Privacy Policy
Last updated: 2026-05-02
[PLACEHOLDER — replace with the body of your Termly-generated Privacy Policy.]
This page is a scaffold. Until the operator pastes the generated policy in, this is what we promise:
- We collect only what we need to do the job you signed up for.
- We never sell your data.
- You can export or delete your account from Settings → Privacy at any time.
- The data-flow notes below describe what actually happens when you use the product.
What we collect
- Account details: email, hashed password (Supabase manages this).
- Identifiers you choose to monitor (emails, phone numbers, usernames, etc.) — encrypted at rest in our database.
- Breach event records returned by our intelligence partners and matched to your identifiers.
- Audit log of actions you take in the product (login, identifier add/remove, breach acknowledge).
What we don't collect
- Plaintext passwords (only Supabase's hashed form).
- Behavioural analytics, ad-targeting data, or third-party tracking.
- Browsing history, location data, or biometric data.
Your rights
Under the GDPR and CCPA you have the right to access, export, correct, or delete your data. The product surfaces these as one-click actions in Settings → Privacy. For anything else, email privacy@sigrel.com.
How your data flows through the product
These are the specific data flows that power Sigrel. They are written here in plain English because they are unusual for a privacy policy and we want to be explicit.
Identifiers in the vault
Every identifier you add (email address, phone number, username, etc.) is encrypted at rest in our database with a per-record key. The plaintext value is decrypted only at the moment we need it to query a breach feed, and the decrypted value never leaves the request that needed it.
Breach feeds
- Have I Been Pwned (HIBP): we hash your email with SHA-1 and send only the first 5 hex characters of the hash to HIBP's anonymous range API. HIBP never sees your email.
- LeakCheck: we send your email in cleartext over TLS to LeakCheck's API. LeakCheck's data-processing agreement governs their handling.
- Enzoic: we hash your email with SHA-256 and send the hash to Enzoic's exposures-for-usernames endpoint. Enzoic does not see the cleartext email.
- Hudson Rock: we send your email in cleartext over TLS to Hudson Rock's stealer-log lookup API. Hudson Rock's data-processing agreement governs their handling.
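The HIBP flow above is a k-anonymity range query: the feed receives only a 5-character hash prefix and returns every suffix it knows under that prefix, so the match happens on our side and the feed never learns which identifier was asked about. The following is an added illustration of that protocol, not Sigrel's own code: the breach index, the range endpoint and the request log are constructed in memory so it runs offline, and lower-casing the identifier before hashing is an assumption made here rather than something this policy states.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed sample data: a few made-up identifiers and how often a feed
# "saw" them. None of this is real breach data.
_CONSTRUCTED_EXPOSED = {
    "alice@example.com": 3,
    "bob@example.org": 1,
}


def sha1_hex(identifier: str) -> str:
    """Hash an identifier as the HIBP flow describes (SHA-1, upper-case hex).
    Trimming and lower-casing first is an assumption of this example."""
    return hashlib.sha1(identifier.strip().lower().encode("utf-8")).hexdigest().upper()


def split_hash(identifier: str) -> Tuple[str, str]:
    """Return (5-char prefix that leaves the service, 35-char suffix kept locally)."""
    digest = sha1_hex(identifier)
    return digest[:5], digest[5:]


# Constructed stand-in for the feed's index: full hash -> count.
_BREACH_INDEX: Dict[str, int] = {sha1_hex(i): n for i, n in _CONSTRUCTED_EXPOSED.items()}

# Every request the constructed feed receives is recorded here, so we can show
# exactly what a third party learns from this flow: prefixes only.
FEED_REQUEST_LOG: List[str] = []


def constructed_range_api(prefix: str) -> str:
    """Stand-in for a range endpoint: returns 'SUFFIX:COUNT' lines for every
    indexed hash sharing the prefix. A real feed returns hundreds of suffixes
    per prefix; a decoy line is added here so callers must match locally."""
    FEED_REQUEST_LOG.append(prefix)
    lines = [f"{h[5:]}:{n}" for h, n in _BREACH_INDEX.items() if h.startswith(prefix)]
    lines.append("0" * 35 + ":99")  # decoy suffix, constructed
    return "\r\n".join(lines)


def k_anonymous_lookup(
    identifier: str,
    range_api: Callable[[str], str] = constructed_range_api,
) -> int:
    """Return how many times the identifier appears in the feed, sending the
    feed nothing but the 5-character hash prefix. 0 means no match."""
    prefix, suffix = split_hash(identifier)
    for line in range_api(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for ident in ("alice@example.com", "nobody@example.net"):
        print(ident, "->", k_anonymous_lookup(ident), "exposure(s)")
    print("what the feed received:", FEED_REQUEST_LOG)
```

Note the asymmetry that makes this a privacy control: the feed's response is the same for every identifier sharing the prefix, so logging prefixes on the feed side (as `FEED_REQUEST_LOG` does) recovers nothing about which of the roughly 2^140 possible suffixes was of interest. The cleartext flows to LeakCheck and Hudson Rock in the list above have no such property, which is why the policy points to those providers' data-processing agreements instead.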
Push notifications
If you opt in to push notifications, we send the alert payload encrypted with a key unique to your browser. The push provider (Apple, Google, Mozilla) routes the encrypted bytes to your device but cannot read the alert content.
AI features (chat advisor, breach narratives, runbooks)
AI-generated insights are produced by sending breach metadata (titles, dates, data classes — never your raw identifier values) to our LLM provider over TLS. The LLM provider is contractually prohibited from training on the prompts. You can disable AI features entirely from Settings → Privacy.
Email delivery
Breach alert emails are sent via Resend. The email body contains your monitored identifier as the subject of the alert; nothing else from your account is included.
Service providers
- Supabase (auth, primary database) — US
- Fly.io (API hosting) — US
- Vercel (web hosting) — US
- Upstash (Redis) — US
- Resend (transactional email) — US
- Cloudflare (Turnstile bot protection) — US
- HIBP, LeakCheck, Enzoic, Hudson Rock — see above for what each one receives
Sigrel is operated by Stelviq Holdings LLC, a Delaware limited liability company.