A plain-English privacy policy for SignalOps.

• SignalOps is an operations product, not an ad-tech product. We collect the minimum data needed to run accounts, track work, and secure the service.
• We collect account details, transaction and goal data, session data, and audit or security events when people use the product.
• We do not sell or rent personal data, and we do not run marketing or advertising trackers on the public site.
• Data currently lives on Cloudflare infrastructure only: D1 for core records, R2 for receipt images, and Cloudflare edge services for delivery and logs.
• You can ask for access, correction, deletion, or export by emailing [email protected].

• Account data, such as name, email where provided, role, and store assignment.
• Operational data, including transactions, line items, goals, and related store performance records.
• Authentication and session data, including the `alliance_session` cookie and its expiry so we can keep signed-in users authenticated.
• Audit and security events, including records written to the `audit_log` and `security_events` tables when sensitive actions or security-relevant events occur.
• Minimal Cloudflare edge logs needed to deliver and protect the service, generated under Cloudflare's platform policy.

• We don't sell or rent personal data.
• We do not use marketing or advertising trackers on the public site.
• We do not collect precise location, biometrics, or device contacts.

• Deliver the service, including account access, store assignment, reporting, and receipt handling.
• Calculate goals, leaderboard inputs, compensation-adjacent metrics, and bonus workflows.
• Detect abuse, prevent fraud, investigate incidents, and enforce product rules.
• Respond to lawful legal requests, disputes, and compliance obligations.

• Core application records live in Cloudflare D1, with U.S. data centers as the current default.
• Receipt images live in Cloudflare R2.
• Edge request logs and delivery infrastructure run on Cloudflare.

Our soft default is up to 7 years for transaction-level records so stores can support U.S. federal record-keeping expectations. Session logs and similar security-operational records are kept for shorter periods when possible.

If you make a valid deletion request, we aim to complete it within 30 days unless a legal hold, dispute, or other compliance obligation requires us to keep specific records longer.

• Access the personal data we hold about you.
• Correct inaccurate or incomplete information.
• Request deletion where we are allowed to delete it.
• Request an export of your data.
• Complain to your regulator if you believe your rights were not handled correctly.

To invoke any of these rights, email [email protected].

SignalOps is not directed at children under 16, and we do not knowingly build the public service to target them.

SignalOps currently runs on Cloudflare infrastructure in the United States. If you are an EU or UK customer and need transfer paperwork, you can request a DPA at [email protected].

We use one application cookie after sign-in: the alliance_session cookie. It exists to keep a signed-in session active until its expiry. We do not use marketing cookies on the public site.

For the matching security overview and operating posture, see /security.

Email [email protected] for privacy questions, requests, or regulator follow-up.

Last updated: 2026-05-04

We version this policy and will email notice for material changes when the change affects how we use or disclose customer data.