Privacy Policy

Effective date: March 26, 2026

1. Introduction

This Privacy Policy explains how Signa Technologies AS ("Signa," "we," "us," or "our"), a company organized under the laws of Norway, collects, uses, discloses, and protects personal data when you use our website (signa.so), API, documentation, SDKs, and related services (collectively, the "Service").

Signa is the data controller for personal data processed in connection with the Service. We are committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Norwegian Personal Data Act (personopplysningsloven), and other applicable data protection laws.

If you have questions about this Privacy Policy, please contact us at privacy@signa.so.

2. Data Controller

Signa Technologies AS
Universitetsgata 2, 0164 Oslo
Norway

Email: privacy@signa.so

3. Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Organization and Account Information

When your organization creates an account, we collect:

  • Organization name
  • Full name of authorized representatives
  • Email addresses of team members
  • Country/region
  • Authentication credentials (stored in hashed form only)

3.2 Billing and Payment Data

When you subscribe to a paid plan, we collect:

  • Billing name and address
  • Payment method details (processed and stored by Stripe, Inc.; Signa does not store full credit card numbers)
  • Transaction history
  • VAT/tax identification number (if provided)

3.3 API Usage Data

When you use the Service, we automatically collect:

  • API requests (including query parameters, endpoints called, and request timestamps)
  • API Key usage and rate-limit data
  • Response times and error logs
  • IP addresses from which API calls originate

3.4 Website Usage Data

When you visit our website, we may collect:

  • IP address
  • Browser type and version
  • Operating system
  • Referring URL
  • Pages visited and time spent
  • Device identifiers

3.5 Communications Data

When you contact us, we collect:

  • Email correspondence
  • Support ticket content
  • Any information you voluntarily provide

3.6 Query Data

When you use the Service, the trademark search queries, clearance requests, monitoring configurations, and listing-scan inputs you submit are processed by our systems. This data may include brand names, product descriptions, Nice class selections, and jurisdiction preferences.

4. Legal Basis for Processing

Under the GDPR, we process your personal data on the following legal bases:

| Purpose | Legal Basis (GDPR Article) |
|---|---|
| Providing the Service and fulfilling your API requests | Performance of a contract (Art. 6(1)(b)) |
| Account creation and management | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and billing | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails (e.g., billing receipts, API key notifications, security alerts) | Performance of a contract (Art. 6(1)(b)) |
| Improving the Service, fixing bugs, and optimizing performance | Legitimate interest (Art. 6(1)(f)) |
| Aggregated analytics and usage statistics | Legitimate interest (Art. 6(1)(f)) |
| Preventing fraud, abuse, and enforcing our Terms | Legitimate interest (Art. 6(1)(f)) |
| Security monitoring and incident response | Legitimate interest (Art. 6(1)(f)) |
| Sending marketing communications (only with consent) | Consent (Art. 6(1)(a)) |
| Complying with legal obligations (e.g., tax, accounting) | Legal obligation (Art. 6(1)(c)) |

Where we rely on legitimate interest, we have conducted a balancing test and determined that our interests do not override your fundamental rights and freedoms. You may request details of our legitimate interest assessments by contacting us at privacy@signa.so.

5. How We Use Your Data

We use the personal data we collect to:

  • Provide, operate, and maintain the Service
  • Authenticate your identity and authorize API access
  • Process payments and manage subscriptions
  • Monitor and enforce rate limits and usage quotas
  • Detect, prevent, and address fraud, abuse, and security incidents
  • Respond to your support requests and communications
  • Send transactional notifications related to your account and the Service
  • Improve and optimize the Service, including improving our algorithms using aggregated and anonymized data (see Section 5.1 below for details on model training)
  • Generate aggregated, anonymized analytics about Service usage
  • Comply with legal obligations
  • Send marketing communications (only with your prior consent, which you may withdraw at any time)

5.1 Optional Model Improvement Consent

By default, Signa does not use your individual trademark searches or queries to train, fine-tune, or improve AI/ML models. If you choose to opt in to our Model Improvement Program, Signa may: (a) aggregate your queries with those of other participating customers; (b) anonymize the data by removing email addresses, company names, API keys, and other direct identifiers; and (c) use the aggregated, anonymized dataset to improve similarity matching, bias detection, and algorithmic accuracy.

