Privacy Policy

Effective Date: May 21, 2026

SignedOff ("we," "us," or "our") operates the web application located at signedoff.io (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your first name, last name, email address, company name, and password. If you subscribe to a paid plan, we collect billing information through our payment processor, Stripe — your name, email, and company name are shared with Stripe to create your customer record. We do not store your credit card number directly.

1.2 Permit and Project Data

You may enter permit numbers, jurisdiction information, project addresses, permit statuses, and related notes into the Service. This data is stored to provide the core functionality of the Service.

1.3 Data Retrieved from Government Portals

When you add a permit to the Service, we automatically retrieve publicly available information from government permit portals on your behalf. This may include the permit address, work description, contractor name, contractor address, inspection history, status history, assigned inspectors, and relevant dates (submission, issuance, expiration). This data is stored alongside your permit record to provide status tracking, change notifications, and reporting features.

1.4 Notification Preferences

You may opt in to receive email notifications when a permit's status changes or when new inspections are recorded. These preferences are stored in your account settings and are off by default.

1.5 Automatically Collected Information

When you access the Service, we may automatically collect device information (browser type, operating system), IP address, usage data (pages viewed, features used, timestamps), and cookies or similar technologies used for authentication and session management. We also use product analytics tools (see Section 3.6) that record pages visited, button clicks, and a short session recording of how you interact with the interface. All text inputs (including emails, permit numbers, and notes) are automatically masked in these recordings before they leave your browser, so we cannot see what you type into form fields.

1.6 AI Assistant Interactions

When you use the "Ask about this permit" assistant (the AI-powered Q&A panel on permit detail pages), we collect and store your questions, the AI-generated answers returned to you, metadata about which knowledge-base sections were consulted, any feedback you provide (thumbs up/down), and approximate per-query cost and latency metrics. These logs are kept in our own database to improve answer quality, detect abuse, and troubleshoot issues. See Section 3.5 for details on which of this data is shared with third-party AI providers.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Process transactions and send related information, including confirmations and invoices
  • Send transactional emails (account verification, trial reminders, billing notifications, permit status change alerts, and inspection change alerts based on your notification preferences)
  • Respond to your comments, questions, and support requests
  • Monitor and analyze usage trends to improve user experience
  • Detect, prevent, and address technical issues or fraudulent activity

3. How We Share Your Information

We do not sell, rent, or trade your personal information. We may share information with the following categories of third parties only as necessary to operate the Service:

3.1 Service Providers

We use third-party services to help operate the Service:

  • Stripe — payment processing and subscription management (receives your name, email, and company name)
  • Supabase — database hosting and user authentication (including password reset flows)
  • Resend — transactional email delivery (receives your email address and permit information included in notification emails)
  • Railway — application hosting
  • Anthropic — generates responses for the permit-Q&A assistant (receives your question text and relevant permit metadata; see Section 3.5 for details)
  • OpenAI — converts your questions into vector embeddings for semantic search against our knowledge base (receives your question text only; no permit metadata is sent)
  • PostHog — product analytics and session replay (receives pageviews, click events, masked session recordings, and your email address when you log in; see Section 3.6 for details)
  • Plausible — privacy-friendly traffic analytics (receives anonymous pageview counts; no personal identifiers)

These providers only access your data as needed to perform services on our behalf and are obligated to protect it.

3.2 Public Permit Pages

When you generate a QR code or share link for a permit, a limited summary of that permit (permit number, status, and jurisdiction) is made available on a public page accessible to anyone with the link. No account information or personal data is displayed on public permit pages.

3.3 Team Members

If you are on a Team plan, your permit and project data may be visible to other members of your team. Team membership is managed by the team owner.

3.4 Legal Requirements

We may disclose your information if required to do so by law or in response to valid legal process, such as a subpoena, court order, or government request.

3.5 AI-Powered Permit Assistant

When you use the "Ask about this permit" assistant, we send the following to third-party AI providers:

  • To Anthropic (Claude API): your question text, metadata for the permit you are viewing (permit number, jurisdiction, permit type, current status, submission / approval / expiration dates, and — when populated from public permit portals — property address, work description, contractor name, inspection history, and pending inspections), and curated excerpts from our permit knowledge base.
  • To OpenAI (embeddings API): your question text only. No permit metadata is sent to OpenAI.

Anthropic and OpenAI process this data under their own privacy terms. Under their commercial API policies in effect when we last verified them, neither provider uses customer inputs submitted via the API to train their models. Neither provider is granted access to any other data in your SignedOff account.

We log each assistant interaction in our own database (see Section 1.6) to measure quality, detect abuse, and improve the feature. If you wish to have your assistant interaction logs deleted, contact us at support@signedoff.io — we will honor the request within the timelines described in Section 6 (Your Rights).

3.6 Product Analytics and Session Replay (PostHog)

We use PostHog to understand how people use SignedOff so we can improve the product. PostHog receives:

  • Pageviews and click events on every page of the Service
  • Anonymous attribution data captured from your initial visit (UTM parameters, referrer)
  • Your Supabase user identifier and email address once you log in or sign up, so anonymous browsing is linked to your account in our analytics
  • Session recordings of your interactions with the Service interface

Session recordings always mask text inputs. Anything you type into form fields — including email addresses, passwords, permit numbers, notes, and AI assistant questions — is replaced with placeholder characters before the recording leaves your browser. We see your clicks, navigation, and which fields you focused on, but not their contents.

PostHog processes this data under its own privacy policy. To opt out of analytics and session replay, enable your browser's Do Not Track setting or use a privacy-focused browser extension that blocks PostHog; the Service will continue to function normally. To request deletion of your PostHog analytics history, contact us at support@signedoff.io.

4. Data Storage and Security

Your data is stored on secure servers provided by our hosting and database providers. We implement industry-standard security measures including encryption in transit (HTTPS/TLS), secure authentication, and access controls. However, no method of electronic storage is 100% secure, and we cannot guarantee absolute security.

5. Data Retention

We retain your account information and permit data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal or compliance purposes.

6. Your Rights

Depending on your location, you may have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Object to or restrict certain processing of your data
  • Request a portable copy of your data

To exercise any of these rights, contact us at the email address listed below. We will respond within 30 days.

7. California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights, including the right to know what personal information we collect and how it is used, the right to request deletion, and the right to opt out of the sale of personal information. As stated above, we do not sell personal information.

8. Cookies

We use cookies and similar technologies for the following purposes:

  • Authentication and session management — required for the Service to function
  • Attribution — a 30-day cookie (so_attr) stores UTM parameters from your first visit so we can understand which marketing channels brought you to us
  • Product analytics — PostHog sets cookies to maintain a stable identifier across pageviews (see Section 3.6)

We do not use advertising cookies and we do not share cookie data with advertising networks. You may disable cookies in your browser settings, but doing so may affect your ability to use the Service.

9. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will take steps to delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the effective date. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy, please contact us at:

SignedOff
Email: support@signedoff.io
Website: signedoff.io