Skip to content

Privacy Policy

Last updated: July 9, 2026

Plain-English summary

  • We collect your email, filter preferences, and billing details from Stripe.
  • We never sell or rent your data.
  • We never share your filter or behavior with anyone.
  • If you use the optional enrichment or Scout lead-finding tools, the business-contact details you look up (decision-maker names, work emails, phones) are saved in your account, scoped to you and never shared with other subscribers. You bring your own Apollo/Hunter API keys for this.
  • You can export, edit, or delete your data at any time by emailing info@protexaservices.com.
  • We use Supabase (database), Stripe (payments), Resend (email), Vercel (hosting), Anthropic (AI), and - only if you enable enrichment or Scout - Apollo.io and Hunter.io (business-contact data). All are named below.

1. Who we are

NewBusinessSignal is operated by Protexa Property Services (1338 Wellington St. W., Ottawa, Ontario, Canada). We are a Canadian organization and the "controller" responsible for your personal information under PIPEDA (Canada), CCPA / CPRA (California subscribers), and the GDPR (EU subscribers, if any).

2. What we collect

From you directly:

  • Your email address (to send you the business-formation digest).
  • Your password, stored as a one-way bcrypt hash (we never see your plaintext password).
  • Your filter preferences (state, entity types, counties, NAICS keyword) and daily digest cadence.
  • Your plan and billing status.
  • (Optional) Your Apollo.io API key, stored AES-256-GCM encrypted at rest. Only present if you configure Apollo enrichment in Settings.
  • (Optional) Your company profile and sender identity: company name, website URL, value proposition, ideal-customer description, sender name, sender role, and booking link. Stored as plain text and used solely to draft cold-outreach email templates when you click “Generate email” on a filing.
  • (Optional) Additional outreach notes: free-text tone / style guidance for the email generator.
  • The cached enrichment data + email drafts we generate for filings you act on. Stored per-subscriber; never shared across subscribers.
  • (Optional) Business-contact records you retrieve through Scout or filing enrichment: contact name, job title, work email, phone, LinkedIn URL, and company details (name, domain, industry, size, location). Retrieved from Apollo.io and Hunter.io using the API keys you connect, stored in your account, scoped to you and never shared across subscribers.

From Stripe (our payment processor):

  • A Stripe customer ID and subscription ID (never your card number - Stripe holds that).
  • Billing address and tax ID if you provide them at checkout.

Automatically, via server logs:

  • IP address (hashed before we persist it for rate-limiting and abuse defense).
  • Timestamps of signup, digest sends, and link clicks.
  • Email delivery events from Resend (delivered, opened, bounced, unsubscribed).

The business filings we surface in your digest are public records published by each state's Secretary of State, and we do not add personal contact information to the digest itself. Separately, if you choose to use filing enrichment or the Scout lead-finder, we retrieve and store business-contact details (decision-maker names, work emails, phones, LinkedIn) from Apollo.io and Hunter.io using the API keys you connect. That data is collected only on searches you run, is scoped to your account, and is never shared with other subscribers.

3. Why we collect it

  • Service delivery (legal basis: contract): sending you the digests you subscribed for.
  • Billing (legal basis: contract): processing payments via Stripe.
  • Account access (legal basis: contract): password authentication and magic-link account management.
  • Abuse prevention (legal basis: legitimate interest): rate-limiting signup attempts.
  • Legal compliance (legal basis: legal obligation): CASL / CAN-SPAM unsubscribe processing; financial records.

4. Who we share with

We share only what's necessary with these service providers, each bound by their own privacy commitments:

  • Supabase (database + storage): your subscriber record, filter, and subscription status.
  • Stripe (billing): your payment details.
  • Resend (email delivery): your email address and the digest content we send you.
  • Vercel (hosting): standard server logs of requests you make to newbusinesssignal.com.
  • Anthropic (AI): public business-formation filing text (state Secretary of State data) for industry classification, and (when you click “Generate email” on a filing) the filing data plus the outreach context you saved in Settings for cold-email drafting. Your password, billing details, and IP address are never sent to Anthropic.
  • Upstash (rate limiting): hashed IP and email keys only, no plaintext PII.
  • PostHog (product analytics): pageview and interaction events tied to a pseudonymous device ID, used to understand and improve the product. We redact sensitive URL parameters (reset tokens, one-time links) before they reach PostHog and do not send your password or billing details.
  • Google (optional, opt-in - only if you connect a Gmail account): see the dedicated Google user data section below.
  • Apollo.io (optional, opt-in subprocessor): triggered when you add your own Apollo API key in Settings and then either click “Enrich” on a specific filing or run a search in Scout. For enrichment we send the business name + city; for Scout we send the search criteria you enter (such as job title, industry, location, and company size) and, when you choose to reveal a contact, that person's Apollo identifier. Apollo returns contact records that we cache in your account. We never send Apollo your password, your filter, or any other subscriber data. Your Apollo key is stored AES-256-GCM encrypted at rest; we do not transmit it anywhere except to Apollo on calls you initiate. Remove the integration at any time from Settings.
  • Hunter.io (optional, opt-in subprocessor): used only as an email fallback in Scout, when you have connected your own Hunter API key and Apollo did not return an email for a contact you revealed. We send that person's first name, last name, and company domain to Hunter to look up their work email. We never send Hunter your password, filter, or other subscriber data. Your Hunter key is stored AES-256-GCM encrypted at rest. Remove the integration at any time from Settings.