To opt in, visit Account Settings > Data Usage > "Improve Signa Models." This is an optional checkbox that is not pre-checked during account creation. You may opt out at any time, and opting out does not affect your access to or experience with the Service. If you opt in, you may view your opt-in status and an audit log of queries contributed to model improvement at any time through your account settings.

6. Data Sharing and Sub-processors

6.1 We Do Not Sell Your Data

Signa does not sell, rent, or trade your personal data to third parties for their marketing purposes.

6.2 Sub-processors

We use the following categories of third-party service providers ("sub-processors") to help us deliver the Service. Each sub-processor processes personal data only as necessary to perform its specific function and is bound by contractual data processing agreements:

| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, database hosting, API processing | Account data, encrypted API request logs, query data, monitoring configurations | US East (primary) |
| Vercel, Inc. | Website hosting and static asset delivery | Website analytics (IP address, browser type, page views); does not process API request data or trademark queries | Global (edge network) |
| Stripe, Inc. | Payment processing | Billing name, billing address, payment method, transaction history; receives no API request data, trademark queries, or search results | US |
| Resend, Inc. | Transactional and marketing email delivery | Email address, name, email content | US |
| Attio, Ltd. | Customer relationship management (CRM) | Name, email address, company name, account activity, communications history | EU / US |
| Slack Technologies, LLC | Operational notifications and internal communications | Team notifications triggered by account events; does not receive trademark queries or search results | US |
| Google LLC (Google Analytics) | Aggregated website analytics | Anonymized website usage statistics only; individual trademark queries are not sent to Google | EU / US |
| Google LLC (Google Ads) | Advertising and conversion tracking | Hashed or pseudonymized identifiers, IP address (truncated), conversion events (e.g., sign-up, subscription); does not receive trademark queries or search results | US |
| Meta Platforms, Inc. (Facebook/Instagram Ads) | Advertising and conversion tracking | Hashed or pseudonymized identifiers, IP address, conversion events; does not receive trademark queries or search results | US |
| LinkedIn Corporation (LinkedIn Ads) | Advertising and conversion tracking | Hashed or pseudonymized identifiers, IP address, conversion events; does not receive trademark queries or search results | US |

We will maintain an up-to-date list of sub-processors at https://signa.so/sub-processors. We will notify you of any material changes to our sub-processors by email or through the Service at least 30 days before the change takes effect. You have the right to object to new sub-processors within that 30-day period. If your objection is reasonable and cannot be resolved, you may terminate your account without penalty.

6.3 Other Disclosures

We may disclose personal data when:

  • Required by law, regulation, legal process, or enforceable governmental request
  • Necessary to enforce our Terms of Service or protect our rights, property, or safety
  • Necessary to detect, prevent, or address fraud, security, or technical issues
  • In connection with a merger, acquisition, reorganization, or sale of assets, provided the successor entity agrees to be bound by this Privacy Policy

7. International Data Transfers

Signa is based in Norway (part of the EEA). Some of our sub-processors are located in the United States and other countries outside the EEA.

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:

  • EU Standard Contractual Clauses (SCCs): We execute the European Commission's Standard Contractual Clauses (June 2021 version) with sub-processors located outside the EEA.
  • Adequacy Decisions: Where the European Commission has determined that a country provides an adequate level of data protection, we may rely on that determination.
  • EU-U.S. Data Privacy Framework: Where applicable, we rely on sub-processors' certification under the EU-U.S. Data Privacy Framework.

We conduct transfer impact assessments for transfers to countries without adequacy decisions and implement supplementary technical and organizational measures where necessary, including: (a) encryption of all personal data at rest and in transit; (b) access controls limiting data access to authorized personnel on a need-to-know basis; (c) contractual commitments from sub-processors to challenge disproportionate government access requests; and (d) data localization options for enterprise customers where feasible.

