Corporate Email: Additional age verification through professional accounts
• Monitoring: Automated detection of potential underage users
• Immediate Deletion: Prompt removal of any data from minors

10.2 COPPA Compliance

Although not directed at children, we maintain COPPA-compliant procedures for inadvertent collection of data from minors.

11. Policy Updates and Change Management

11.1 Material Changes

• Advance Notice: 30-day notice for significant policy modifications
• User Consent: Explicit consent required for material changes
• Opt-Out Mechanisms: Options to decline new data uses
• Version Control: Comprehensive documentation of policy changes

11.2 Minor Updates

• Immediate Effect: Non-material clarifications and corrections
• Notification: Email notification of minor policy updates
• Transparency: Clear documentation of all changes

12. Contact Information and Regulatory Compliance

13. Compliance Certifications and Audits

Current Certifications:

• SOC 2 Type II (Annual)
• ISO 27001 (Triennial)
• GDPR Compliance Assessment (Annual)
• CCPA Compliance Verification (Annual)

Audit Schedule:

• Internal Privacy Audits: Quarterly
• External Security Assessments: Bi-annual
• Compliance Reviews: Annual
• Penetration Testing: Semi-annual