Privacy Policy · SignalSpa

Who this policy is for

This Privacy Policy ("Policy") describes how SignalSpa Inc. ("SignalSpa," "we," "us") collects, uses, discloses, and protects personal information when you visit our website at signalspa.com (the "Site"), request a discovery call, communicate with us, or engage us for marketing services.

This Policy does not govern the privacy practices of our clients' own websites, booking systems, electronic medical records, or patient communications. Where we process personal information on behalf of a client, we act as a service provider or processor and process that information under our agreement with that client; the client's own privacy notice governs.

By using the Site, you acknowledge that you have read this Policy and understand how your information is processed.

What we collect

Information you provide

When you book a discovery call, fill out a form, email us, sign a Statement of Work, or otherwise engage us, you may provide:

Identifiers — name, email address, telephone number, business mailing address.
Practice information — practice or spa name, role, location, services offered, website, social handles.
Engagement information — meeting notes, content of communications, files, calendar invitations, signed documents.
Payment information — billing contact, billing address, and limited card metadata. Full payment-card numbers are handled by our payment processor and are not stored by SignalSpa.

Information collected automatically

When you visit the Site, we and our service providers may automatically collect:

Device and connection data — IP address, browser type and version, operating system, device identifiers, language preferences, time zone.
Usage data — pages viewed, referring URL, links clicked, time on page, scroll depth, approximate geographic location derived from IP.
Cookies and similar technologies (see § vii).

Information from third parties

We may receive information from advertising and analytics partners (e.g., Meta, Google), scheduling and CRM vendors, business-data providers, or publicly available sources, including aggregated audience insights, conversion events, and basic firmographic data about your practice.

How we use personal information

We use personal information to:

Respond to inquiries, schedule discovery calls, prepare proposals, and provide the Services.
Administer engagements, including billing, invoicing, account management, and contract administration.
Operate, maintain, secure, debug, and improve the Site and our internal tools.
Communicate about engagements, send transactional messages, and provide customer support.
Send occasional editorial updates and information about our Services. You can opt out at any time.
Measure and improve the performance of our marketing, including A/B testing creative on the Site.
Comply with legal obligations, enforce our agreements, and protect our rights, property, and safety, and those of our clients and the public.
Aggregate or de-identify information for analytics, benchmarking, and research; once aggregated or de-identified, such information is not treated as personal information.

We do not sell personal information

We do not sell personal information for money. We also do not engage in "sales" or "sharing" of personal information for cross-context behavioral advertising in the sense that triggers an opt-out right under most U.S. state privacy laws when applied to our own Site. If this changes, we will update this Policy and provide the required opt-out mechanism.

Legal bases for processing (EEA / UK)

Where the General Data Protection Regulation or UK GDPR applies, we process personal information under one or more of the following legal bases:

Contract — to take steps at your request before entering into a contract and to perform a contract with you.
Legitimate interests — to operate, secure, and improve our Site and Services; to communicate about our business; and to prevent fraud and abuse. We balance these interests against your rights and freedoms.
Consent — where you have given consent for a specific purpose, such as non-essential cookies or marketing emails. You may withdraw consent at any time without affecting prior processing.
Legal obligation — to comply with applicable law, tax and accounting requirements, and lawful requests by authorities.

Sharing & disclosure

We disclose personal information only as follows:

Service providers and processors — vendors that host, secure, analyze, or otherwise support our Site and operations, under written contracts requiring them to protect personal information and use it only for the services they provide to us.
Advertising and analytics partners — for the limited purpose of measuring and improving the performance of our own marketing. See § viii.
Professional advisors — lawyers, accountants, auditors, and insurers, subject to professional obligations of confidentiality.
Authorities — government, regulatory, or law-enforcement authorities where required by law or to protect rights, property, or safety.
Business transfers — in connection with a merger, acquisition, financing, reorganization, or sale of all or part of our assets, in which case personal information may be transferred subject to standard confidentiality protections and, where required, notice to you.
With your direction or consent — for any other purpose disclosed at the time of collection or with your consent.

Service providers we rely on

Our current categories of sub-processors and service providers include website hosting and content delivery, email and calendaring, electronic-signature and document storage, customer-relationship management, scheduling and form software, payment processing, analytics, and advertising platforms. We select vendors for reliability and security and contract with them to protect personal information.

A current list of material sub-processors is available on written request to [email protected].

Cookies & similar technologies

We and our service providers use cookies, local storage, pixels, and similar technologies on the Site for the following purposes:

Strictly necessary — to operate the Site, route traffic, maintain security, and remember basic preferences. These cannot be disabled.
Performance & analytics — to understand how visitors use the Site, measure traffic sources, and improve content and design.
Advertising & conversion measurement — to measure the performance of our own ads, exclude existing contacts from prospecting audiences, and improve creative.