You may request a copy of the applicable transfer safeguards by contacting us at privacy@signa.so.

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.

| Data Category | Retention Period | Rationale |
|---|---|---|
| Organization and account information | Duration of account + 12 months after deletion | Service delivery and post-termination support |
| Billing and payment data | 5 years after the end of the fiscal year in which the transaction occurred | Norwegian Bookkeeping Act (bokforingsloven) |
| API usage logs | 90 days (detailed logs); aggregated statistics retained indefinitely | Security, debugging, and performance optimization |
| Query data | 30 days (individual queries); aggregated and anonymized data retained indefinitely | Service delivery and improvement |
| Website analytics | 26 months | Analytics and improvement |
| Support communications | Duration of account + 24 months after deletion | Service quality and dispute resolution |

After the applicable retention period, personal data is securely deleted or anonymized.

9. Your Rights Under the GDPR

As a data subject, you have the following rights under the GDPR and Norwegian data protection law. You may exercise these rights by contacting us at privacy@signa.so.

9.1 Right of Access (Article 15). You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data, along with information about how it is processed.

9.2 Right to Rectification (Article 16). You have the right to request correction of inaccurate personal data and completion of incomplete personal data.

9.3 Right to Erasure (Article 17). You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when processing is unlawful. This right is subject to exceptions, including where retention is required by law.

9.4 Right to Restriction of Processing (Article 18). You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data or when processing is unlawful but you oppose erasure.

9.5 Right to Data Portability (Article 20). You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV), and to transmit that data to another controller, where processing is based on consent or contract and carried out by automated means.

9.6 Right to Object (Article 21).

(a) Direct Marketing: You have an absolute right to object to the processing of your personal data for direct marketing purposes. To opt out of marketing communications, click the "unsubscribe" link in any marketing email, or contact privacy@signa.so with "UNSUBSCRIBE" in the subject line. We will cease all marketing communications within 5 business days.

(b) Legitimate Interest Processing: You have the right to object to processing based on legitimate interest (as described in Section 4). Upon receiving your objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. To object, contact privacy@signa.so with "OBJECTION" in the subject line, specifying the processing activity you wish to object to.

9.7 Right to Withdraw Consent (Article 7(3)). Where processing is based on your consent, you may withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

9.8 Right to Lodge a Complaint. You have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet):

Datatilsynet
P.O. Box 458 Sentrum
NO-0105 Oslo, Norway
Email: postkasse@datatilsynet.no
Website: https://www.datatilsynet.no

9.9 Response Timeline. We will respond to your data subject request within 30 days. If the request is complex or we receive a large number of requests, we may extend this period by up to 60 additional days, in which case we will notify you of the extension within the initial 30-day period.

10. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • API Key authentication with secure key management
  • Access controls and least-privilege principles for internal systems
  • Regular security assessments and vulnerability scanning
  • Logging and monitoring of access to personal data
  • Incident response procedures with defined escalation paths
  • Employee training on data protection and security practices

While we take commercially reasonable measures to protect your data, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

10.1 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, Signa will: (a) notify affected customers without undue delay and in any event within 72 hours of becoming aware of the breach; (b) notify the Norwegian Data Protection Authority (Datatilsynet) within 72 hours as required by GDPR Article 33; and (c) where the breach is likely to result in a high risk to your rights and freedoms, notify affected data subjects without undue delay as required by GDPR Article 34. Breach notifications will include the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken to address the breach.

11. Cookies and Tracking Technologies

11.1 What We Use

Our website may use the following categories of cookies and similar technologies:

Strictly Necessary Cookies: Required for the operation of the website and Service (e.g., session management, authentication). These cookies cannot be disabled.

Analytics Cookies: Used to understand how visitors interact with our website (e.g., Google Analytics). These cookies are only set with your consent.

