Privacy Policy
SignBoard Planner is a small, independent service. This policy describes what data we collect, why we collect it, who we share it with, and how long we keep it. We try to keep it short, plain, and honest. If something here is unclear, email us at [email protected] and we'll explain.
1. What we collect
We collect different information at different times:
When you sign up for an account
- Your name (whatever you type into the signup form)
- Your email address
- Your password, stored only as a one-way hash — we cannot recover or read your plaintext password
- The IP address and browser user-agent string of the device that created the session, stored alongside your session record
- Timestamps for when the account was created and last updated
When you verify your email or reset your password
We generate a short-lived verification or reset token (one hour for email verification) and send it to you through Resend. The token is deleted after use or expiry.
When you subscribe to Pro
- We pass your email and name to Stripe so they can create a customer record. Stripe handles the actual payment page; we never see your card number, CVV, or full PAN.
- We store, on our side, the Stripe customer ID, subscription ID, subscription status (active, past due, canceled, etc.), and which plan you're on (monthly or annual). That's it. The card details stay at Stripe.
When you subscribe to the newsletter
- We pass your email address and a tier tag (“free” for newsletter signups and free-tier accounts; “pro” for paid subscribers) to Buttondown, our newsletter service, so they can deliver The Weekly Sign on our behalf.
- Buttondown sends a confirmation email and adds you to the list only after you click the confirmation link (double opt-in). You can unsubscribe at any time using the link at the bottom of every newsletter; this is honored immediately and no further newsletters are sent.
- Buttondown records open events (via a tracking pixel embedded in the email) and click events (via rewritten links). We use this data only to evaluate whether the newsletter is reaching subscribers and which signs are interesting; we do not match this back to your account activity on the site.
When you browse the public site
Cloudflare Web Analytics records the URL of the page, your referrer, your browser/OS/device type, your country (derived from IP without storing the IP), screen size, and Core Web Vitals timings. It does not set cookies, does not fingerprint you, and does not track you across sites.
Server logs
Our admin server logs operational events to the system journal on our host machine. These logs may include the email address used in a sign-in attempt (never the password), Stripe customer IDs and subscription IDs in error paths, and IP addresses in rate-limiting and webhook error paths. Logs are kept on the host until disk pressure rotates them out and are not shipped to a third-party log service.
2. Why we collect it
- Account data — so you can log in, save your subscription, and we can email you about your account when something changes.
- Session data (IP, user agent, token) — to keep you logged in for thirty days, to detect abuse like credential stuffing, and to let you sign out from a stolen session.
- Stripe IDs and subscription state — so the site knows you're a Pro subscriber and unlocks the full library for you.
- Cloudflare Web Analytics — so we can tell which pages people read and which we should improve. We chose Cloudflare specifically because it does this without cookies or tracking.
- Logs — to debug problems and respond to security incidents.
We do not sell your data. We do not use it to train AI models. We do not show you advertising. There is no advertising on this site.
3. Who we share it with
We use a small number of third-party services to run SignBoard Planner. Each one only sees the data it needs to do its job.
- Stripe — processes payments. Receives your email, name, and card details (which you enter directly on Stripe's page, not ours). Stores your subscription history. stripe.com/privacy
- Resend — sends transactional email (verification links, password resets). Receives the recipient's email address and the contents of the email. resend.com/legal/privacy-policy
- Cloudflare — serves the site (Cloudflare Pages and Cloudflare Tunnel) and runs Web Analytics. Sees normal HTTP request data plus the analytics fields described above. cloudflare.com/privacypolicy
- Buttondown — sends our newsletter, The Weekly Sign. Receives the email address of subscribers, a tier tag, and (for delivered emails) open and click events. Only used when you've opted in via the signup form, the account-creation checkbox, or the Stripe checkout checkbox. buttondown.com/legal/privacy
We do not share your data with anyone else. We have not sold, rented, or traded user data to any other party, and we have no plans to. If we are ever required by law to disclose information (e.g. a valid subpoena), we will comply only with the specific request and will tell you about it unless we are legally prohibited from doing so.
4. How long we keep it
- Account record — for as long as your account exists. When your account is deleted, the user record and all attached sessions are removed from our database.
- Sessions — up to thirty days from last use, then automatically expire.
- Email-verification and password-reset tokens — one hour, then deleted.
- Server logs — on our host until disk pressure rotates them out (typically weeks to a few months).
- Stripe data — Stripe retains payment and subscription history per their own retention policy, which we do not control. Cancelling your subscription stops further billing but does not erase past invoices from Stripe.
- Backups — we keep two kinds of backups: a nightly export of sign content to a private GitHub repo (does not include user data), and a weekly encrypted snapshot of the full database to a separate machine, retained for eight weeks. A deleted account can persist in the most recent encrypted snapshot for up to eight weeks before it ages out. We do not actively read from backups except during recovery.
