Privacy Policy

Last updated: May 13, 2026

This Privacy Policy is provided in English. Translations, if any, are for convenience only; the English version controls.

1. Introduction

SIGNBRO FABRICATION LLC ("SignBro," "we," "us," or "our") is a New York limited liability company operating sign-bro.com (the "Site"). This Privacy Policy explains what personal information we collect, how we use and share it, and the rights you have to access or delete it.

We comply with applicable U.S. privacy laws including the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"), the New York Stop Hacks and Improve Electronic Data Security Act ("NY SHIELD Act"), and - where applicable - the EU General Data Protection Regulation ("GDPR") and UK GDPR.

This policy applies to information collected through the Site, our customer cabinet, our admin chat, our transactional emails, and our B2B partner portal. It does not apply to third-party websites that we link to.

2. Information We Collect

Account information you provide: full name, email address, password (stored only as a bcrypt hash), phone number, billing address, shipping address, business details for B2B partners (company name, role, tax ID where requested), and preferred language.

Order information: sign configurations, dimensions, fonts, colors, uploaded reference images, project notes, design previews, production photographs, and order status.

Payment information: payment is processed by Stripe, Inc. SignBro receives only the last four digits of the card, the card brand, the Stripe charge / payment-intent identifier, and (where Stripe returns it) the issuing country. We never see, store, or transmit full card numbers, expiration dates, or CVV codes.

Communications: chat messages exchanged with our support and production team, support email correspondence, B2B request descriptions and uploaded drawings.

Automatically collected: Internet Protocol (IP) address, browser user-agent string, device type, pages visited, referring URL, language preference, and session timing. We use these signals for security (rate limiting, fraud detection) and to improve the Site.

Cookies: a session cookie (named "signbro_token") to keep you logged in, a language cookie to remember your locale, and a cart-state cookie. We may add optional analytics cookies (e.g. Google Analytics) in the future; if and when we do, you will see a cookie banner with opt-in / opt-out controls.

3. How We Use Your Information

To create and operate your account.

To configure, price, fabricate, ship, and install signage you order.

To process payments and prevent fraud (in cooperation with Stripe).

To send transactional emails - order confirmations, quote updates, production progress photos, shipping updates, payment receipts, and password-reset codes.

To respond to your inquiries through chat, email, or the contact form.

To comply with our legal and tax obligations (we are required to keep order and tax records for up to 7 years under New York law).

To improve the Site, the AI Sign Designer, and the configurator based on aggregated and anonymized usage patterns.

To send marketing communications - but only if you opt in. Every marketing email contains a one-click unsubscribe link.

4. How We Share Your Information

We do NOT sell your personal information, and we do NOT share it with advertisers or data brokers.

We share only the minimum data necessary with the following service providers, each contractually bound to confidentiality:

• Stripe, Inc. - payment processing (https://stripe.com/privacy).

• Cloudinary, Inc. - secure storage of uploaded reference images, design previews, and progress photos (https://cloudinary.com/privacy).

• Twilio SendGrid, Inc. - delivery of transactional and verification emails (https://www.twilio.com/legal/privacy).

• MongoDB Atlas (MongoDB, Inc.) - encrypted database hosting for orders, accounts, and configurations (https://www.mongodb.com/legal/privacy/privacy-policy).

• Vercel, Inc. - website and API hosting (https://vercel.com/legal/privacy-policy).

• Anthropic, PBC - the AI Sign Designer sends only the customer's natural-language prompt to Anthropic's Claude API; no email, name, or other personally identifiable information is forwarded (https://www.anthropic.com/legal/privacy).

We may also disclose information in response to a valid subpoena, court order, or other legal process; to protect our rights, property, or safety, or that of our customers or the public; or in connection with a merger, acquisition, or sale of all or part of our business (with reasonable notice to affected customers).

5. How Long We Retain Information

Order, invoice, and payment records - 7 years from order completion (New York State tax and accounting recordkeeping requirement).

Account information for active accounts - until you request deletion or your account becomes inactive for more than 36 consecutive months.

Chat messages and B2B requests - until you delete them, close your account, or 3 years after the last activity, whichever comes first.

Audit logs of administrator actions - 7 years for compliance and dispute resolution.

When you delete your account, we hard-delete saved designs, chat history, and B2B requests; we anonymize the customer block of your past orders (we keep order numbers, line items, and amounts for accounting integrity, but unlink them from your name, email, phone, and address).

6. Your Rights

Every customer can, at any time, sign in to /cabinet and:

• Update name, phone, email, address, and password from the Profile tab.

• Download a complete JSON export of all data we hold on you (GET /api/auth/me/export).

• Delete the account permanently (POST /api/auth/me/delete with password confirmation).

California residents (CCPA/CPRA) additionally have:

• Right to know what categories of personal information we have collected, the sources, and the business purpose for collection.

• Right to delete personal information, subject to legal exceptions for tax records and ongoing transactions.

• Right to correct inaccurate personal information.

• Right to opt out of "sale" or "sharing" of personal information for cross-context behavioral advertising - we do not engage in either, so this right is automatically honored.

• Right to limit use of sensitive personal information - we do not collect "sensitive personal information" as defined by CPRA.

• Right to non-discrimination for exercising any of the above rights.

EU and UK residents (GDPR / UK GDPR) additionally have:

• Right of access, rectification, and erasure.

• Right to data portability - covered by the JSON export endpoint.

• Right to restrict or object to processing.

• Right to lodge a complaint with your local supervisory authority.

To exercise any right not covered by the cabinet self-service tools above, email privacy@sign-bro.com from the email on file. We respond within 30 days (45 for complex California requests, as allowed by CCPA).

7. Children’s Privacy

The Site is intended for adult business customers and is not directed at children under 13. We do not knowingly collect information from anyone under 13. If you believe we have inadvertently collected information from a child, please contact privacy@sign-bro.com and we will delete it promptly.

8. Data Security

We implement reasonable administrative, technical, and physical safeguards including: TLS encryption for all data in transit, bcrypt password hashing, JWT-based authentication with revocable sessions, hardened HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options), strict rate limiting on authentication endpoints, EXIF stripping on uploaded images, prototype-pollution sanitization on user-supplied JSON, and a tamper-evident audit log of administrator actions.

No security measures are perfect. If you suspect that your account has been compromised, change your password immediately at /cabinet/profile and email security@sign-bro.com.

In the event of a data breach affecting your personal information, we will notify you by email and any applicable regulator within the time frame required by law (in New York, the NY SHIELD Act requires notification "in the most expedient time possible and without unreasonable delay").

9. International Transfers

Our service providers (Vercel, MongoDB Atlas, Stripe, Cloudinary, SendGrid, Anthropic) host primarily within the United States. If you access the Site from outside the U.S., your information will be transferred to, stored in, and processed in the United States, where data-protection laws may differ from those in your country.

For transfers from the EU/EEA, the UK, or Switzerland, we rely on the Standard Contractual Clauses adopted by the European Commission and the UK International Data Transfer Addendum, as incorporated into each provider's data-processing agreement.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last Updated" date at the top of this page reflects the most recent revision. Material changes will be announced by email to all account holders at least 30 days before they take effect. Continued use of the Site after the effective date constitutes acceptance.

11. Contact

Questions, requests to exercise your privacy rights, or complaints:

SIGNBRO FABRICATION LLC

1862 W 8th St

Brooklyn, NY 11223

United States

Privacy inquiries: privacy@sign-bro.com

General inquiries: info@sign-bro.com

Security disclosures: security@sign-bro.com