Advertising/Marketing Cookies: Used by third-party advertising platforms (Google Ads, Meta Ads, LinkedIn Ads) to measure ad campaign effectiveness, track conversions (e.g., sign-ups from ads), and build audience segments for retargeting. These cookies are only set with your consent. When enabled, these platforms may receive pseudonymized identifiers and conversion events. They do not receive any trademark query data, search results, or API usage information.

Functional Cookies: Used to remember your preferences and settings. These cookies are only set with your consent.

11.2 Your Choices

When you first visit our website, you will be presented with a cookie consent banner allowing you to accept or reject non-essential cookies. You may change your preferences at any time through our cookie settings page or by adjusting your browser settings.

11.3 Do Not Track

We respect "Do Not Track" browser signals. When we detect a Do Not Track signal, we do not load non-essential analytics or tracking scripts.

12. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact us at privacy@signa.so.

13. Privacy by Design and Data Minimization

In accordance with GDPR Article 25, Signa applies data protection by design and by default throughout the Service:

  • Data Minimization: We collect only the personal data strictly necessary for each processing purpose. We do not require phone numbers, residential addresses, or government-issued identifiers for organization registration.
  • Purpose Limitation: Personal data is used only for the specific purposes described in this Privacy Policy. We do not repurpose your data for unrelated activities.
  • Storage Limitation: We apply the retention periods described in Section 8 and actively delete or anonymize data when retention periods expire.
  • Pseudonymization: Where feasible, we pseudonymize personal data so that it cannot be attributed to a specific individual without additional information held separately.
  • Data Protection Impact Assessments (DPIAs): We conduct DPIAs for high-risk processing activities, including AI/ML model development and international data transfers, in accordance with GDPR Article 35. Summaries of relevant DPIAs are available upon request by contacting privacy@signa.so.

14. Third-Party Links and Services

The Service may contain links to third-party websites or services, including trademark office websites and documentation resources. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access.

15. Data Processing Agreement (DPA)

15.1 If you use the Service to process personal data on behalf of your own customers or end users, you are the data controller and Signa acts as the data processor. In such cases, a Data Processing Agreement is mandatory under GDPR Article 28.

15.2 When a DPA is Required. A DPA is required if your use of the Service involves processing any personal data, including but not limited to:

  • Customer, client, or employee names included in trademark search queries or metadata
  • Product listings containing consumer names, addresses, or other personal identifiers
  • Monitoring configurations that reference identifiable individuals
  • Any API request input that contains information relating to an identified or identifiable natural person

15.3 Signa provides a standard template DPA available for download at https://signa.so/dpa. You may download, review, and countersign the DPA at any time. For customized DPA requirements, contact legal@signa.so.

15.4 Audit Rights. Customers with an executed DPA have the right to audit Signa's data handling, security controls, and sub-processor compliance upon 30 days' written notice, up to once per calendar year, or as required by applicable law. Signa may satisfy audit requests by providing current SOC 2 Type II reports, ISO 27001 certifications, or equivalent third-party audit reports, supplemented by written responses to specific questions.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to the address associated with your account or through a prominent notice on our website at least 30 days before they take effect.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any update constitutes your acknowledgment of the updated Privacy Policy.

The "Last Updated" date at the top of this page indicates when this Privacy Policy was most recently revised.

17. California and Other U.S. State Privacy Rights

If you are a resident of California or another U.S. state with comprehensive privacy legislation (e.g., Virginia, Colorado, Connecticut), you may have additional rights, including the right to know what personal information is collected, the right to delete, and the right to opt out of the sale or sharing of personal information.

Signa does not sell personal information as defined under the CCPA/CPRA or any other U.S. state privacy law.

To exercise any rights available to you under applicable U.S. state privacy laws, please contact us at privacy@signa.so.

18. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

Signa Technologies AS
Email: privacy@signa.so
Website: https://signa.so

For data protection inquiries, you may also contact our designated data protection contact at privacy@signa.so.

This Privacy Policy was last updated on March 26, 2026. This document does not constitute legal advice. Signa recommends that you consult with a qualified privacy attorney regarding your specific circumstances.