Privacy Policy

Last updated: 2026-05-30

Heads up. This is a draft authored against the actual product. It is pending review by counsel and the operator's legal-tech provider (Termly). It reflects our intent; the final published version may differ in form. If you rely on this for any decision, email privacy@sigrel.com first.

1. Who we are

Sigrel ("Sigrel," "we," "us," or "our") is a consumer breach-monitoring and identity-exposure service operated by Stelviq Holdings LLC, a Delaware limited liability company, doing business as Sigrel. This policy explains what personal data we process, why, who we share it with, how long we keep it, and what you can do about it. A registered-agent mailing address will be published here once finalized; for now please contact us at privacy@sigrel.com.

2. The short version

  • We collect only what we need to do the job you signed up for. We do not sell or rent your personal information, and we do not share it for cross-context behavioural advertising.
  • The identifiers you ask us to monitor (your email, phone number, etc.) are encrypted at rest. We never see your password in plaintext. We never accept or store SSNs, passport numbers, driver's licence numbers, financial-account numbers, or government IDs.
  • The free public exposure scan does not store the email you submit. We hash it, query our partners, and discard it.
  • You can export or delete your account at any time from Settings → Privacy, or by emailing privacy@sigrel.com.

3. The personal information we collect

We collect the following categories of personal information:

3.1 Account & profile

  • Email address (used as the primary account identifier).
  • Password — stored only as a hash by our authentication provider (Supabase).
  • Optional display name and timezone, if you set them.
  • Multi-factor authentication factors (e.g. an authenticator-app secret) — stored by Supabase.

3.2 Identifiers you choose to monitor

  • Email addresses, phone numbers, usernames, online aliases, gaming handles, and domains you add to your vault.
  • These values are encrypted at rest in our database with AES-256-GCM and decrypted only at the moment they are needed to query a breach feed.

3.3 Breach intelligence we receive about you

  • Records returned by our intelligence partners (see Section 6) when a monitored identifier matches a known breach.
  • AI-generated narratives, remediation guidance, and forecasts derived from those records (Pro tier).

3.4 Product activity & security

  • Audit log of significant actions you take (login, identifier add/remove, breach acknowledge, billing change), including a salted hash of your IP and the user-agent string. Raw IPs are never stored on these audit rows.
  • Push-notification subscription tokens, if you opt in.
  • Web-server access logs (IP, user-agent, requested path, timing), retained for security and abuse-prevention purposes only.

3.5 Billing

  • Subscription tier, status, and renewal dates. Payment-card details are processed by Stripe and are never seen or stored by Sigrel.

3.6 Free public exposure scan

  • When you submit an email to our public /scan endpoint, we accept it over TLS, hash it, query our intelligence partners, return an aggregate count and severity, and then discard the email. The email is not stored. We do retain a salted hash of the requesting IP solely for abuse-prevention rate limiting (cleared after 7 days).

3.7 Data we do not collect

  • Social Security numbers, passport numbers, driver's licence numbers.
  • Financial-account numbers, full credit-card numbers, bank routing numbers.
  • Full physical addresses, date of birth, or phone numbers (we may forward these to EasyOptOuts on your authorisation for broker removal — see Section 6 — but we do not store them).
  • Biometric data, precise geolocation, device fingerprinting beyond what is needed for fraud prevention.
  • Behavioural advertising or cross-site tracking signals.

4. How we use your information

We use the information described above for the following purposes only:

  • Provide the service: match your monitored identifiers against breach feeds, surface findings, generate AI narratives and remediation guidance, deliver alerts, run scans on the cadence your tier allows.
  • Authenticate & secure your account: sign you in, prevent unauthorised access, enforce rate limits and bot protection.
  • Communicate with you: service announcements, breach alerts you have enabled, billing notices, and security-incident communications. We do not send marketing email without your opt-in.
  • Bill you: only for paid tiers, via Stripe.
  • Comply with law & protect rights: respond to valid legal process, enforce our Terms of Service, and protect users from abuse.

