Privacy Policy

Overview

SignedApproval is operated by Floyd Media LLC. This policy explains what data we collect when you use the SignedApproval web app at signedapproval.net and the SignedApproval iOS app. We collect the minimum data needed to operate the service. We do not sell your data to anyone, ever.

Data we collect

• ✓Email address — collected via Google OAuth at sign-up. Used to identify your account and send essential service notifications. Never used for marketing.
• ✓Approval request content — the action description submitted by an AI agent or developer when requesting your approval. Stored so you can review and act on the request.
• ✓Decision audit log — a record of every approval or rejection you make, including the Ed25519-signed credential, authentication method used, and timestamp. Retained for 90 days, then permanently deleted. Pro accounts retain for 90 days as well.
• ✓Push notification token — your APNs device token, stored only to deliver approval notifications to your iPhone. Deleted when you remove the device or close your account.
• ✓Authentication credentials — encrypted TOTP secrets and passkey public keys. Stored in our database, encrypted with AES-256-GCM at rest. Your private keys never leave your device in plaintext.

Google OAuth data

We request your Google email address and basic profile information solely to authenticate you. We do not access your Google Drive, Gmail, contacts, or any other Google services. We do not store your Google profile photo or full name beyond the initial sign-in session.

What we do not collect

SignedApproval does not access or store your Dropbox files, Google Drive files, or any cloud storage contents. If you use Clevername (our parent platform) and have connected cloud storage there, that data is governed by Clevername's privacy policy, not this one. SignedApproval only handles approval requests and decisions.

Data storage

All data is stored in Supabase Postgres hosted in the United States (us-east-1). Connections are encrypted in transit with TLS. Data at rest is encrypted by Supabase's infrastructure and additionally at the application layer for sensitive fields (TOTP secrets, signing keys).

Data retention

• Approval request content and decision audit logs: 90 days from creation, then permanently deleted.
• Push notification tokens: deleted when you remove a device or close your account.
• Authentication credentials (passkeys, TOTP): retained until you remove them or close your account.
• Account data (email, API keys): retained until you request account deletion.

To request deletion of your account and all associated data, email privacy@signedapproval.net.

Verification logs

When a third party verifies a signed approval credential using our public verification endpoint, we log a truncated SHA-256 hash of the verifier's IP address — not the raw IP. This lets us detect abuse without storing identifying network data.

Third parties

We use the following third-party services to operate SignedApproval:

• Supabase — database and authentication infrastructure (US-East)
• Vercel — web hosting and edge delivery
• Apple APNs — push notification delivery to iOS devices
• Cloudflare Turnstile — bot protection on registration
• Upstash Redis — ephemeral rate limiting and challenge storage

We do not sell, rent, or share your personal data with any third party for advertising or marketing purposes.

Contact

Privacy questions or deletion requests: privacy@signedapproval.net