Privacy Policy
AppSigma
Last updated: 3 November 2025
This Privacy Policy explains how AppSigma ("AppSigma," "we," "us," "our") processes personal data when you use our B2B analytics Service at appsigma.io.
We act as:
- Controller for account/profile data, authentication, communications, logs, and analytics ("Account Data" and "Service Data").
- Processor only if/when customers upload their own content for analysis (not applicable at launch; if later enabled, we will process such "Customer Content" per your instructions).
The Service is intended for business users 18+.
1) Data we collect
- Identity & contact: name, email.
- Auth: email magic-link tokens, Google account identifier (if used).
- Logs/technical data: IP address, device and browser info, timestamps, pages/actions, diagnostic and performance data.
- Product analytics: event-level usage data to improve features and stability (via PostHog).
- Communications: your messages to us (e.g., support requests).
- Organization profile & membership: organization name, role (Owner/Admin/Member/Viewer), membership status, invitations.
- Billing & subscription: billing contact details, organization details, plan and invoice metadata, tax IDs; payment method tokens via Stripe (e.g., card brand, last 4 digits, expiration). We do not store full card numbers or CVV.
- Audit & admin: membership changes, role updates, and administrative actions (visible to Organization Owner/Admins).
We do not intentionally collect sensitive categories of personal data. Please do not submit such data.
2) How we use data (purposes & legal bases)
- Provide and secure the Service (create accounts, authenticate via magic link/Google, operate core features, prevent abuse, troubleshooting).
Legal bases: Contract (performance of Terms), Legitimate interests (security, anti-abuse).
- Improve the Service (usage analytics, diagnostics, A/B testing, UX improvements).
Legal basis: Legitimate interests.
- Communicate with you (transactional emails, service notices, updates to Terms/Privacy).
Legal bases: Contract, Legitimate interests.
- Legal compliance (complying with lawful requests, enforcing Terms).
Legal basis: Legal obligation / Legitimate interests.
- Workspace administration & security (show member names/roles within an Organization, attribute usage to the Organization, manage invitations, prevent fraud/abuse).
Legal bases: Legitimate interests, and Contract where necessary to provide the Service.
- Billing & payments (process subscriptions and invoices, taxes, and payment method tokens via Stripe).
Legal bases: Contract, Legal obligation (tax/accounting), Legitimate interests (fraud prevention).
Where required for non-essential cookies or analytics, we will seek consent.
3) Cookies and similar technologies
We use essential cookies (authentication, security) and analytics cookies (PostHog) to understand product usage. You can manage cookies in your browser. If we implement a cookie banner, your choices will be honored.
4) Sharing and disclosures
We share personal data with:
- Hosting & infrastructure: DigitalOcean (US) for application hosting and storage.
- Product analytics: PostHog (US) for event analytics.
- Auth & email providers: Google (if you choose Google sign-in) and a transactional email provider (for magic links and notices).
- Payments: Stripe for subscription billing and invoicing. Stripe receives payment method information (e.g., card brand, last 4 digits, expiration), billing details, and transaction metadata to process payments and prevent fraud. Privacy: https://stripe.com/privacy.
- Professional services & compliance: legal counsel, auditors, or authorities where required by law.
We do not sell or share personal information for cross-context behavioral advertising.
5) International transfers
Data is hosted in the United States. If you are in the EEA/UK, we rely on appropriate safeguards such as the EU Commission Standard Contractual Clauses (SCCs) or UK IDTA/Addendum (as applicable) with our US vendors, including Stripe. By using the Service, you understand your data will be processed in the US.
6) Security
We implement reasonable technical and organizational measures (e.g., encryption in transit, access controls, least-privilege practices). No method of transmission or storage is 100% secure.
7) Retention
We retain personal data only as long as necessary for the purposes above:
- Account data: for the life of the account and a reasonable period thereafter for recordkeeping, security, and legal obligations.
- Logs/analytics: typically up to 12 months, unless longer is needed for security or legal reasons.
- Billing/invoicing records: retained as required by tax and accounting laws.
We may anonymize data for analytics and product improvement. Payment method details are tokenized and stored by Stripe per its policies; we do not store full card numbers or CVV.
8) Your rights
Depending on your location (e.g., EEA/UK), you may have rights to access, rectify, erase, restrict, port, or object to certain processing, and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your data protection authority.
To exercise rights, contact [email protected]. We may need to verify your identity. We respond within applicable deadlines.
9) CCPA/CPRA (California)
We are a B2B service and do not sell or share personal information. California residents may have rights to know, correct, delete, and limit use of personal information, subject to exceptions. To exercise, email [email protected].
10) Children
The Service is not directed to children and is for 18+ business users only.
11) Data controller; contact
Controller: AppSigma
Email: [email protected]
Controller roles. For account, billing, and service operations data, AppSigma is the controller. For Customer Content processed within an Organization, your Organization is typically the controller and AppSigma acts as processor under our DPA (available upon request). For certain requests regarding Organization-controlled data, please contact your Organization Owner/Admins. For payments, Stripe acts as our processor.
If you are in the EEA/UK and require details of transfer mechanisms or vendor safeguards, contact us.
12) Changes to this Policy
We may update this Policy from time to time. Material changes will be posted in the Service or sent to your account email. Continued use after the effective date means you accept the changes.