Legal & Compliance

GDPR Compliance

Commitment to European Data Protection Standards

1. Introduction

Catalytic Signal is fully committed to complying with the General Data Protection Regulation (GDPR) and safeguarding the privacy of European Union (EU), European Economic Area (EEA), and United Kingdom (UK) residents. This page outlines our structural compliance, data handling principles, and your rights under European law.

2. Our Roles: Controller vs. Processor

Under GDPR, data handlers are classified into specific roles. Catalytic Signal acts in two distinct capacities depending on the data type:

Catalytic Signal as a Data Controller

We act as a Data Controller for our Customers' Data. When you sign up for our service, we determine the purposes and means of processing your personal billing, authentication, and contact information.

Catalytic Signal as a Data Processor

We act as a Data Processor for Extracted Public Data. When you use the Vanguard Leads Engine to scrape public profiles, you (the Customer) act as the Controller deciding what data to extract. We merely process this data locally via the extension and temporarily via our AI APIs on your instructions.

3. Lawful Basis for Processing

We only process personal data when we have a valid lawful basis under Article 6 of the GDPR:

  • Contractual Necessity: To fulfill our Terms of Service (e.g., creating your account, processing payments, delivering software functionality).
  • Legitimate Interests: To improve our Services, ensure network security, prevent fraud, and build our anonymized Global Data Moat deduplication cache.
  • Consent: Where explicitly required, such as subscribing to non-essential marketing communications.

4. Data Subject Rights (EU/UK Residents)

If you reside in the EU, EEA, or UK, you have the following rights regarding your personal data:

  1. Right to Access: You may request a copy of the personal data we hold about you.
  2. Right to Rectification: You may request that we correct incomplete or inaccurate data.
  3. Right to Erasure ("To Be Forgotten"): You may request the deletion of your personal account data or request the removal of your public profile hash from our Global Cache.
  4. Right to Data Portability: You may request your account data in a structured, commonly used, machine-readable format.

5. Cross-Border Data Transfers

Catalytic Signal is a global company. Data we collect may be transferred to, stored, and processed in the United States or other countries. When we transfer EU/UK data outside the EEA/UK, we ensure an adequate degree of protection is afforded by utilizing Standard Contractual Clauses (SCCs) approved by the European Commission, and by utilizing infrastructure partners who comply with the EU-US Data Privacy Framework.

6. Authorized Sub-processors

To deliver our services, we use the following GDPR-compliant sub-processors:

  • Supabase: Database infrastructure and encrypted authentication.
  • Stripe: Payment processing and subscription management.
  • OpenAI / Anthropic: Automated text analysis for our Signal Score AI (Zero-data retention agreements are in place).
  • Vercel: Web hosting and frontend delivery networks.

Exercise Your GDPR Rights

Contact our Data Protection Officer (DPO) to submit a Data Subject Access Request (DSAR). We respond to all requests within 30 days.

dpo@catalyticsignal.com