Privacy notice

Last updated 2026-04-25. The short answer is on /terms § 7. This page is the long-form notice required by the California Consumer Privacy Act, the California Privacy Rights Act, and the parallel state privacy statutes. The authoritative source is docs/legal/privacy_notice.md in the Signal repository — this page summarizes that document for the web.

1. Who we are

Signal is operated as a single-founder entity at alpha-tax.ai. The qualified individual responsible for privacy and security questions is reachable at ian.manchel@gmail.com. Use the subject line [CCPA REQUEST] or [PRIVACY REQUEST] for rights requests.

2. What we collect

Two buckets:

  • Account-row plaintext we can read: your email, your display name, an Argon2id hash of your password (not the password itself), a UMK salt, and the standard request-log line your browser produces (IP, timestamp, route, user-agent).
  • Vault ciphertext we cannot read: everything you upload — the structured return, the audit packet our deterministic engine emits, any notes, and any Plaid metadata if you connect a bank — is encrypted in your browser with a key derived from your password, before it leaves your machine. We store the ciphertext only.

Your tax return contents — including any SSN that appears in the structured payload, employer identifiers, capital-gains lots, basis records, and the inferences our engine computes from them — are in the second bucket. We do not see them.

What Plaid sees vs. what Signal sees

When you link a bank, Plaid sees everything in your bank’s OAuth response. Signal’s edge-strip runs in the same request, in memory, before any data hits disk. Only the stripped shape is encrypted with your in-browser key and saved. The full Plaid response is discarded with the request.

What we keep (encrypted)

  • Account type & subtype: needed to classify a transaction as e.g. brokerage, checking, or credit
  • ISO currency code: needed for multi-currency normalization
  • Transaction date & amount: the core inputs to deductible-expense logic
  • Plaid's category labels: the personal-finance-category taxonomy maps cleanly to Schedule A / Schedule C lines
  • Merchant name (Plaid-cleaned): categorization heuristics rely on it; it is not necessarily a person
  • Opaque Plaid identifiers (transaction_id, account_id): needed for deduplication; not linkable to a human without Plaid's cooperation

What we drop (never written)

  • Account owners (names, addresses, phone numbers, emails): Signal does not need to know who owns the account
  • Institution name & official account name: the institution doesn't change tax treatment for our supported cases
  • Account mask / official account number: no tax-categorization logic depends on it
  • Geolocation coordinates: irrelevant to a federal-return engine
  • Payment-channel and counterparty metadata: not needed for the categorization we run
  • Free-text transaction description: high free-text-PII risk, low marginal categorization value over the cleaned merchant + Plaid category

Authoritative source: frontend/lib/plaid-edge-stripping.ts. The drop list is enforced in code by typed exclusion, not by convention.
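The keep/drop split above can be enforced by typed exclusion as sketched here: the stored shape is a Pick of the keep list, a type-level guard fails to compile if a dropped key is ever added to it, and the strip function copies fields by name rather than spreading the raw response. This is an added illustration, not Signal's frontend/lib/plaid-edge-stripping.ts; the Plaid-shaped field names and the sample transaction are assumptions constructed for the example.

```typescript
// Added example modeled on the keep/drop lists above; it is not Signal's own
// frontend/lib/plaid-edge-stripping.ts, and the field names are assumptions.
interface RawTransaction {
  transaction_id: string; account_id: string;
  date: string; amount: number;
  iso_currency_code: string | null;
  merchant_name: string | null;
  personal_finance_category: { primary: string; detailed: string } | null;
  name: string;                                          // free-text description: dropped
  location: { lat: number | null; lon: number | null };  // geolocation: dropped
  payment_channel: string; counterparties: Array<{ name: string }>; // dropped
}

// The stored shape is a Pick of the keep list. A dropped key cannot appear in
// it without the guard below resolving to `never`, which fails to compile.
type DroppedKey = "name" | "location" | "payment_channel" | "counterparties";
export type StrippedTransaction = Pick<RawTransaction,
  "transaction_id" | "account_id" | "date" | "amount" |
  "iso_currency_code" | "merchant_name" | "personal_finance_category">;
type NoOverlap<A, B> = Extract<A, B> extends never ? true : never;
export const dropListHolds: NoOverlap<keyof StrippedTransaction, DroppedKey> = true;

// Copy field by field; never spread `raw`, so a field reaches storage only by being named here.
export function stripTransaction(raw: RawTransaction): StrippedTransaction {
  return {
    transaction_id: raw.transaction_id,
    account_id: raw.account_id,
    date: raw.date,
    amount: raw.amount,
    iso_currency_code: raw.iso_currency_code,
    merchant_name: raw.merchant_name,
    personal_finance_category: raw.personal_finance_category,
  };
}

// Runtime check of the same invariant on whatever object is about to be encrypted.
const DROPPED_KEYS: ReadonlySet<string> = new Set(["name", "location", "payment_channel", "counterparties"]);
export function leakedKeys(toStore: object): string[] {
  return Object.keys(toStore).filter((k) => DROPPED_KEYS.has(k));
}

// Constructed sample transaction, not real Plaid output.
export const sampleRaw: RawTransaction = {
  transaction_id: "txn_constructed_001", account_id: "acct_constructed_001",
  date: "2026-03-14", amount: 42.5, iso_currency_code: "USD",
  merchant_name: "Example Hardware",
  personal_finance_category: { primary: "GENERAL_MERCHANDISE", detailed: "GENERAL_MERCHANDISE_OTHER" },
  name: "POS DEBIT EXAMPLE HARDWARE #12 J DOE",
  location: { lat: 37.77, lon: -122.42 }, payment_channel: "in store",
  counterparties: [{ name: "Example Hardware Inc" }],
};
```

Running `leakedKeys` on the stripped object right before the in-browser encryption call turns the type-level guarantee into a request-time assertion as well.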

3. Why we collect what we collect

  • Authenticating you and maintaining your session.
  • Running the deterministic scoring engine on the data you upload.
  • Storing the encrypted result so you can come back to it without re-uploading.
  • Routing audit packets to a CPA reviewer of your choice when you initiate a grant.
  • Operating, securing, and debugging the service (logs, rate limiting, abuse prevention).
  • Complying with our legal obligations (security, breach notification).

We do not use your information for advertising, profiling unrelated to the service, or training machine-learning models on your data.

4. Who sees it

  • Fly.io — our hosting provider. Sees the account-row plaintext on the persistent volume, the encrypted vault entries, edge-TLS request metadata, and the application log stream. Cannot decrypt the vault.
  • A CPA reviewer you select — only when you initiate a grant. The position key is wrapped under the recipient's public key. We cannot read what the CPA can read.
  • Nobody else. We do not sell or share personal information for cross-context behavioral advertising. There is no advertising integration on the site.

5. How long we keep it

Account row: while your account is active. Vault entries: until you delete them in-app or delete your account. Subprocess working files: wiped synchronously at the end of every upload request, with a periodic sweep for orphans older than one hour. Application logs: at the host's default retention window. Full retention table at docs/legal/retention_policy.md.

6. Your rights

Depending on the state you live in, you have the right to know what we have about you, to delete it, to correct it, to receive a portable copy, to limit our use of sensitive personal information, and to opt out of sale or sharing. We do not sell or share, so the opt-out is satisfied structurally.

How to exercise these rights with Signal:

  • Know: the only personal information we can read about you is in your account row and your request-log line. Email us for a copy. For specific pieces of vault content (Cal. Civ. Code § 1798.110), use the “Download my data” button on /vault — that exports every entry decrypted in your browser. Signal cannot assemble that file on the server because Signal cannot decrypt your vault.
  • Delete: the in-app delete button on each vault entry removes that entry. Email us to delete the entire account.
  • Correct: account fields are correctable in-app. We cannot correct the contents of your encrypted vault — you do that yourself by re-uploading.
  • Portability: your account row is a tiny record we can email to you on request. The encrypted vault is exportable as JSON envelopes from inside the app.
  • Limit / opt out: structurally satisfied — we use sensitive personal information only for the purpose you uploaded for, and we do not sell or share.

We will not retaliate against you for exercising any of these rights. We verify identity by your control of the account email plus a successful login under your password — because we cannot decrypt your vault, we cannot verify you by re-serving your plaintext.

How to submit: use the intake form at /privacy/request or email ian.manchel@gmail.com. Acknowledgement within 10 business days, substantive response within 45 calendar days per Cal. Civ. Code § 1798.130.

7. Children

The service is not directed at minors under 13 and we do not knowingly collect personal information from minors under 13.

8. Cross-border

We host on Fly.io infrastructure in the United States. If you use Signal from outside the United States, your personal information will be transferred to and processed in the United States.

9. Changes

Material changes will be surfaced in-app before they take effect on your account, and the “Last updated” date at the top of this page will change.

Authoritative source. The full privacy notice — including the CCPA category-by-category breakdown in § 1798.140(v) form, the SPI handling under § 1798.140(ae), and the open questions for counsel — is at docs/legal/privacy_notice.md. The companion documents are docs/legal/safeguards_program.md (FTC Safeguards Rule program), docs/legal/incident_response.md (breach plan), and docs/legal/retention_policy.md (retention).