Privacy Policy

We collect the following types of information:

• Account Information: Name, email address, phone number, company name, job title, and business type provided during registration.
• Usage Data: Information about how you interact with the Service, including EDI transaction logs, file processing records, and feature usage.
• Technical Data: IP address, browser type, device information, and access timestamps collected automatically.
• Payment Information: Billing details processed securely through Stripe. We do not store full credit card numbers on our servers.

• To provide, maintain, and improve the Service;
• To process transactions and send related notifications;
• To respond to support requests and communicate with you;
• To detect, prevent, and address technical issues and security threats;
• To comply with legal obligations and enforce our Terms of Service.

We do not sell your personal information. We may share information with:

• Service providers who assist in operating the platform (hosting, payment processing, email delivery);
• Law enforcement or regulatory authorities when required by law;
• Professional advisors (legal, accounting) as necessary for business operations.

For a complete list of our sub-processors, see Section 7 below or our Data Processing Agreement.

We implement industry-standard security measures including encryption in transit (TLS), encrypted storage, access controls, and regular security assessments. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

We retain your data for as long as your account is active or as needed to provide the Service. EDI transaction data is retained according to your plan’s retention period (14 to 365 days). Account data is retained for a reasonable period after termination for legal and operational purposes.

You have the right to:

• Access and receive a copy of your personal data;
• Request correction of inaccurate information;
• Request deletion of your account and associated data;
• Object to or restrict certain processing of your data.

To exercise these rights, contact us at support@signaledi.com.

• SignalEDI uses AI models (powered by OpenAI) to provide automated support drafting, mapping suggestions, error explanations, and internal operations.
• Before any prompt is sent to an external AI provider, SignalEDI applies pattern-based de-identification (including HIPAA Safe Harbor-style redaction for common PHI identifiers). Raw EDI payload bodies and full transaction content are not intentionally sent to external AI providers.
• AI features may operate on operational metadata (e.g. redacted error text, partner names, ticket subjects). Healthcare customers must execute a BAA before transmitting PHI-bearing transaction sets (837, 835, 270, 271, and related sets).
• SignalEDI sets the OpenAI store: false flag on every chat completion request so OpenAI does not retain prompt or response content beyond the request lifecycle.
• Operational logs of AI interactions are stored in SignalEDI’s database for audit and quality purposes, governed by the retention policy in Section 5.
• Client can request deletion of AI conversation history by contacting support@signaledi.com.

• Data is primarily stored and processed in the United States (Vercel edge network, Neon PostgreSQL in US-East).
• For EU, UK, and Swiss data subjects, international transfers are protected by Standard Contractual Clauses (EU Commission Decision 2021/914).
• Clients may request execution of Standard Contractual Clauses by contacting support@signaledi.com.

SignalEDI uses the following sub-processors, each bound by data processing agreements:

• Vercel — Hosting and CDN
• Neon — Database (PostgreSQL)
• Stripe — Payment processing
• Resend — Email delivery
• Upstash — Redis caching and rate limiting
• OpenAI — AI processing (support drafting, mapping assistance) — prompts de-identified before transmission; not used for model training
• Sentry — Error and performance monitoring
• Svix — Outbound webhook delivery
• Google (Ads and Analytics APIs) — Marketing attribution and ad-account reporting (no customer EDI payload data)
• Twilio — SMS notifications (operational alerts only)
• LinkedIn — OAuth and marketing post publishing (no customer EDI data)
• Microsoft Graph — Teams notifications and calendar integrations (optional)
• Instantly.ai — Sales outreach orchestration (no customer EDI data)
• Intuit QuickBooks Online — ERP connector sync when customer connects QuickBooks
• Google Search Console and YouTube APIs — SEO rank tracking and marketing video publishing (no customer EDI data)
• Slack — Internal operational alerts and inbound webhook notifications

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: You may request information about what personal information we collect, use, disclose, and sell.
• Right to Delete: You may request deletion of your personal information.
• Right to Opt-Out of Sale: We do not sell personal information. No opt-out is necessary.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, email support@signaledi.com.

We may update this Privacy Policy from time to time. We will notify registered users of material changes. Your continued use of the Service after changes constitutes acceptance of the updated policy.

For questions about this Privacy Policy, contact us at support@signaledi.com.