Privacy Policy

FeatureSignals is committed to protecting your privacy. This policy explains what data we collect, how we process it, where we store it, and what rights you have over your data. We comply with GDPR, CCPA, and other applicable data protection frameworks.

Info

This is a summary of our privacy practices. For the full legal privacy policy, visit featuresignals.com/privacy-policy.

Data We Collect

FeatureSignals collects only the data necessary to provide the feature flag service. We do not sell data, and we never use customer data for purposes beyond delivering and improving the service.

Account Data

Email address (required for login)
Name (optional, for display)
Organization name
Role and team membership
Authentication method (SSO, password)

Service Data

Feature flag keys, names, and descriptions
Targeting rules and segment definitions
Evaluation events (flag key + user key + result)
Audit log entries (who changed what and when)
API key metadata (name, type, environment scope)

Usage Data

API request metadata (endpoint, latency, status)
SDK version and language
Aggregated evaluation counts
Dashboard page views and feature usage
Error and crash reports (anonymized)

What We Don't Collect

User targeting attributes beyond what you configure
End-user personal data (PII) in evaluation context
Browser fingerprints or device IDs
Payment card details (handled by Stripe)
Third-party tracking data for advertising

How We Process Data

All data processing is tied to providing the feature flag service:

Evaluation processing — Flag evaluation context (user key, custom attributes) is processed in-memory during flag resolution and is not persisted beyond the evaluation event record.
Flag management — Flag configurations, targeting rules, and segments are stored in PostgreSQL and cached in Redis for performance.
Audit logging — All mutations to flags, segments, and environments are recorded in an immutable audit log. Audit entries are retained per your data retention settings.
Analytics — Aggregated, anonymized usage analytics help us improve the product. Individual evaluation data is never used for analytics.

Data Storage & Transfer

Primary storage: Data is stored in the cloud region you select during onboarding (EU, US, or APAC). For Dedicated Cloud, data stays within your own cloud account.
Encryption at rest: All data at rest is encrypted with AES-256. Database volumes, backups, and object storage all use encryption by default.
Encryption in transit: All connections use TLS 1.3. HTTP is redirected to HTTPS. HSTS is enforced with a 1-year max-age.
Cross-border transfers: For customers on our EU infrastructure, data does not leave the EU. We maintain Data Privacy Framework (DPF) certification for EU-U.S. data transfers where applicable.

Your Data Rights

Depending on your jurisdiction, you have the following rights over your data:

Right	Description	How to Exercise
Access	Request a copy of your personal data.	Email privacy@featuresignals.com
Rectification	Correct inaccurate or incomplete data.	Update in FlagEngine settings or contact support
Erasure	Request deletion of your personal data.	Email privacy@featuresignals.com with specifics
Portability	Receive your data in a machine-readable format.	Export via FlagEngine or API; email for custom exports
Objection	Object to certain types of processing.	Email privacy@featuresignals.com with your objection

Compliance Commitments

GDPR — We act as a data processor for customer data. Our DPA includes Standard Contractual Clauses (SCCs) for international transfers.
CCPA/CPRA — We do not sell personal information. California residents may exercise their rights under CCPA by contacting us.
SOC 2 — We maintain SOC 2 Type II compliance. Our latest report is available to Enterprise customers under NDA.
ISO 27001 — Our Information Security Management System (ISMS) is aligned with ISO 27001. Certification is on our roadmap.