FeatureSignals

Privacy Policy

Last updated: January 15, 2026

1. Introduction & Scope

This Privacy Policy describes how Vivekananda Technology Labs, a proprietorship firm with its registered office at Plot no 308, L5-Block, LIG, Chitrapuri Colony, Manikonda, Hyderabad, Telangana — 500104, India, operating under the trade name “FeatureSignals” (“we,” “us,” or “our”), collects, uses, stores, discloses, and protects personal data when you access our website at https://featuresignals.com (the “Website”) or use our feature flag management platform, including APIs, SDKs, dashboard, documentation, and related services (collectively, the “Platform”).

This policy applies to all Users of the Platform, including account holders, team members, API consumers, SDK integrators, website visitors, and end-users whose data may be processed through the Platform's feature flag evaluation engine (“End Users”). It describes your privacy rights under applicable data protection laws, including:

  • The Digital Personal Data Protection Act, 2023 (DPDP Act) of India;
  • The Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011;
  • The General Data Protection Regulation(GDPR) — Regulation (EU) 2016/679, for Users and End Users in the European Economic Area (EEA) and the United Kingdom;
  • The California Consumer Privacy Act (CCPA), as amended by the CPRA, for Users in California, United States; and
  • Other applicable data protection laws in jurisdictions where we operate or where our Users or End Users are located.

By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, please discontinue use of the Platform immediately.

2. Data Controller Identity

For the purposes of the GDPR, DPDP Act, and other applicable data protection laws, the data controller responsible for your personal data is:

Vivekananda Technology Labs
(Trading as: FeatureSignals)
Registered Office: Plot no 308, L5-Block, LIG, Chitrapuri Colony, Manikonda, Hyderabad, Telangana — 500104, India
Email: privacy@featuresignals.com
Website: https://featuresignals.com

Where you are an End User of a FeatureSignals customer (an “Organization”), that Organization acts as the data controller, and we act as a data processor on their behalf. This policy primarily addresses our role as a data controller. If you are an End User, please refer to the privacy policy of the Organization that uses FeatureSignals for information about how they process your data.

3. Information We Collect

3.1 Account & Registration Data. When you create an account, subscribe to a plan, or interact with our sales or support teams, we collect:

  • Full name and display name;
  • Email address (used as primary account identifier);
  • Organization name and industry;
  • Password (hashed with bcrypt — we never store plaintext passwords);
  • Profile picture (optional, if provided via third-party SSO);
  • Job title or role (optional);
  • Phone number (optional, for Enterprise sales and support);
  • Billing address, GSTIN/VAT ID (if applicable), and tax identification information;
  • Preferred language and timezone for dashboard customization.

3.2 Feature Flag Configuration Data. When you use the Platform, we store the configuration data you create, including:

  • Feature flag keys, names, descriptions, and tags;
  • Flag targeting rules and variations;
  • Environment configurations (development, staging, production);
  • Segment definitions and user targeting attributes;
  • Rollout percentages and scheduling rules;
  • Webhook and integration configurations;
  • API key metadata and permission scopes.

3.3 Evaluation Data. When your applications make flag evaluation requests through our APIs or SDKs, we may process:

  • Evaluation context attributes (user IDs, email addresses, custom properties, device identifiers) that you send for flag targeting purposes;
  • The flag key being evaluated and the resulting variation served;
  • Timestamp of evaluation;
  • Evaluation reason (e.g., “targeting match,” “default rule”);
  • SDK version and platform identifier for compatibility analytics.

Evaluation context data is processed in memory during the flag evaluation request and is not persistently stored by default. When evaluation impression tracking is explicitly enabled by you, evaluation data is stored for analytics and debugging purposes according to the retention periods described in Section 8.

3.4 SDK Telemetry Data. Our SDKs may collect minimal, anonymized telemetry data to help us improve the Platform:

  • SDK version and programming language;
  • Aggregated evaluation latency metrics;
  • Error rates and connectivity status;
  • Cache hit/miss ratios for local evaluation optimization.

SDK telemetry does not include your flag keys, targeting rules, or End User data. This collection can be disabled through SDK configuration options. Telemetry is opt-in for self-hosted Community Edition deployments and opt-out for cloud deployments.

