Privacy Policy

Last updated: February 2026

1. Introduction

SignalVault (signalvault.io) is an AI compliance audit tool that helps you log, monitor, and enforce guardrails on AI requests and responses. SignalVault is operated by Elvar (elvar.io). This Privacy Policy explains how we collect, use, store, and protect your data when you use our service.

2. Data We Collect

We collect the following categories of data:

  • Account data: When you register, we collect your email address and store a hashed version of your password. We do not store your plain-text password.
  • AI audit data: When you use the SignalVault API or SDK, we receive and store the prompts and responses you submit for audit. This includes message content, metadata (provider, model, environment), and associated event data.
  • Usage analytics: We may use Google Analytics to understand how visitors use our website. Analytics are optional and require your consent where required by law.
  • Payment data: Subscriptions are processed by Stripe. We do not store credit card numbers or full payment details. Stripe handles all payment data in accordance with PCI-DSS requirements.

3. How We Use Your Data

We use your data to:

  • Deliver the SignalVault service, including audit logging, guardrail evaluation, and dashboard access
  • Authenticate your account and secure your session
  • Monitor for security incidents, abuse, and unauthorized access
  • Improve our product, fix bugs, and develop new features
  • Send transactional emails (e.g., password reset, billing notifications) via Resend

4. Data Processing (AI Audit Data)

AI audit data (prompts and responses submitted via the API) receives special treatment:

  • Encryption: All prompt and response payloads are encrypted at rest using AES-256-GCM. Encryption keys are managed through environment configuration and are never stored alongside the data they protect.
  • Retention: Data is retained according to your plan: 30 days (Starter), 90 days (Growth), or up to 365 days (Enterprise). After the retention period, data is permanently deleted via automated background jobs.
  • No AI training: We do not use your audit data to train AI models. Your prompts and responses are used solely for audit logging and guardrail evaluation.
  • No third-party sharing: We do not share your audit data with third parties for advertising, marketing, or any purpose other than delivering the service.

5. Third-Party Processors

We use the following third-party processors to operate SignalVault:

  • Stripe: Payment processing. Stripe processes subscription payments and stores payment method details. We receive only subscription status and billing identifiers.
  • Google Analytics: Optional website analytics. Used only with your consent where required. You can opt out via cookie preferences.
  • Resend: Transactional email delivery (password reset, billing notifications, alert emails). We share only the email address and content necessary for each message.

We do not sell your data. All processors are bound by data processing agreements where applicable.

6. Cookies

We use cookies as follows:

  • Essential cookies: Session and CSRF tokens required for authentication and security. These cannot be disabled if you wish to use the service.
  • Optional analytics cookies: Google Analytics cookies, used only with your consent where required by law. You can manage cookie preferences in your browser or via our consent mechanism.

7. Your Rights (GDPR)

If you are in the European Economic Area or the UK, you have the following rights under the General Data Protection Regulation (GDPR):

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data, subject to legal retention requirements.
  • Data portability: Request your data in a structured, machine-readable format.
  • Withdrawal of consent: Where processing is based on consent, you may withdraw consent at any time.
  • Objection and restriction: Object to processing or request restriction in certain circumstances.

To exercise these rights, contact us at support@signalvault.io. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

8. Data Security

We implement industry-standard security measures to protect your data. For a detailed overview of our security controls, including encryption, access controls, and infrastructure practices, see our Security page.

9. Data Transfers

SignalVault and our processors may store and process data in jurisdictions outside your country of residence. When we transfer data internationally, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) and adequacy decisions where applicable. We ensure that our processors provide equivalent protection for transfers of personal data.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we may also notify you by email or through a notice in the dashboard. Continued use of SignalVault after changes constitutes acceptance of the updated policy.

11. Contact

For questions about this Privacy Policy or to exercise your data protection rights, contact us at support@signalvault.io. SignalVault is operated by Elvar (elvar.io).