Most browsers let you refuse or delete cookies; doing so may affect Site functionality. Mobile operating systems offer separate controls for advertising identifiers. Where required by law, we obtain consent before placing non-essential cookies and provide a cookie banner or preferences center.

Analytics & advertising platforms

We may use third-party analytics and advertising services (for example, Google Analytics, Meta Pixel, LinkedIn Insight, Microsoft Clarity, or similar) to measure how the Site is used and the performance of our own marketing. These services may collect IP address, device identifiers, and usage events, and may set their own cookies, subject to their respective privacy policies and your platform-level controls.

You can opt out of common interest-based advertising via the Network Advertising Initiative (thenai.org/opt-out), the Digital Advertising Alliance (optout.aboutads.info), and your device's "limit ad tracking" or equivalent setting.

Patient data & HIPAA

SignalSpa is not a HIPAA-covered entity, and is not a Business Associate of any client unless a separate Business Associate Agreement has been signed. We ask that clients and prospects not send us Protected Health Information through the Site, email, or general communications.

If you believe you have inadvertently transmitted PHI to us, please contact [email protected] and we will work with you to delete or return it.

How long we keep information

We retain personal information for as long as necessary to provide the Services, manage our relationship with you, comply with legal obligations (e.g., tax, accounting, statutes of limitation), resolve disputes, and enforce our agreements. When personal information is no longer needed, we delete or de-identify it using commercially reasonable measures.

Backups containing personal information are retained for a limited period under our standard backup-rotation policy and are deleted on schedule.

Security

We use administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, and destruction, including TLS encryption for data in transit, access controls, vendor due diligence, and least-privilege practices. No method of transmission over the internet or storage on electronic systems is fully secure, and we cannot guarantee absolute security.

If we become aware of a security incident affecting personal information, we will respond and notify affected individuals and authorities as required by applicable law.

International data transfers

SignalSpa is based in the United States, and personal information we process is primarily handled in the United States. If you are located outside the United States, you understand that we may transfer, store, and process your personal information in the United States and in other countries where our service providers operate, which may have data-protection laws different from those of your jurisdiction.

Where required, we use appropriate safeguards for international transfers, including Standard Contractual Clauses approved by the European Commission or the United Kingdom, and we rely on supplementary measures where appropriate.

Rights of U.S. state residents

Depending on the state in which you reside, you may have the following rights regarding personal information we hold about you, subject to verification and statutory exceptions:

The right to know what categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of recipients.
The right to a copy of your personal information in a portable format.
The right to correct inaccurate personal information.
The right to delete personal information, subject to exceptions.
The right to opt out of "sales," "sharing" for cross-context behavioral advertising, or profiling that produces legal or similarly significant effects, where applicable.
The right to limit the use of sensitive personal information, where applicable.
The right not to be subjected to unlawful discrimination for exercising these rights.

To exercise these rights, email [email protected]. We will respond within the time required by applicable law (generally forty-five (45) days, with an extension where permitted). We may need to verify your identity before fulfilling a request. You may use an authorized agent where the law permits.

If we decline a request, we will explain why. You may appeal that decision by replying to our response with "Appeal" in the subject line.

Rights of EEA & UK residents

If you are in the European Economic Area, United Kingdom, or Switzerland, you have the rights to: access your personal information; have inaccurate information corrected; have your information erased in certain circumstances; restrict or object to processing based on our legitimate interests; receive your information in a portable format; withdraw consent at any time without affecting prior processing; and lodge a complaint with your local supervisory authority.

To exercise these rights, write to [email protected]. You may also contact your supervisory authority — in the UK, the Information Commissioner's Office (ico.org.uk); in Ireland, the Data Protection Commission; or the authority in your country of residence.

Do Not Track & Global Privacy Control

Our Site does not currently respond to "Do Not Track" browser signals, because there is no widely accepted standard for them. Where required by applicable law (for example, in California and Colorado), we treat Global Privacy Control ("GPC") signals as a valid request to opt out of "sales" and "sharing" of personal information for cross-context behavioral advertising.

Children's privacy

The Site and our Services are intended for adult business users and are not directed to children under sixteen (16). We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact [email protected] and we will delete it.

Third-party websites & links

The Site may link to third-party websites, including client websites, social platforms, and partner pages. We are not responsible for the content, privacy practices, or accuracy of those sites. We encourage you to review the privacy notice of any third-party site you visit.

Changes to this Policy

We may update this Policy from time to time to reflect changes to our practices, technology, legal requirements, or other factors. The "Effective" date at the top of this document indicates the latest revision. Material changes will be highlighted at the top of the Policy or notified to you by email where we have your email address on file. Your continued use of the Site after the effective date constitutes acceptance of the updated Policy.

How to contact us

For privacy questions, requests, or complaints:

SignalSpa Inc.
Attn: Privacy
[email protected]
[email protected]

A mailing address is available upon written request. We will acknowledge your request promptly and respond within the period required by applicable law.