We do not sell, rent, or share your data for advertising. We do not use advertising trackers (Meta Pixel, Google Analytics ad products, etc.).

Google user data (Gmail integration)

Connecting a Gmail account is optional and powers our inbox and outreach-sequence features. If you do not connect Gmail, none of this applies to you. When you do connect it, you grant access through Google's standard OAuth consent screen, and you can revoke that access at any time from your Google Account security settings or from our Settings page.

  • What we access: with your permission, the Gmail scopes needed to read message metadata and content for the inbox view and to send messages on your behalf for outreach sequences. We request the minimum scopes required for these features.
  • How we use it: solely to provide the inbox and sequence features you enabled - showing your relevant threads inside NewBusinessSignal and sending the emails you compose or approve. We do not use Gmail data for advertising, we do not sell it, and we do not use it to train any generalized AI/ML models.
  • How we store it: your Google OAuth access and refresh tokens are encrypted at rest (AES-256-GCM). Message data is synced only as needed to render your inbox and is scoped to your account; it is never shared with other subscribers.
  • Sharing: we do not transfer Google user data to third parties except as necessary to provide the feature, for security, or to comply with applicable law.
  • Retention and deletion: when you disconnect Gmail or delete your account, we delete the stored Google tokens and synced message data associated with your account.

NewBusinessSignal's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5. Where your data lives

Your subscriber record lives in a Supabase Postgres database hosted in a North American region. Emails are sent via Resend (US infrastructure). If you're outside Canada or the US, your data may cross borders as a result. We rely on standard contractual commitments from these providers (SCCs where applicable) for cross-border transfer.

6. How long we keep it

  • Active subscribers: as long as you're subscribed, plus 1 year after you cancel (for billing records and refund disputes).
  • Unsubscribed: we stop sending immediately. We retain the record of your unsubscribe (required by CASL / CAN-SPAM) for 3 years.
  • Server logs: 30 days.
  • Stripe webhook events and server-error rows: 90 days.

7. Your rights

Depending on your jurisdiction, you have the right to:

  • Access what we hold on you (PIPEDA, CCPA, GDPR).
  • Correct any information you think is wrong (PIPEDA, CCPA, GDPR).
  • Delete your subscriber record (subject to the retention minimums above for billing and anti-spam law).
  • Withdraw consent - the unsubscribe link in every email does this with one click.
  • Opt out of sale or sharing for advertising (CCPA) - we never sell or share for advertising, so this is already in effect by default.
  • Portability - we'll provide a JSON export of your subscriber record on request.
  • Complain to a privacy regulator: the Office of the Privacy Commissioner of Canada (PIPEDA), the California Privacy Protection Agency (CCPA), or your local data protection authority (GDPR).

To exercise any of these, email info@protexaservices.com. We respond within 30 days (or 45 days for CCPA / GDPR requests).

8. Cookies

newbusinesssignal.com uses essential cookies (HttpOnly session cookie, CSRF token) and PostHog product analytics. PostHog stores an identifier in a cookie and in localStorage and automatically captures page views, page leaves, and on-page interactions so we can understand how the product is used. We do not use advertising cookies.

9. Security

We use HTTPS everywhere, encrypted database storage, bcrypt for password hashing, HMAC-signed short-lived magic-link tokens for account access, signed Stripe webhook verification, and least-privilege service accounts. We don't store your payment card number.

10. Children

NewBusinessSignal is a B2B service for adults. We do not knowingly collect personal information from children under 16. If you believe we have, email us and we will delete it.

11. Changes to this Policy

Material changes will be announced by email at least 14 days in advance.

12. Contact

Privacy questions, access requests, deletion requests: info@protexaservices.com.