5. How long we keep it

  • Account & vault data: for the life of your account, plus 30 days after deletion to allow for recovery.
  • Audit logs & LLM-usage logs: 90 days, then automatically pruned.
  • Free-scan IP hashes: 7 days, used only for rate limiting.
  • Free-scan email submissions: not retained.
  • Billing records: retained as required by US tax and accounting law (typically 7 years).
  • Backups: overwritten on a 30-day rotation.

6. Who we share with (service providers / sub-processors)

We share personal information only with the service providers below, and only to the extent they need it to deliver the service to you. Each provider is contractually prohibited from using your data for any other purpose.

  • Supabase — authentication, primary database, encrypted storage (US).
  • Fly.io — API server hosting (US).
  • Vercel — web app hosting (US).
  • Upstash — Redis cache, rate-limit counters (US).
  • Stripe — payment processing. Card data is sent directly from your browser to Stripe; we never touch it (US).
  • Resend — transactional email delivery (US).
  • Cloudflare — bot protection (Turnstile) on the public scan and auth forms (US).
  • EasyOptOuts (Pro tier, data-broker removal only) — when you opt in to broker removal, we forward your legal name, current and past addresses, date of birth, and (if provided) phone numbers directly to EasyOptOuts's enrollment API. We store only a Sigrel-controlled synthetic identifier we mint for each user; we do not retain the underlying personal data ourselves (US).
  • Anthropic, OpenAI, xAI (LLM providers) — we send breach metadata (breach names, dates, data classes) to generate narratives, remediation guidance, and chat answers. We sanitise prompts so that the raw values of your monitored identifiers are never included. Each provider is contractually prohibited from training models on our prompts.
  • Intelligence partners — for the specific per-partner data flows, see the appendix at the bottom of this page.

We do not sell your personal information, and we do not share it for cross-context behavioural advertising.

7. Your rights

Depending on where you live in the United States, you may have one or more of the following rights under state privacy law (CCPA/CPRA in California, VCDPA in Virginia, CPA in Colorado, UCPA in Utah, CTDPA in Connecticut, and other state laws as enacted):

  • Right to know & access: request a copy of the personal information we hold about you.
  • Right to delete: request that we delete your personal information.
  • Right to correct: request correction of inaccurate information.
  • Right to portability: receive your data in a portable, machine-readable format.
  • Right to opt out: opt out of any "sale" or "sharing" of your data. (We do neither, but the right is stated for completeness.)
  • Right against discrimination: we will not deny service, charge a different price, or provide a lower-quality service because you exercised a right under this section.
  • Right to appeal: if we deny a request, you can appeal by replying to our response email. If we deny the appeal, you may contact your state attorney general.

Most rights can be exercised with one click from Settings → Privacy. For anything else, email privacy@sigrel.com. We will respond within 45 days. We may ask you to verify your identity (typically by signing into the account) before acting on a request.

Authorised agents: if you authorise someone to act for you, they must provide written proof of authorisation. We will still verify your identity.

Global Privacy Control: if your browser sends a Global Privacy Control (GPC) signal, we treat it as an opt-out signal for the rights to which it applies.

8. California "Shine the Light" (Civil Code § 1798.83)

California residents may request, once per year, a list of third parties to which we have disclosed personal information for those third parties' direct marketing purposes during the prior calendar year. Our answer for the current year is: none. We do not disclose personal information to third parties for their direct-marketing purposes.

9. Children's privacy

Sigrel is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided personal information to us, email privacy@sigrel.com and we will delete it.

10. International users

Sigrel is operated from the United States and our service providers are US-based. If you access the service from outside the United States, you understand that your information will be transferred to and processed in the United States.

11. Security

We take security seriously. Our specific posture is described on the Responsible Disclosure page. The short version: TLS 1.3 in transit, AES-256-GCM for monitored identifiers at rest, hashed passwords (managed by Supabase), role-based access controls on our infrastructure, and short-lived secrets. No system is perfectly secure; we will notify affected users without undue delay if a security incident has materially impacted their data.

12. Changes to this policy

We may update this policy. When we make material changes we will notify active accounts by email at least 30 days before the change takes effect, and we will update the "Last updated" date at the top. If you do not agree with a change, you can delete your account before the change takes effect.