3.5 Payment Information. When you subscribe to a paid plan, your payment information (credit/debit card number, UPI ID, net banking credentials, billing address) is collected and processed directly by our third-party payment gateways:

  • PayU Software Private Limited (for India-based customers); and
  • Stripe, Inc. / Stripe Payments Europe Limited (for international customers).

We do not receive, store, or have access to your full payment instrument details. We receive only a payment token, the last four digits of your card number (where applicable), card network, expiry date, and transaction metadata necessary to manage your subscription.

3.6 Support & Communication Data. When you contact our support team, sales team, or interact with us through any communication channel (email, in-app chat, contact forms, social media), we collect:

  • Your name, email address, and any other contact information you provide;
  • The content of your message, inquiry, or support request;
  • Any attachments, screenshots, or logs you share with us;
  • Communication metadata (timestamp, channel, agent assigned);
  • Chat transcripts (for in-app support).

3.7 Website & Dashboard Analytics. When you visit our Website or use the FeatureSignals dashboard, we automatically collect:

  • IP address (truncated/anonymized before storage);
  • Browser type, version, and operating system;
  • Device type (desktop, mobile, tablet) and screen resolution;
  • Referring URL and exit pages;
  • Pages visited, time spent, and interaction events;
  • Language preferences derived from browser settings.

We use first-party analytics only. We do not use third-party tracking cookies, advertising pixels, social media trackers, or cross-site tracking technologies on our Website or dashboard.

4. How We Collect Information

We collect information through the following methods:

4.1 Directly from You. Information you voluntarily provide when you create an account, fill out a form, subscribe to a plan, configure flags, send a support request, respond to a survey, or otherwise communicate with us.

4.2 Automatically via the Platform.Information collected automatically when you interact with the Website, the dashboard, or our APIs, including through server logs, SDK telemetry, and essential session cookies (see Section 13 — Cookie Policy).

4.3 From Third-Party Authentication Providers. If you choose to sign in using a third-party single sign-on (SSO) provider such as Google or GitHub, we receive your name, email address, and profile picture (if available) from that provider, in accordance with their respective privacy policies and your privacy settings with them.

4.4 From Your Applications (SDK/API). When your application code sends evaluation requests to our APIs or evaluates flags using our SDKs, we receive the data described in Section 3.3 (Evaluation Data).

4.5 From Third-Party Integrations.When you connect third-party services to the Platform (e.g., GitHub for AI Janitor, Slack for notifications), we access data from those services as authorized by you, described in Section 3 of our Terms & Conditions.

5. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery & Operation. To create and manage your account, authenticate you, process flag evaluation requests, deliver the dashboard, and provide the core functionality of the Platform.
  • Billing & Subscription Management. To process payments, manage subscriptions, send invoices, handle plan changes, and communicate about billing matters.
  • Customer Support. To respond to your inquiries, troubleshoot technical issues, investigate bugs, and provide technical assistance.
  • Security & Abuse Prevention.To detect, prevent, investigate, and respond to security incidents, fraud, abuse, and violations of our Terms & Conditions. This includes monitoring for unauthorized access, rate limit violations, and malicious activity.
  • Product Improvement (Opt-In Only).To analyze aggregated, anonymized usage patterns to improve the Platform's performance, reliability, and user experience. We will only use your individually identifiable Content or evaluation data for product improvement with your explicit opt-in consent.
  • Communication. To send you service-related communications (account notifications, security alerts, billing reminders, maintenance notices) and, with your consent, marketing communications (product updates, newsletters, event invitations). You may opt out of marketing communications at any time.
  • Legal Compliance.To comply with applicable laws, regulations, legal processes, and governmental requests; to enforce our Terms & Conditions; and to protect our rights, property, and safety.

We do not use your personal data for automated decision-making (including profiling) that produces legal effects or similarly significant effects concerning you.

6. Legal Basis for Processing

Our legal basis for collecting and using your personal data depends on the specific context and applicable law. We rely on the following legal bases:

  • Contractual Necessity.Processing is necessary for the performance of our contract with you (the Terms & Conditions), including creating your account, delivering the Service, processing payments, and providing support.
  • Legitimate Interests. Processing is necessary for our legitimate interests, including: securing and improving the Platform; detecting and preventing fraud, abuse, and security incidents; analyzing aggregated usage trends; and communicating with you about service-related matters. We balance our legitimate interests against your data protection rights.
  • Consent. Where required by law, we obtain your consent before processing your personal data for specific purposes, including: sending marketing communications; using your data for product improvement beyond aggregated analytics; collecting SDK telemetry (where opt-in is required); and placing non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Legal Obligation. Processing is necessary to comply with applicable laws, regulations, court orders, or governmental requests.

