Privacy Policy
Last updated: June 11, 2026
Plain-English summary
- We collect your email, filter preferences, and billing details from Stripe. That's it.
- We never sell or rent your data.
- We never share your filter or behavior with anyone.
- You can export, edit, or delete your data at any time by emailing info@protexaservices.com.
- We use Supabase (database), Stripe (payments), Resend (email), Vercel (hosting), and Anthropic (AI classification of public filings). All are named below.
1. Who we are
NewBusinessSignal is operated by Protexa Property Services (1338 Wellington St. W., Ottawa, Ontario, Canada). We are a Canadian organization and the "controller" responsible for your personal information under PIPEDA (Canada), CCPA / CPRA (California subscribers), and the GDPR (EU subscribers, if any).
2. What we collect
From you directly:
- Your email address (to send you the business-formation digest).
- Your password, stored as a one-way bcrypt hash (we never see your plaintext password).
- Your filter preferences (state, entity types, counties, NAICS keyword) and cadence (weekly or daily).
- Your plan tier (Starter or Pro).
- (Optional) Your Apollo.io API key, stored AES-256-GCM encrypted at rest. Only present if you configure Apollo enrichment in Settings.
- (Optional) Your company profile and sender identity: company name, website URL, value proposition, ideal-customer description, sender name, sender role, and booking link. Stored as plain text and used solely to draft cold-outreach email templates when you click “Generate email” on a filing.
- (Optional) Additional outreach notes: free-text tone / style guidance for the email generator.
- The cached enrichment data and email drafts we generate for filings you act on. Stored per-subscriber; never shared across subscribers.
From Stripe (our payment processor):
- A Stripe customer ID and subscription ID (never your card number - Stripe holds that).
- Billing address and tax ID if you provide them at checkout.
Automatically, via server logs:
- IP address (hashed before we persist it for rate-limiting and abuse defense).
- Timestamps of signup, digest sends, and link clicks.
- Email delivery events from Resend (delivered, opened, bounced, unsubscribed).
We do not collect data about the businesses we surface in your digest. Those filings are public records published by each state's Secretary of State. We don't enrich them with personal contact information, owner names, or other PII beyond what the state already publishes.
3. Why we collect it
- Service delivery (legal basis: contract): sending you the digests you subscribed to.
- Billing (legal basis: contract): processing payments via Stripe.
- Account access (legal basis: contract): password authentication and magic-link account management.
- Abuse prevention (legal basis: legitimate interest): rate-limiting signup attempts.
- Legal compliance (legal basis: legal obligation): CASL / CAN-SPAM unsubscribe processing; financial records.
4. Who we share with
We share only what's necessary with these service providers, each bound by their own privacy commitments:
- Supabase (database + storage): your subscriber record, filter, and subscription status.
- Stripe (billing): your payment details.
- Resend (email delivery): your email address and the digest content we send you.
- Vercel (hosting): standard server logs of requests you make to newbusinesssignal.com.
- Anthropic (AI): public business-formation filing text (state Secretary of State data) for industry classification, and (when you click “Generate email” on a filing) the filing data plus the outreach context you saved in Settings for cold-email drafting. Your password, billing details, and IP address are never sent to Anthropic.
- Upstash (rate limiting): hashed IP and email keys only, no plaintext PII.
- Apollo.io (optional, opt-in subprocessor): only triggered when you (a) add your own Apollo API key in Settings and (b) click “Enrich” on a specific filing. We send the business name + city to Apollo using your key and receive back contact records that we cache in your account. We never send Apollo your password, your filter, or any other subscriber data. Your Apollo key is stored AES-256-GCM encrypted at rest; we do not transmit it anywhere except to Apollo on calls you initiate. Remove the integration at any time from Settings.
We do not sell, rent, or share your data for advertising. We do not use third-party trackers (Meta Pixel, Google Analytics, etc.).
5. Where your data lives
Your subscriber record lives in a Supabase Postgres database hosted in a North American region. Emails are sent via Resend (US infrastructure). If you're outside Canada or the US, your data may cross borders as a result. We rely on standard contractual commitments from these providers (SCCs where applicable) for cross-border transfer.
6. How long we keep it
- Active subscribers: as long as you're subscribed, plus 1 year after you cancel (for billing records and refund disputes).
- Unsubscribed: we stop sending immediately. We retain the record of your unsubscribe (required by CASL / CAN-SPAM) for 3 years.
- Server logs: 30 days.
- Stripe webhook events and server-error rows: 90 days.
7. Your rights
Depending on your jurisdiction, you have the right to:
- Access what we hold on you (PIPEDA, CCPA, GDPR).
- Correct any information you think is wrong (PIPEDA, CCPA, GDPR).
- Delete your subscriber record (subject to the retention minimums above for billing and anti-spam law).
- Withdraw consent - the unsubscribe link in every email does this with one click.
- Opt out of sale or sharing for advertising (CCPA) - we never sell or share for advertising, so this is already in effect by default.
- Portability - we'll provide a JSON export of your subscriber record on request.
- Complain to a privacy regulator: the Office of the Privacy Commissioner of Canada (PIPEDA), the California Privacy Protection Agency (CCPA), or your local data protection authority (GDPR).
To exercise any of these, email info@protexaservices.com. We respond within 30 days (or 45 days for CCPA / GDPR requests).
8. Cookies
newbusinesssignal.com uses essential cookies (HttpOnly session cookie, CSRF token) and PostHog product analytics. PostHog stores an identifier in a cookie and in localStorage and automatically captures page views, page leaves, and on-page interactions so we can understand how the product is used. We do not use advertising cookies.
9. Security
We use HTTPS everywhere, encrypted database storage, bcrypt for password hashing, HMAC-signed short-lived magic-link tokens for account access, signed Stripe webhook verification, and least-privilege service accounts. We don't store your payment card number.
10. Children
NewBusinessSignal is a B2B service for adults. We do not knowingly collect personal information from children under 16. If you believe we have, email us and we will delete it.
11. Changes to this Policy
Material changes will be announced by email at least 14 days in advance.
12. Contact
Privacy questions, access requests, deletion requests: info@protexaservices.com.