Privacy & Compliance
The same honesty we apply to measurement applies here: this page describes what the software actually does, not what a template says. North Signal is data-minimal by architecture.
What North Signal stores, and where
- • Project data — brand name/domain, category, competitors, prompt taxonomy, engine responses, extracted metrics, experiments. Stored locally in the operator's SQLite database. This is business data about brands, not personal data about people.
- • No accounts, no cookies, no trackers. One localStorage key holds your theme preference. Nothing else is stored in your browser.
- • API keys never enter the application database — they are read at request time from the operating system keychain or environment and are never logged or persisted by North Signal.
- • Aggregated benchmarking — anonymized, aggregated measurement patterns (never your brand, domain, or attributable prompt text) may inform cross-industry priors, as disclosed in the Terms §4; deleting a project removes it from future aggregation.
- • Retention — raw engine responses are kept indefinitely by default as a longitudinal dataset; operators can enable automatic purging with CITELIFT_RETENTION_DAYS. Aggregates contain no raw content.
Processors — what leaves your machine, and when
- • Anthropic (Claude API) — receives your prompts, the URL you submit for site research, and engine responses for extraction judging. Handled under Anthropic's API terms; API inputs/outputs are not used to train models by default.
- • SerpApi — receives your prompt text as Google queries when the AI Overviews engine is enabled.
- • Nothing is sent to any processor except when you explicitly run research or a measurement batch. There is no background telemetry of any kind.
Data-minimization guidance:prompts are sent to the engines you measure. Write prompts about your market and product — do not include personal data (names, emails, customer records) in prompt text. North Signal's generated taxonomies never do.
Your rights, as product features
- • Access & portability — every project has an "Export all data" button producing one complete, machine-readable JSON file.
- • Erasure — "Delete project" permanently removes the project and every derived record (runs, responses, extractions, metrics, experiments, outcomes) in a single transaction.
- • Rectification — all project inputs are editable before and after measurement.
Regulation-by-regulation position
GDPR / UK GDPR (EU, EEA, UK)
Processing of personal data
North Signal is built data-minimal: it processes brand, competitor, and prompt data — business information, not personal data. No accounts, no behavioral tracking, no profiling of natural persons. Data-subject rights are implemented as product capabilities: full machine-readable export (Art. 20 portability, and the access right under Art. 15), permanent project deletion (Art. 17 erasure), in-place editing (Art. 16 rectification), and a configurable raw-response retention window (Art. 5(1)(e) storage limitation). Lawful basis for the operator's processing is legitimate interest in measuring the brand's own visibility.
ePrivacy (EU cookie rules)
Cookies & terminal-equipment storage
North Signal sets no cookies and runs no analytics or advertising trackers. The only browser storage used is a single localStorage key for your light/dark theme choice — strictly necessary for a function you explicitly requested, which is exempt from consent. That is why there is no cookie banner: there is nothing to consent to.
PIPEDA & Québec Law 25 (Canada)
Personal information in commercial activity
Same data-minimal posture. Consent-by-design: the only data leaving your machine is what you deliberately submit for analysis. Export and deletion satisfy the access and withdrawal principles; Law 25's transparency requirement is met by the processor disclosure below.
CCPA / CPRA (California)
Sale/sharing of personal information
North Signal does not sell or share personal information, and collects none from consumers. No 'Do Not Sell or Share' link is required because the practice it governs does not occur. Deletion and access rights are met by the same product capabilities.
LGPD (Brazil) & other GDPR-style laws
General data-protection regimes (LGPD, POPIA, Australian APPs, PDPA…)
The GDPR-grade controls above (minimization, purpose limitation, export, erasure, retention) meet or exceed the requirements of GDPR-derived regimes. Operators deploying in a specific jurisdiction should confirm local registration/notification duties, which are organizational rather than technical.
EU AI Act
Use of AI systems
North Signal is a measurement and analytics tool, not a high-risk AI system under Annex III. It uses general-purpose models via API (Anthropic Claude) for research, extraction, and judging. Transparency obligations are met in-product: AI-generated content (site research prefill, extraction judgments) is labeled as such, and every automated recommendation carries its mechanism and evidence grade so a human can review the basis. No decisions with legal or similarly significant effect on natural persons are made.
Enterprise controls (implemented)
- • Access control — organization accounts with role-based permissions (owner / admin / member / viewer); all data is organization-scoped at the query layer.
- • Single sign-on — standard OIDC with PKCE against any enterprise IdP (Okta, Microsoft Entra, Google Workspace, Auth0), with just-in-time provisioning.
- • Audit trail — an append-only log of every consequential action (who, what, when), visible to admins in Settings.
- • Credential hygiene — passwords stored as salted scrypt hashes; API keys stored as SHA-256 hashes and shown exactly once; sessions are httpOnly cookies with server-side expiry.
Honest scope note
The technical enterprise controls above are implemented. Offering North Signal as a hosted multi-tenant service still adds organizational duties the code alone cannot satisfy: signed DPAs with subprocessors (Anthropic, SerpApi, hosting), a subprocessor register, records of processing, a breach-notification process (72h under GDPR), transfer mechanisms (SCCs/DPF) for EU→US flows, a designated privacy contact or DPO where required, and a SOC 2 Type II audit — the audit trail, RBAC, and key-hygiene controls here are the evidence that audit would examine, but the attestation itself is an external process. Stating that plainly is part of the posture.