13. Contact

Privacy questions, rights requests, or general feedback: privacy@sigrel.com. We are Stelviq Holdings LLC dba Sigrel, a Delaware limited liability company. A registered-agent mailing address will be published here once finalized.


How your data flows through the product

These are the specific data flows that power Sigrel. They are written here in plain English because they are unusual for a privacy policy and we want to be explicit.

Identifiers in the vault

Every identifier you add (email address, phone number, username, etc.) is encrypted at rest in our database with a per-record key. The plaintext value is decrypted only at the moment we need it to query a breach feed, and the decrypted value never leaves the request that needed it.

Breach feeds

  • Have I Been Pwned (HIBP): we hash your email with SHA-1 and send only the first 5 hex characters of the hash to HIBP's anonymous range API. HIBP never sees your email.
  • LeakCheck: we send your email in cleartext over TLS to LeakCheck's API. LeakCheck's data-processing agreement governs their handling.
  • Enzoic: we hash your email with SHA-256 and send the hash to Enzoic's exposures-for-usernames endpoint. Enzoic does not see the cleartext email.

EasyOptOuts (data-broker removal, Pro tier only)

When you enable broker removal, your legal name, current and past addresses, date of birth, and (if provided) phone numbers are sent directly from our API server to EasyOptOuts's enrollment endpoint over TLS. We persist only a Sigrel-controlled synthetic identifier we mint for each enrollment (currently of the form eoo-<uuid>@trace.sigrel.com, on a Sigrel-owned domain), plus per-site scan progress (site name and removal status — no personal data). Your name, address, date of birth, and phone numbers are not stored in Sigrel's database. Status updates from EasyOptOuts are pulled by Sigrel on a daily schedule and rendered in your dashboard. To deactivate, use Settings → Privacy → Broker removal; we will forward the cancellation to EasyOptOuts.

Synthetic email — what it is and isn't. The synthetic identifier acts as a case-number-shaped string EasyOptOuts uses to look up your record in their system. Although it is shaped like an email address, EasyOptOuts has told us they handle all data-broker verification email on their side and won't send mail to it. Should any vendor email reach the alias regardless, our inbound handler silently discards it — we do not forward anything from that alias to your real inbox.

Timing & re-emergence. Brokers process the removal on their own side. Expect most removals within 14–45 days of enrollment. Some brokers re-list previously-removed records on their own quarterly refresh cycle; when EasyOptOuts reports a re-emergence in a later scan, we file the opt-out request again automatically — you don't need to do anything. Re-emergence events are surfaced on the Activity timeline in your dashboard.

EasyOptOuts data retention. When you cancel and Sigrel forwards the deletion, EasyOptOuts removes your account data from their production database immediately. Logs that may reference your personal data (used for opt-out processing) are retained for up to 14 days. Web-server logs containing IP addresses are retained for up to 37 days. After those windows, all personal data and IP addresses are purged. These retention periods are EasyOptOuts's, not Sigrel's; we do not have access to those logs.

Push notifications

If you opt in to push notifications, we send the alert payload encrypted with a key unique to your browser. The push provider (Apple, Google, Mozilla) routes the encrypted bytes to your device but cannot read the alert content.

AI features (chat advisor, breach narratives, remediation guidance)

AI-generated insights are produced by sending breach metadata (titles, dates, data classes — never your raw identifier values) to our LLM provider over TLS. The LLM provider is contractually prohibited from training on the prompts. You can disable AI features entirely from Settings → Privacy.

Email delivery

Breach alert emails are sent via Resend. The email body contains your monitored identifier as the subject of the alert; nothing else from your account is included.

Service providers

  • Supabase (auth, primary database) — US
  • Fly.io (API hosting) — US
  • Vercel (web hosting) — US
  • Upstash (Redis) — US
  • Resend (transactional email) — US
  • Cloudflare (Turnstile bot protection) — US
  • HIBP, LeakCheck, Enzoic, Hudson Rock — see above for what each one receives

Sigrel is operated by Stelviq Holdings LLC, a Delaware limited liability company.