7. Data Storage & Region Selection

7.1 Data Regions. We offer data storage in the following regions to help you comply with data residency requirements:

  • India: Data centers located in Mumbai and Hyderabad, India. This is the default region for accounts created from India.
  • European Union: Data centers located in Frankfurt, Germany (EU-west). Available for Pro and Enterprise plans.
  • United States: Data centers located in Northern Virginia (US-east). Available for Pro and Enterprise plans.

Free Tier accounts are hosted in the India region by default. Enterprise plan customers may select their preferred data region during onboarding. Once a data region is selected and data has been written, region migration requires a support-assisted process.

7.2 Infrastructure Providers. Our cloud infrastructure is hosted on industry-standard platforms, including Amazon Web Services (AWS), Google Cloud Platform (GCP), and Cloudflare. We select data center facilities that maintain ISO 27001, SOC 1/2/3, and PCI DSS certifications. A current list of sub-processors is available in Section 9.

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Our retention periods are as follows:

  • Account & Registration Data: Retained for the duration of your account plus thirty (30) days after account termination, after which it is permanently deleted. Billing records and invoices are retained for seven (7) years as required by Indian tax law (Income Tax Act, 1961).
  • Feature Flag Configuration Data: Retained for the duration of your account plus thirty (30) days after termination. You may delete individual flags, environments, or segments at any time, and they will be permanently removed from our systems within thirty (30) days.
  • Evaluation Data (with Impression Tracking Enabled):Retained as follows based on your plan: Free Tier — 7 days; Pro Plan — 90 days; Enterprise Plan — custom retention period as defined in your order form (up to 2 years maximum).
  • Evaluation Data (in-memory processing only): When impression tracking is disabled, evaluation context data is processed ephemerally in memory during the request lifecycle and is not written to persistent storage. Memory is cleared after the evaluation completes.
  • Audit Logs:Retained based on your plan: Free Tier — 7 days; Pro Plan — 90 days; Enterprise Plan — up to 1 year.
  • Support Communications: Retained for three (3) years after the last interaction to maintain continuity of support.
  • Website Analytics Data: IP addresses are anonymized within 24 hours. Aggregated, anonymized analytics data is retained indefinitely.
  • Backups: Routine encrypted backups are retained for up to sixty (60) days as part of our disaster recovery procedures.

After the applicable retention period, personal data is securely deleted using methods such as cryptographic erasure, secure overwriting, or physical destruction, as appropriate.

9. Data Sharing & Third-Party Processors

9.1 We Do Not Sell Your Data. We do not sell, rent, trade, or otherwise disclose your personal data to third parties for monetary consideration. We do not share personal data with advertising networks, data brokers, or any other third party for their own marketing purposes.

9.2 Service Providers & Sub-Processors. We engage the following categories of third-party service providers who process personal data on our behalf and under our instructions:

Sub-ProcessorPurposeData Location
Amazon Web Services (AWS)Cloud infrastructure, compute, storage, and networkingIndia, EU, US (per data region)
Google Cloud Platform (GCP)Cloud infrastructure, object storageIndia, EU, US
Cloudflare, Inc.Content delivery network (CDN), DDoS protection, DNSGlobal edge network
PayU Software Pvt LtdPayment processing (Indian customers)India
Stripe, Inc.Payment processing (International customers)US, EU
Resend, Inc.Transactional email delivery (notifications, password resets, invoices)US (AWS us-east-1)
Intercom, Inc.In-app customer support and engagement platform (optional; used for support chat)US, EU
Sentry (Functional Software, Inc.)Error tracking and application performance monitoringUS

All sub-processors are contractually bound to: (a) process personal data only on our documented instructions; (b) implement appropriate technical and organizational security measures; (c) assist us in responding to data subject requests; (d) notify us of security breaches without undue delay; and (e) delete or return all personal data upon termination of services.

9.3 Legal Disclosure. We may disclose your personal data if required to do so by law, regulation, court order, or a valid governmental request. We will notify you of such disclosure unless prohibited by law.

9.4 Business Transfers. In the event of a merger, acquisition, reorganization, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Platform before your data is transferred and becomes subject to a different privacy policy.

