SignOff

Privacy Policy

Effective date: 26 May 2026 — Version 1.1

1. Who We Are

SignOff is operated by Anna Kusiak-Johnsen (trading as SignOff), Kyrkogatan 19, 231 63 Trelleborg, Sweden. We are the data controller for personal data collected through signoffapp.io. Contact us about privacy: hello@signoffapp.io

2. Who This Policy Applies To

This policy covers two groups of people:

  • Subscribers — tradespeople and business owners who create a SignOff account ("you")
  • End customers — the individuals whose contact details you add to SignOff so we can send review requests on your behalf

Both groups' data is covered here.

3. Data We Collect

3.1 Subscriber Data

  • Name and email address (at registration)
  • Business name, phone number, and Google Business Profile details (in settings)
  • Billing information processed by Stripe (we do not store card details)
  • Login activity and account usage data
  • Country of login, derived from your IP address at the time of each session. We record one entry per user per day and retain this data for 90 days. We do not store your IP address itself.

3.2 End Customer Data (entered by you)

  • Customer names and phone numbers
  • Job details and completion status
  • Quote information and follow-up status

3.3 Google Business Profile Data (collected via API)

  • Reviews left by your customers on your Google Business Profile (star rating, review text, reviewer name)
  • Aggregate rating and review count
  • Business name and location details from your Google Business Profile

This data is retrieved from Google on your behalf when you connect your Google Business Profile. See section 7 for full details.

3.4 Technical Data

  • IP address and browser type (used transiently for routing and geo-derivation; not stored long-term)
  • Pages visited on signoffapp.io
  • Country of origin for landing page visits, derived from IP address
  • Cookies and session data (see our Cookie Policy)

4. How We Use Your Data

4.1 To deliver the Service

  • Create and manage your account
  • Send SMS review requests to your customers via Twilio
  • Generate AI-assisted review response drafts via Anthropic
  • Automate quote follow-ups
  • Process your subscription via Stripe

4.2 To improve the Service

  • Monitor platform performance and fix errors
  • Understand feature usage to inform product development
  • Analyse login geography at country level to monitor service usage patterns and detect anomalies

4.3 To communicate with you

  • Send transactional emails (password reset, billing notifications)
  • Notify you of material updates to Terms or Privacy Policy

We do not send marketing emails without your consent.

5. Lawful Basis for Processing

  • Contract — processing your account data is necessary to provide the Service you subscribed to
  • Legitimate interests — sending review request SMS to your customers on your behalf, as this is a core function you have configured and authorised
  • Legitimate interests — recording country-level login geography to monitor platform security and usage patterns. Only the country is stored (not IP address), one record per user per day, automatically deleted after 90 days.
  • Consent — processing your Google Business Profile data via OAuth, based on your explicit authorisation of the connection. You may withdraw consent at any time by disconnecting in Settings → Google Reviews.
  • Legal obligation — retaining financial records as required by Swedish law

6. Who We Share Data With

We do not sell personal data. Sub-processors:

  • Supabase Inc. (USA) — database hosting and authentication. SOC 2 certified.
  • Twilio Inc. (USA) — SMS message delivery. Phone numbers and message content shared solely to deliver messages.
  • Resend Inc. (USA) — transactional email delivery — quote notifications and platform emails.
  • Anthropic PBC (USA) — AI-powered review response drafting. Does not use API data to train models.
  • Stripe Inc. (USA) — payment processing and subscription billing. PCI-DSS Level 1 certified.
  • Vercel Inc. (USA) — application hosting and infrastructure. All traffic transits Vercel servers.
  • Google LLC (USA) — OAuth authentication and Google Business Profile API access.
  • Sentry / Functional Software Inc. (USA) — error tracking and performance monitoring. Error reports may contain partial request context.

All sub-processors operate under data processing agreements with appropriate safeguards.

7. Google API Services — Data Use Disclosure

SignOff integrates with the Google Business Profile API to allow subscribers to connect their Google Business Profile. When you authorise this connection, the following applies:

What we access

Business Profile data including your business name, location, reviews (star rating and review text), and aggregate review statistics, via the https://www.googleapis.com/auth/business.manage OAuth scope.

How we use it

  • Display your reviews in the SignOff dashboard
  • Track review velocity (this month vs. last month) and your aggregate star rating
  • Generate AI-assisted reply drafts via Anthropic (review text is sent to Anthropic solely for this purpose)

What we store

  • OAuth access and refresh tokens (encrypted at rest)
  • Your Google Business Account ID, Location ID, and business location name
  • Cached aggregate star rating and review count (refreshed on demand)
  • Review text is fetched on demand and is not stored long-term

What we do not do

  • We do not sell, share, or use your Google Business Profile data for advertising or any purpose beyond delivering the Service
  • We do not use Google API data to train AI or machine learning models
  • We do not transfer Google API data to any third party except as strictly necessary to render the Service (Anthropic receives review text solely to generate response drafts and does not use it to train models)

Revoking access

You can disconnect your Google Business Profile at any time in Settings → Google Reviews → Disconnect. On disconnection, your stored OAuth tokens and all cached Google data are permanently deleted from SignOff's systems.

SignOff's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

8. International Data Transfers

Transfers outside UK/EEA rely on Standard Contractual Clauses (SCCs). Contact hello@signoffapp.io for details.

9. How Long We Keep Data

  • Account and subscriber data: subscription duration plus 12 months, then deleted or anonymised
  • End customer data: deleted within 30 days of account termination
  • Financial and billing records: 7 years (Swedish accounting law)
  • Google OAuth tokens and cached Business Profile data: deleted immediately on disconnection; retained for the duration of the active connection otherwise
  • Technical logs: 90 days

10. Your Rights (UK GDPR / EU GDPR)

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction
  • Right to data portability
  • Right to object

Email hello@signoffapp.io to exercise rights. We will respond within one month.

Complaints: Swedish Authority for Privacy Protection (IMY): imy.se · UK Information Commissioner's Office (ICO): ico.org.uk

11. Your Customers' Rights

If a customer contacts us about their data, we direct them to you as the data controller. You are responsible for responding. We will assist where possible.

12. Security

  • Encryption in transit (TLS) and at rest
  • Row-level security (Supabase RLS)
  • Access controls limiting employee access to personal data
  • Regular security reviews

We will notify you of any data breach without undue delay.

13. Children

SignOff is not intended for use by individuals under 18. We do not knowingly collect data from minors.

14. Changes to This Policy

Material changes notified by email or in-app with 14 days' advance notice. Current version always at signoffapp.io/privacy.

15. Contact

Anna Kusiak-Johnsen — SignOff
Kyrkogatan 19, 231 63 Trelleborg, Sweden
hello@signoffapp.io

© 2026 SignOff · signoffapp.io