Privacy Policy

Last updated: April 15, 2026

1. Who We Are

Signal shoot is a feedback management service operated from Japan. This policy describes how we collect, use, and protect information in connection with our Service.

2. Information We Collect

Account Information

When you sign up, we collect:

Name and email address (from your GitHub account)
Profile picture URL
OAuth provider ID

Feedback Data

When your app sends feedback through our API, we receive:

Feedback message content
Feedback type, channel, and metadata you choose to send
Optional end-user identifiers (user_id) if you include them
Device and app version information if included in metadata

Important: Feedback data may contain personally identifiable information (PII) from your end users. As the data controller, you are responsible for ensuring appropriate consent and legal basis for collecting this data.

We process feedback content and associated end-user data (such as user_id and metadata) solely for the purpose of providing the Service to you and on your behalf as a data processor. We do not use this data for advertising, profiling, or other independent commercial purposes. Access to this data is limited to the circumstances described in Section 4.

Usage Data

We automatically collect:

API request logs (IP address, timestamp, endpoint)
Dashboard usage patterns (pages visited, features used)
Error logs via Cloudflare analytics

3. How We Use Information

To provide and maintain the Service
To authenticate your identity
To process feedback data on your behalf
To send service-related communications
To monitor and improve service reliability
To enforce our Terms of Service

We do not sell your data. We do not use feedback data for advertising or profiling.

4. Data Storage and Security

Data is stored on Cloudflare's global infrastructure (D1 database).
We do not currently offer customer-selectable data residency or region pinning.
All data is encrypted in transit (TLS) and at rest.
API keys are hashed before storage.
Sessions use cryptographically secure tokens.
Data is stored on Cloudflare D1 with platform-managed backups.
When you use inline translation, the selected feedback text is processed on Cloudflare infrastructure.

Signal shoot does not provide an operator-facing interface for browsing feedback content or associated end-user data across customer accounts. Access to this data is restricted to limited operational needs, such as maintaining the Service, investigating abuse or security incidents, complying with legal obligations, or providing support you request.

5. Data Retention

Data Type	Retention Period
Feedback data (Free plan)	6 months (feedbacks older than 6 months are automatically deleted)
Feedback data (Pro / Infinite plan)	Retained indefinitely
Account data	While your account is active
Billing records	Retained by Stripe per their data retention policy

You can delete your account from the Account page. Deletion is immediate — all Signal shoot data (feedback, replies, tags, action items, sessions, developer profile) is permanently removed. Infrastructure backups (managed by Cloudflare) may retain data for a short period, but this is not used as a recovery mechanism.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

Access: Request a copy of your data.
Rectification: Correct inaccurate data.
Deletion: Request deletion of your data.
Portability: Export your data in a machine-readable format (JSON/CSV).
Objection: Object to certain processing activities.

To exercise these rights, contact us at yu.development.vtoz+signalshoot@gmail.com.

GDPR (European Union)

If you are in the EU/EEA, our lawful basis for processing is contract performance (providing the Service you signed up for) and legitimate interest (improving our Service). For feedback data containing end-user PII, you as the data controller must ensure appropriate legal basis.

CCPA (California)

We do not sell personal information. California residents may request disclosure of what information we collect and request its deletion.

APPI (Japan)

We comply with Japan's Act on the Protection of Personal Information. Personal data may be processed on servers outside Japan (Cloudflare's global network). We handle personal information with appropriate security measures as required by APPI.

7. Third-Party Services

We use the following third-party services that may process your data:

Service	Purpose	Data Processed	Server Location
Cloudflare	Hosting, D1 database, CDN, Workers AI translation (see section 7.1 below)	All service data; feedback message body only for translation	Global (incl. US)
Stripe	Payment processing	Billing information (card data is not stored on our servers)	US
GitHub	OAuth authentication	Name, email, avatar URL	US

7.1 Inline translation (Cloudflare Workers AI)

The dashboard's feedback detail page offers an on-demand "Translate" button that sends the selected feedback message body to Cloudflare Workers AI (model @cf/meta/m2m100-1.2b) for machine translation. This feature is opt-in per browser tab — a consent dialog is shown the first time you use it in a session and must be acknowledged before any data leaves the dashboard.

What is sent: only the feedback message body. user_id, metadata, reviewer name, email, and developer account details are not forwarded.
Caching: translated results are not stored by Signal shoot. Each click triggers a fresh API call, so you always see the current model output.
Retention by Cloudflare: subject to Cloudflare Workers AI terms. Signal shoot does not control Cloudflare's own processing or retention of inference inputs.
End-user PII: because the message body is end-user free-form text, it may contain personal data. Operators choosing to translate should consider this before clicking.
Scope: translation is never invoked automatically. It only runs on explicit button clicks after consent.

8. Cookies and Local Storage

We use essential cookies and browser storage only:

Name	Type	Purpose	Duration
fh_session	Cookie (HttpOnly, Secure)	Authentication session	30 days
fh-app-id	Cookie + LocalStorage	Selected app ID	Cookie: 1 year / LS: no expiry
fh-locale	LocalStorage	Language preference	No expiry
fh-theme	LocalStorage	Theme preference	No expiry
fh-translate-consent-v1	SessionStorage	Tab-scoped acknowledgment of the Cloudflare Workers AI translation notice (see section 7.1)	Until the tab is closed

We do not use advertising or tracking cookies.

9. Data Breach Notification

Account data (we are the controller)

In the event of a personal data breach involving account information we control, we will comply with Japan's Act on the Protection of Personal Information (as amended in 2022):

We will report to the Personal Information Protection Commission (PPC) within 3–5 days (preliminary report) and within 30 days (full report), or within 60 days if unauthorized access is suspected.
We will notify affected individuals of the nature of the breach, the data involved, the cause, and the measures taken.

Feedback data (you are the controller)

For feedback data where you are the data controller and we act as processor, we will promptly notify you of any breach or suspected breach and cooperate with your investigation and response. Notification to your end users is your responsibility as the data controller. We will provide reasonable technical assistance within our capability.

10. Disclaimer

We are not liable for:

Inappropriate collection or use of end-user personal information by you as the data controller.
Data breaches caused by your failure to secure your account credentials or API keys.
Data loss or breach caused by force majeure events, including natural disasters, cyberattacks, or infrastructure failures beyond our reasonable control.

11. Children

The Service is not intended for use by anyone under 18 years of age.

12. Changes

We may update this policy from time to time. Material changes will be communicated via email or dashboard notification at least 30 days before taking effect.

13. Contact

For privacy-related questions, contact us at yu.development.vtoz+signalshoot@gmail.com.