Privacy Policy
Effective June 2, 2026 · Last updated June 2, 2026 · Version 2026-06-02
Who we are
Signal Tracker operates a government-contract alerting service available at https://www.signaltracker.live. This Privacy Policy explains what personal information we collect, why, how we use and share it, how long we keep it, and the choices and rights you have. You can reach us at privacy@signaltracker.live.
Information we collect
Information you provide directly
- Account details — email address and password (required to register and sign in).
- Access code — required to register; we store only a hashed (SHA-256) version of the code plus a redemption record.
- Profile details — optional display name, bio, and avatar.
- Alert email — an optional email address where contract alerts are sent.
- Requests you submit — the contents of privacy requests and any messages you send us.
Information collected automatically
- Session data — we store an authentication session token in your browser's local storage to keep you signed in. This is strictly necessary for the service to function.
- IP address and user agent — recorded when you log consent or submit a privacy request, for security and recordkeeping.
- Email delivery metadata — recipient address, status, and timestamps for emails we send you.
We do not use web analytics, advertising pixels, or third-party tracking cookies. We do not buy personal information about you from data brokers.
Cookies and similar technologies
We use only strictly-necessary browser storage (a session token in local storage) to keep you authenticated. We do not set advertising or analytics cookies and do not load third-party tracking technologies. Because we use no non-essential cookies, no cookie consent banner is required; if we add analytics or advertising in the future, we will update this policy and add a consent mechanism.
How we use information
- To create and secure your account and authenticate you.
- To send the contract alerts and service emails you have configured.
- To operate, maintain, debug, and improve the service.
- To prevent fraud, abuse, and unauthorized access.
- To respond to your requests and to comply with legal obligations.
- To send marketing emails only where you have opted in (you can withdraw consent at any time).
Legal bases for processing
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
- Contract — to provide the service you sign up for.
- Legitimate interests — to secure the service and prevent abuse.
- Consent — for marketing emails (withdrawable at any time).
- Legal obligation — to keep certain records and respond to lawful requests.
Automated processing and AI-generated content
The service automatically screens public government-contract opportunities against value thresholds and keyword/filter rules to decide which contracts to surface and alert on. Some descriptive content may be generated or summarized by automated systems. This automated processing applies to public contract data, not to profiling of you as a user, and it does not produce legal or similarly significant decisions about you. Automated outputs may contain errors; see our Terms of Service for accuracy disclaimers.
How information is shared
We share personal information only with service providers that help us run the service:
- Lovable Cloud — application hosting, database, authentication, and storage infrastructure.
- Supabase — underlying database, authentication, and storage (provided through Lovable Cloud).
- Lovable Email — delivery of authentication and alert emails (receives recipient email and message content).
We query SAM.gov and Alpha Vantage for public contract and market data; we do not send your personal information to those services. We do not sell your personal information and do not share it for cross-context behavioral (targeted) advertising. We may disclose information if required by law or to protect our rights, users, or the public.
User-generated content
The service is invite-gated and does not currently host public user-generated content. Profile information you enter is visible only to you and to administrators.
Payments
We do not currently collect payment information or process payments through the service.
Account creation and authentication
Registration requires a valid access code, an email address, and a password. Passwords are salted and hashed by our authentication provider and are never stored in plaintext. Access codes are stored only as a one-way hash.
Marketing communications
Contract alerts and account/security emails are transactional messages tied to your use of the service. We will only send promotional/marketing emails if you opt in. You can withdraw consent at any time in your account settings or by submitting an unsubscribe request.
Data retention
We keep personal information only as long as needed:
- Account and profile data — until you delete your account.
- Privacy requests — 3 years.
- Consent logs — 5 years.
- Administrative audit logs — 7 years.
- Email delivery logs — 2 years.
Data security
We apply specific safeguards, including:
- Row-Level Security on user data tables so users can access only their own records and administration is restricted.
- Passwords salted and hashed by our authentication provider; access codes stored only as SHA-256 hashes.
- Encryption in transit (TLS) between your browser, our servers, and our providers.
- Server-side secrets kept out of client code; least-privilege administrative access.
- Audit logging of administrative and self-service access to personal data, and of exports and deletions.
No method of transmission or storage is perfectly secure, but we work to protect your information.
Children's privacy (under 13)
The service is not directed to children under 13. During registration you must confirm you are at least 13 years old. We do not knowingly collect personal information from children under 13; if we learn we have, we will delete it.
U.S. state privacy rights
Depending on your state, you may have rights to know, access, correct, delete, and obtain a portable copy of your personal information, and to be free from discrimination for exercising these rights.
California (CCPA/CPRA) rights
California residents may request access to, correction of, and deletion of personal information, and information about our data practices. We do not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of in that regard; we nonetheless honor opt-out and Global Privacy Control (GPC) signals where applicable. You may appeal a denied request by contacting privacy@signaltracker.live.
Global Privacy Control
Because we do not sell or share personal information or run targeted advertising, GPC signals do not change processing. We will honor GPC and opt-out preferences if our practices ever change.
Exercising your rights
You can exercise your privacy rights at any time:
- Access / portability — export your data from account settings, or submit a request.
- Correction — edit your profile, or submit a correction request.
- Deletion — delete your account from settings, or submit a deletion request.
- Opt-out / unsubscribe — turn off marketing in settings, or submit a request.
Submit any request via our privacy request form. We respond within the timeframe required by applicable law (generally within 30–45 days) and may need to verify your identity first.
International data transfers
Our providers may process data in the United States and other countries. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for international transfers.
Changes to this policy
We may update this policy from time to time. We will revise the "Last updated" date and version above, and where required we will ask you to re-accept the updated policy.
Contact us
Privacy questions and requests: privacy@signaltracker.live. Security matters: security@signaltracker.live.