◈ SafeSignal by NortheastVault

Privacy Policy

Last updated: 1 January 2025  ·  Effective: 1 January 2025  ·  Applies to: safesignal.ch and all related services

Plain language summary: SafeSignal is a Swiss identity monitoring service. We collect only what is necessary to deliver the service. We never sell your data. All data is stored in Switzerland. You can request deletion of your data at any time by emailing privacy@safesignal.ch.

1. Who we are

SafeSignal is a digital identity monitoring service operated under the NortheastVault brand. References to "SafeSignal", "we", "us", or "our" in this policy refer to the operator of safesignal.ch.

Our data processing infrastructure is based in Switzerland. For the purposes of the EU General Data Protection Regulation (GDPR), we act as the data controller for personal data processed through our services.

Contact: privacy@safesignal.ch

2. What data we collect

2.1 Account data

When you create a SafeSignal account, we collect:

  • Your email address (used for login and breach alerts)
  • A hashed password (we never store your password in plain text)
  • Your preferred language and timezone
  • Subscription plan and billing cycle preference

2.2 Monitored identifiers

To provide the monitoring service, you provide us with the identifiers you want monitored, which may include:

  • Additional email addresses
  • Phone numbers (optional)
  • Usernames (optional, higher-tier plans)

These identifiers are stored encrypted at rest and used solely to perform breach monitoring checks on your behalf.

2.3 Payment data

Payments are processed by our third-party payment processor. We do not store full credit card numbers or payment details on our servers. We retain only non-sensitive billing metadata such as plan type, billing cycle, and transaction reference numbers.

2.4 Usage and technical data

We collect limited technical data necessary to operate the service securely:

  • IP address (retained for 30 days for abuse prevention)
  • Browser type and operating system (aggregated, not linked to your account)
  • Pages visited and features used within your account dashboard
  • Error logs (purged after 7 days)

2.5 Breach check data (NortheastVault integration)

If you use the free breach checker at northeastvault.com, your email address is hashed locally in your browser using the k-anonymity method before any data is transmitted. The hash prefix (not your full email) is sent to the HaveIBeenPwned API. We do not store the email addresses of free breach checker users.

3. How we use your data

We use your personal data for the following purposes:

  • Service delivery: Monitoring your identifiers against breach databases and sending you alerts when matches are found.
  • Account management: Maintaining your subscription, processing payments, and providing customer support.
  • Security: Detecting and preventing fraud, abuse, and unauthorised access to our systems.
  • Service improvement: Analysing aggregated, anonymised usage patterns to improve features and performance.
  • Legal compliance: Meeting our obligations under Swiss nDSG, EU GDPR, and applicable US state law.

We do not use your data for advertising purposes. We do not sell your data to third parties. We do not use your data to train artificial intelligence or machine learning models.

4. Legal basis for processing (GDPR)

For users in the European Economic Area (EEA) and Switzerland, we process your personal data on the following legal bases under Article 6 of the GDPR:

  • Contract performance (Art. 6(1)(b)): Processing your account data and monitored identifiers to deliver the subscription service you purchased.
  • Legitimate interests (Art. 6(1)(f)): Processing technical and usage data to ensure service security, prevent fraud, and improve the product.
  • Legal obligation (Art. 6(1)(c)): Retaining certain records to comply with applicable law.
  • Consent (Art. 6(1)(a)): Where we ask for your permission for optional processing activities (such as product newsletters), which you may withdraw at any time.

5. Swiss data protection (nDSG)

SafeSignal's operations are governed by the Swiss Federal Act on Data Protection (Datenschutzgesetz, DSG), as revised and effective from 1 September 2023 (nDSG). Key points:

  • All personal data is processed and stored within Switzerland.
  • We maintain a record of processing activities as required by Art. 12 nDSG.
  • We conduct data protection impact assessments for high-risk processing activities.
  • You have the right to request information, correction, deletion, and data portability under Arts. 25–27 nDSG.
  • Cross-border data transfers (if any) are governed by Arts. 16–17 nDSG, with appropriate safeguards in place.

6. US privacy rights

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or other US states with comprehensive privacy laws, you have additional rights:

6.1 California (CCPA / CPRA)

  • Right to know what personal information we collect, use, share, or sell.
  • Right to delete your personal information.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of personal information. Note: We do not sell personal information.
  • Right to non-discrimination for exercising your rights.

6.2 Other US states

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA) have similar rights to access, correct, delete, and port their personal data. To exercise any US privacy right, contact us at privacy@safesignal.ch. We will respond within 45 days as required by applicable law.

7. Data retention

We retain your personal data for as long as your account is active. Upon account deletion:

  • Account data and monitored identifiers are deleted within 30 days.
  • Billing records are retained for 10 years as required by Swiss accounting law (OR Art. 958f).
  • IP logs are deleted after 30 days.
  • Error logs are deleted after 7 days.
  • Anonymised, aggregated analytics data may be retained indefinitely as it cannot be linked to any individual.

8. Third-party services

We use a limited number of third-party services to operate SafeSignal. Each is bound by appropriate data processing agreements:

  • HaveIBeenPwned API: Used to cross-reference email hashes against known breach databases. Only k-anonymity hash prefixes are transmitted — never your full email address.
  • Payment processor: Handles subscription billing. Subject to PCI-DSS compliance. We do not store card data.
  • Email delivery: Used to send breach alerts and account communications. Configured to process data within the EU/EEA.
  • Hosting infrastructure: All servers are located in Switzerland.

We do not use Google Analytics, Facebook Pixel, or any third-party advertising trackers.

9. Cookies

SafeSignal uses only strictly necessary cookies required for the service to function:

  • Session cookie: Keeps you logged in during your browser session. Expires when you close your browser.
  • Preference cookie: Stores your language and theme preference. Expires after 365 days.

We do not use advertising cookies, analytics cookies, or third-party tracking cookies. You do not need to accept a cookie banner to use our service.

10. Your rights

Regardless of where you are located, you have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Ask us to correct inaccurate data.
  • Deletion: Ask us to delete your personal data ("right to be forgotten").
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Restriction: Ask us to limit how we use your data while a dispute is resolved.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any right, email privacy@safesignal.ch. We will respond within 30 days (GDPR) or 45 days (US state law). We may ask you to verify your identity before processing your request.

If you are unhappy with our response, you have the right to lodge a complaint with:

  • The Swiss Federal Data Protection and Information Commissioner (FDPIC): edoeb.admin.ch
  • Your local EU supervisory authority (if you are in the EEA)

11. Security

We implement industry-standard security measures including:

  • All data encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Passwords stored as bcrypt hashes — never in plain text.
  • Monitored identifiers stored with application-level encryption.
  • Access to production systems restricted to authorised personnel only.
  • Regular security audits and vulnerability assessments.

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Art. 33–34 and nDSG Art. 24.

12. Children's privacy

SafeSignal is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a minor, please contact us at privacy@safesignal.ch and we will delete it promptly.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify you by email at least 30 days before the change takes effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.

14. Contact us

SafeSignal — Privacy enquiries

Email: privacy@safesignal.ch

Website: safesignal.ch

We aim to respond to all privacy-related enquiries within 5 business days. For formal data subject requests (access, deletion, portability), we will respond within the legally required timeframe.

© 2025 SafeSignal · A NortheastVault service