10. International Data Transfers

FeatureSignals is headquartered in India and operates data centers globally. Your personal data may be transferred to, stored, and processed in countries other than your country of residence, including India, the United States, and the European Union.

When we transfer personal data across borders, we ensure that appropriate safeguards are in place in accordance with applicable data protection laws, including:

  • For EEA/UK to Third Countries: European Commission Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, as applicable;
  • For India: Compliance with data localization requirements under the DPDP Act 2023, RBI guidelines for payment data, and other sectoral regulations;
  • Adequacy Decisions: Where the European Commission has recognized a country as providing an adequate level of data protection, we rely on such adequacy decisions;
  • Data Processing Agreements (DPAs): All sub-processors are bound by DPAs incorporating the applicable SCCs and security obligations.

Enterprise customers requiring customized data transfer mechanisms may request a tailored DPA during contracting.

11. Data Security Measures

We implement and maintain appropriate technical, administrative, and organizational measures designed to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

  • Encryption in Transit: All data transmitted between your systems and our Platform is encrypted using TLS 1.3 (minimum TLS 1.2). We enforce HTTPS Strict Transport Security (HSTS) with a minimum max-age of one year and include the includeSubDomains and preload directives.
  • Encryption at Rest: All stored data is encrypted using AES-256. Database volumes, backups, and object storage are encrypted using cloud provider key management services (AWS KMS, GCP Cloud KMS) with automatic key rotation.
  • Password Security: Account passwords are hashed using bcrypt with a high work factor. We never store plaintext passwords. All password reset flows use time-limited, single-use tokens transmitted over TLS.
  • API Key Security: Server-side API keys are hashed using SHA-256 before storage. Raw keys are displayed only once at creation and cannot be retrieved thereafter. Client-side (public) API keys are stored with restricted access scopes.
  • Access Controls: We enforce the principle of least privilege. Infrastructure access requires multi-factor authentication (MFA), is logged, and is audited regularly. Access to production data is restricted to authorized personnel on a need-to-know basis.
  • Network Security: We use Web Application Firewalls (WAF), DDoS protection (Cloudflare), VPC isolation, security groups, and network segmentation to protect our infrastructure.
  • Security Testing: We conduct regular penetration testing by independent third-party security firms, vulnerability scanning, and code security reviews. Identified vulnerabilities are remediated in accordance with our vulnerability management policy.
  • Compliance (Planned / In Progress): We are working toward SOC 2 Type II certification. Our security controls are modeled on ISO 27001 and NIST Cybersecurity Framework standards.
  • Employee Training: All employees and contractors with access to personal data receive mandatory data protection and security awareness training upon onboarding and annually thereafter.
  • Incident Response: We maintain a documented incident response plan that is tested annually through tabletop exercises.

12. Data Subject Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data. We will respond to all valid requests within the timeframes required by applicable law (typically thirty days, extendable by up to sixty days for complex requests under GDPR).

12.1 Right of Access. You have the right to request confirmation of whether we process your personal data and, if so, to obtain a copy of that data along with information about how it is being processed.

12.2 Right of Rectification. You have the right to request correction of inaccurate or incomplete personal data. You may also update your account information directly through your account settings.

12.3 Right of Erasure (“Right to be Forgotten”). You have the right to request deletion of your personal data, subject to certain exceptions (e.g., where retention is required for legal compliance, exercise of legal claims, or public interest purposes). Upon verified request, we will delete your data in accordance with Section 8 of this policy.

12.4 Right to Data Portability. You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV), and to transmit it to another data controller without hindrance, where processing is based on consent or contract and is carried out by automated means.

12.5 Right to Restriction of Processing. You have the right to request restriction of processing of your personal data in certain circumstances, such as where you contest the accuracy of the data or object to processing.

12.6 Right to Object. You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

12.7 Right to Withdraw Consent. Where processing is based on your consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

12.8 Rights Under the DPDP Act 2023. Users in India have the right to: (a) access a summary of personal data processed; (b) request erasure of personal data (subject to legal retention requirements); (c) nominate another individual to exercise rights on your behalf in the event of death or incapacity; and (d) grievance redressal as provided in Section 16.

12.9 Non-Discrimination. We will not discriminate against you for exercising any of your data subject rights, including by denying services, charging different prices, or providing a different quality of service.

