Privacy Policy
Effective date: March 21, 2026 · Last updated: March 21, 2026
The Compliance Signal is a regulatory intelligence service for healthtech compliance teams. We sell clarity, not data. This policy explains exactly what we collect, where it goes, how long we keep it, and what you can do about it. We wrote it to be read, not skimmed.
1. Who we are
The Compliance Signal is a US-based regulatory intelligence service. Our product domain is compliancesignal.io. Our newsletter is delivered via a third-party email delivery platform. Payments are processed by Stripe.
For any privacy-related question, contact:
The Compliance Signal
We respond to all privacy inquiries within 5 business days.
2. What we collect
Information you provide directly
- Email address — when you subscribe via our landing page. This is the only field required to subscribe.
- Company name and job title — only if you provide them voluntarily (e.g., in correspondence or during a paid upgrade).
- Payment information — processed entirely by Stripe. We never see, store, or have access to your credit card number, bank account, or payment credentials. Stripe provides us with a transaction confirmation and the last four digits of your card for support purposes only.
Information collected automatically
- Email engagement data — our email delivery platform records whether you opened an email and which links you clicked. This is standard newsletter infrastructure and helps us understand which content is useful. We do not build behavioral profiles from this data.
- No website analytics — we do not run Google Analytics, tracking pixels, or any third-party analytics on our landing page. We do not use cookies for tracking. We do not fingerprint your browser.
Information we do not collect
- We do not collect IP addresses for tracking purposes
- We do not use cookies (no cookie banner because there are no cookies)
- We do not purchase data from third-party brokers
- We do not collect device identifiers, location data, or browsing history
3. How we use your information
Your email address is used for exactly three purposes:
- Delivering the newsletter you subscribed to (weekly digest and breaking alerts)
- Sending transactional emails related to your subscription (confirmation, payment receipts via Stripe, cancellation confirmation)
- Responding to emails you send us
That's it. We do not use your email for unsolicited marketing. We do not sell, rent, share, or disclose your email address to any third party for their marketing purposes. We never have. We never will.
4. AI systems and your data
The Compliance Signal uses AI systems to research and draft regulatory analysis from public sources — government documents, regulatory filings, law firm publications. This is disclosed on our website and in every issue.
Your personal information is not sent to AI systems. Our AI workflows process publicly available regulatory documents. Subscriber email addresses, names, payment information, and engagement data are never included in AI processing requests. The AI reads the Federal Register. It does not read your inbox or your subscriber record.
5. Data processors
We use a limited number of third-party services to operate. Each processes only the minimum data necessary for its function:
| Service | Purpose | Data accessed |
|---|---|---|
| Email delivery platform | Newsletter delivery | Email address, open/click data |
| Stripe | Payment processing | Payment info (card, billing address) — we never see full card numbers |
| Private database | Operational records | Email address, subscription status |
We do not use advertising networks, data enrichment platforms, or behavioral analytics services. Our vendor list is short because our data practices are simple.
6. Data retention
Active subscribers: Your data is retained for the duration of your subscription plus 30 days after cancellation or unsubscription.
After unsubscription: Our email delivery platform removes you from all mailing lists immediately upon unsubscription. Your email address is purged from our operational database within 30 days. Stripe retains transaction records as required for financial compliance and tax reporting — this is a legal requirement and not within our control to override.
Correspondence: If you email us directly, we retain that correspondence for as long as it's relevant to an ongoing support issue, then delete it.
We do not retain data indefinitely. We do not archive subscriber data for future marketing. When we say deleted, we mean deleted — not "anonymized" or "aggregated."
7. Your rights
Regardless of where you live, we honor the following:
- Access — request a copy of all personal data we hold about you
- Correction — request correction of inaccurate data
- Deletion — request deletion of your personal data (we will confirm completion)
- Portability — request your data in a structured, machine-readable format
- Unsubscribe — one-click unsubscribe in every email, effective immediately
To exercise any of these rights, email hello@compliancesignal.io. We will respond within 5 business days and complete your request within 30 days. We do not require you to verify your identity beyond confirming the email address associated with your subscription.
8. California residents
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have additional rights including the right to know what personal information is collected, the right to delete, and the right to opt out of the sale of personal information.
We do not sell personal information. We have never sold personal information. There is no "Do Not Sell" opt-out because there is nothing to opt out of.
Under CalOPPA, we disclose: this policy is accessible from our homepage, it includes an effective date, we describe how we notify users of changes (see Section 12), and we describe how users can request changes to their personal information (see Section 7).
9. European Economic Area, UK, and international users
If you are located in the EEA or UK, our lawful basis for processing your email address is consent — you actively subscribed. For payment processing, the lawful basis is contractual necessity.
Your data is processed in the United States. Our third-party processors maintain their own data processing agreements and compliance frameworks. If you have concerns about cross-border data transfer, contact us and we will provide specific details about the safeguards in place.
You have the right to lodge a complaint with your local data protection authority. We'd prefer you contact us first so we can resolve your concern directly.
10. Data security
We implement the following security measures to protect your data:
- All data transmitted to and from our services is encrypted in transit (TLS/HTTPS)
- Database access is restricted through row-level security policies
- Administrative interfaces are not publicly exposed
- We conduct periodic security reviews of our infrastructure
No system is perfectly secure. If we ever discover a breach that affects your personal data, we will notify you by email within 72 hours with a clear description of what happened, what data was affected, and what we are doing about it.
11. Children's privacy
The Compliance Signal is a B2B regulatory intelligence service. It is not directed at anyone under 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected data from a minor, contact us immediately and we will delete it.
12. Changes to this policy
If we make material changes to this policy, we will notify you by email before the changes take effect. Minor clarifications and formatting updates may be made without notice, but the effective date at the top of this page will always reflect the latest revision.
We will never retroactively weaken this policy. If future changes expand data collection or introduce new processors, you will be informed and given the opportunity to unsubscribe before those changes apply to your data.
13. What this policy does not cover
This policy covers data collected through The Compliance Signal's subscription service and website. It does not cover:
- Third-party websites linked in our newsletter content (regulatory agency sites, law firm publications, etc.)
- Stripe's independent data practices (see Stripe's Privacy Policy)
- Our email delivery platform's independent data practices
Questions?
This policy is meant to be read and understood, not buried. If anything is unclear, email hello@compliancesignal.io and ask. We'll answer plainly.