- Newsletter list — your email and tag are stored at Buttondown for as long as you are subscribed. Unsubscribing immediately removes you from active sends; Buttondown retains the historical record per their own retention policy. Buttondown also retains open / click events for delivered issues; we do not export or store those events on our side.
5. Accessing, correcting, or deleting your data
Currently, name and email changes are handled by emailing [email protected] from your account address. Self-service editing on the account page is on our roadmap. You can cancel your subscription any time from your account page via the “Manage billing” button, which takes you to Stripe's customer portal.
Account deletion is currently a manual process. We haven't yet built a self-service “Delete my account” button. To delete your account, email [email protected] from the address on the account, and we will:
- Cancel your Stripe subscription if it's still active.
- Delete your user record and sessions from our database.
- Confirm by reply when it's done, usually within a few business days.
We are tracking the work to add a one-click delete button on your account page. Until it ships, the email path above is the supported way.
You can also ask us for a copy of the data we hold about you, or ask us to correct anything that's wrong. Same email, same response window.
6. Cookies and tracking
- Better Auth session cookie — one HTTP-only, Secure, SameSite=Lax cookie that holds your session token. This is essential for keeping you logged in. It is not used for tracking.
- Cloudflare Web Analytics — cookie-free.
- Stripe Checkout — Stripe sets its own cookies on its checkout page (a different domain) when you are paying. Those cookies are governed by Stripe's privacy policy.
- Newsletter open / click tracking — newsletter emails contain a 1-pixel image (used to detect when the email is opened) and rewritten links (used to detect when a link is clicked). Both are Buttondown-side features. If you'd rather not be tracked this way, most mail clients can be set to block remote images by default, which suppresses the open pixel; the unsubscribe link in every issue is the simplest way to stop the tracking entirely.
We do not use Google Analytics, advertising pixels, or session replay tools.
7. How we protect your data
We're a small service, but protecting your data is something we take seriously. Here's what we actually do — and, honestly, what we can't promise.
- Encryption in transit — the whole site is served over HTTPS, and we use HSTS so your browser refuses to connect over an insecure link. Your password reaches us encrypted and is stored only as a one-way hash (see section 1); we never keep it in readable form.
- Card data never touches our servers — you enter your card on Stripe's page, not ours. We never see or store your card number (see sections 1 and 3).
- Locked-down access — the database lives on a single private server. Administrative access is limited to the operator over key-based SSH behind a private network boundary (Tailscale plus a firewall). The secret keys that run the service (authentication, Stripe, email) live in root-only files on that server — never in our code and never in version control.
- Application hardening — we restrict what code is allowed to run in your browser (a Content Security Policy), set strict security headers, limit repeated login attempts to blunt password-guessing, and cryptographically verify that payment notifications genuinely come from Stripe before we act on them.
- Encrypted backups — database backups are encrypted and kept on a separate machine (see section 4).
- Regular review — we re-walk our internal security checklist at least quarterly and scan our software dependencies for known vulnerabilities weekly.
If something goes wrong. No system is perfectly secure, and we won't pretend otherwise. If we ever discover a breach affecting your personal data, we will email the affected accounts promptly and without unreasonable delay, and tell you what happened, what was exposed, and what we're doing about it. Parts of the service also run on Stripe, Cloudflare, Resend, and Buttondown; a security failure inside one of those providers is outside our control, though we deliberately chose established providers to keep that risk low.
8. Children's data
SignBoard Planner is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has created an account on our service, email us at [email protected] and we will delete the account.
9. International users
SignBoard Planner is operated from the United States. We are not actively marketing to users in the European Union, the United Kingdom, or other jurisdictions, but if you use the service from one of those places, we apply the standard data subject rights you are entitled to:
- The right to access the data we hold about you.
- The right to correct anything that's wrong.
- The right to delete your account and the data attached to it.
- The right to receive a portable copy of your data.
- The right to object to specific uses of your data.
Email [email protected] to exercise any of these. Your data will be transferred to and stored in the United States.
10. Changes to this policy
When we update this policy, we'll change the “Last updated” date at the top of the page. If the change is material — meaning it expands what we collect, who we share it with, or how we use it — we will email everyone with an active account at least thirty days before the change takes effect, so you have time to review and decide whether you still want to use the service.
11. Contact
Privacy questions, data requests, or anything else covered in this policy: [email protected].
SignBoard Planner is operated by an independent owner based in Columbia, Tennessee, United States. Postal address:
SignBoard Planner
PO Box 210
Columbia, TN 38401
United States
The address above is a temporary placeholder while a dedicated PO Box is being acquired locally. We will update this section, the newsletter footer, and our billing records when the permanent box is assigned. Email is the fastest way to reach us in the meantime.
12. Governing law
SignBoard Planner is operated from the United States. This Privacy Policy is governed by the laws of the State of Tennessee and the United States, without regard to conflict-of-laws rules. The full disputes clause — including where disputes are handled — is in our Terms of Service.