To exercise any of these rights, please email privacy@featuresignals.com. We may need to verify your identity before processing your request. If you are an End User of one of our customers, please direct your request to that Organization; we will assist them in fulfilling your request as their data processor.

13. Cookie Policy

13.1 Essential Cookies Only. We use a minimal set of essential (strictly necessary) cookies that are required for the Platform to function:

  • Session Cookies: Temporary cookies that authenticate your session and maintain your logged-in state. These cookies are deleted when you close your browser. They are set by our authentication system and are HttpOnly and Secure.
  • CSRF Protection Cookies: Cookies used to prevent Cross-Site Request Forgery attacks. These are essential for security and cannot be disabled.
  • Preference Cookies: Cookies that remember your preferences, such as dashboard theme (light/dark mode), language, and timezone settings. These are functional cookies set only upon your interaction with preference controls.

13.2 No Tracking or Advertising Cookies. We do not use tracking cookies, advertising cookies, analytics cookies from third-party networks, social media pixels, or any cookies for behavioral advertising purposes. We do not deploy any cookies that track you across different websites or build interest profiles.

13.3 No Third-Party Cookies. We do not allow third-party cookies to be set through our Website or dashboard. All cookies set by our domain are first-party, served directly by us.

13.4 Managing Cookies. You can control cookie settings through your browser preferences. Please note that disabling essential cookies may prevent you from logging into or using the Platform. For information on managing cookies, visit www.allaboutcookies.org.

14. Children's Privacy

The Platform is a B2B SaaS product intended for use by software engineering professionals and organizations. It is not directed to or intended for individuals under the age of eighteen (18). We do not knowingly collect personal data from children under 18. If we become aware that a child under 18 has provided us with personal data, we will take prompt steps to delete such information from our systems. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us immediately at privacy@featuresignals.com.

15. Data Breach Notification

15.1 Notification to Authorities. In the event of a personal data breach, we will notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach, where required by applicable law (including under GDPR and DPDP Act 2023). The notification will include: the nature of the breach; categories and approximate number of data subjects and records affected; likely consequences of the breach; measures taken or proposed to address the breach and mitigate adverse effects; and contact details of our Data Protection Officer / Grievance Officer.

15.2 Notification to Affected Users. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and provide recommendations on steps you can take to protect yourself. We will also notify affected Organizations so they can fulfill their own notification obligations to End Users.

15.3 Breach Record. We maintain an internal record of all personal data breaches, including the facts, effects, and remedial actions taken, regardless of whether notification was required.

16. Grievance Officer & Data Protection Contact

In accordance with the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023, we have designated a Grievance Officer who is also the primary contact for data protection matters:

Name: Grievance Officer
Email: grievance@featuresignals.com
Address:Vivekananda Technology Labs, #42, 3rd Cross, Viveknagar, Hyderabad, Telangana — 500104, India
Phone: Available upon request via email.

For GDPR purposes, our Grievance Officer serves as the primary contact for data protection inquiries, including requests from EEA and UK supervisory authorities. EEA residents may also lodge a complaint with their local data protection supervisory authority. A list of EU Data Protection Authorities is available at https://edpb.europa.eu.

The Grievance Officer shall acknowledge your complaint within twenty-four (24) hours and endeavor to resolve it within fifteen (15) days, or within the period prescribed by applicable law.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal obligations, or the Platform's functionality. For material changes, we will provide at least thirty (30) days' notice via email to the address associated with your account and/or through a prominent notice on the Platform and Website. For non-material changes (such as clarifying language, updating sub-processor lists, or correcting typographical errors), we may update the policy without prior notice.

The “Last updated” date at the top of this page indicates when this Privacy Policy was last revised. We encourage you to review this policy periodically. Your continued use of the Platform after the effective date of an updated policy constitutes your acceptance of the changes. If you do not agree with the revised policy, you must discontinue use of the Platform.

18. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:

Email (Privacy): privacy@featuresignals.com
Email (Legal): legal@featuresignals.com
Email (Security): security@featuresignals.com
Registered Address:Vivekananda Technology Labs, #42, 3rd Cross, Viveknagar, Hyderabad, Telangana — 500104, India
Website: https://featuresignals.com

© 2026 Vivekananda Technology Labs. All rights reserved. FeatureSignals is a trade name of Vivekananda Technology Labs. This Privacy Policy is governed by the laws of the Republic of India.