Privacy Policy

Last updated: 10 June 2026

This privacy notice explains what personal data Signal-Scout collects, how it is used, and the rights you have over it. It is written to satisfy the GDPR's transparency obligations (Art. 13 / 14). It is not legal advice; if you intend to rely on Signal-Scout for sensitive operations or to integrate it into a regulated workflow, get your own counsel to review.

Who we are

Signal-Scout is operated by Hubert Cylwik as an independent project. The dataset surfaced by this app comes from Urząd Komunikacji Elektronicznej (UKE), the Polish telecommunications regulator, and is publicly licensed.

  • Data controller: Hubert Cylwik
  • Contact: hcylwik@gmail.com
  • Data Protection Officer: none — a solo project at this scale is not required to appoint a DPO (GDPR Art. 37). Contact the controller directly at the address above for any privacy matter.
  • Service URL: https://signal-scout.com

What we collect

When you visit the public site (no account)

  • A session cookie (session=...) created by Flask. It is a signed client-side cookie (the payload is carried in the cookie itself and cryptographically signed; there is no server-side session store). It carries no identifying information for anonymous visitors — it remembers your last clicked location plus a couple of anonymous anti-bot counters (request count, a "JavaScript ran" flag). Lifetime: up to 7 days, or until logout. Strictly necessary for the app to function, so no consent is required (ePrivacy Art. 5(3) strictly-necessary exemption).
  • A CSRF token stored in the session, used to protect form submissions (e.g. registration, login).
  • An ss_sid cookie — a random, meaningless identifier (no account data, no fingerprint) with a 30-day lifetime. Its only purpose is anti-abuse: it lets us tell a returning browser from a fresh automated scraper, which feeds our bot-detection scoring. It is not used for analytics, visitor counting or profiling, and is never shared with any third party. Because it exists purely to protect the service from abuse, it is treated as strictly necessary (ePrivacy Art. 5(3) exemption), so no consent is required.
  • Edge access logs generated by the reverse proxy in front of the application for service diagnostics and abuse prevention. These contain your full IP address, HTTP method, path, status code, response time, and user-agent string. Retention: 30 days, then deleted by log rotation.
  • Application access logs written by the app server itself. These contain the requested path including query parameters (for map endpoints that means the coordinates you clicked), status code, response time and user-agent — but not your IP (requests reach the app through the proxy tunnel, so the app only sees the proxy's address). Rotated by size (max ~30 MB retained).
  • Application audit log entries written by Signal-Scout itself with the IP truncated to /24 for IPv4 / /48 for IPv6 (the full IP is never persisted by the app).
  • Map tiles are fetched by your browser directly from third-party tile servers (CARTO, Esri/ArcGIS, and OpenStreetMap on the embed widget). Like any web request, those providers see your IP address, user-agent and the coordinates of the map area you are viewing. See "Sub-processors" below.

When you create an account

  • The email address you registered with.
  • A bcrypt hash of your password (we never store the plaintext). If you sign in with Google, GitHub or Facebook instead, there is no password — we store only the verified email address the provider returns (no provider ID or tokens are kept; see "Sub-processors").
  • The company name you optionally provided.
  • An API key stored as a SHA-256 hash plus a non-secret prefix for display (we never store the plaintext token after creation).
  • If you enable 2FA: an encrypted TOTP secret and bcrypt hashes of one-time recovery codes.
  • An audit log of security-relevant actions on your account (logins, logouts, password changes, API key creation/revocation, 2FA changes) including the truncated IP and the browser's User-Agent string (up to 256 characters). This is shown back to you on /account so you can spot suspicious activity.
  • Email delivery events. When we send you a transactional email (security alerts, coverage alerts, password reset), our email provider reports back delivery / bounce / spam-report events, which we store (your address, the event type and the provider's raw event payload) to monitor deliverability and to stop mailing addresses that bounce or complain. If the provider's open/click tracking is enabled, that raw payload can include the IP address and user-agent your mail client reported when it opened the message. Retention: 90 days, purged automatically; addresses that hard-bounced or marked us as spam stay on a suppression list (address + reason only) so we never email them again.

When you save a location for change alerts

  • The name, latitude, longitude, radius and alerting toggle you provided.
  • Snapshots of the BTS dataset within your saved radius (no personal data — just a list of public radio permits).
  • The diff between snapshots, which we use to populate /account/locations/<id>/changes.

A saved location is a coordinate you chose to monitor. Depending on what you pick, it may indirectly reveal a place that matters to you — your home, your workplace, or a business site. We only use these coordinates to run the alert feature you asked for; we don't geocode them to an address or enrich them with anything else.

When you use the map

  • The coordinates you click are stored in your session for the duration of the visit so the sidebar can show "stations near your spot".
  • We write a pseudonymised event for each click — timestamp, coordinates rounded to ~1 km grid, a one-way sha256(session_id) pseudonym, browser class (browser_chrome / mobile / etc., not the full UA string), API tier. We never record your raw IP or the precise coordinates. Used in aggregate to understand which areas of Poland the app is being used in (top spots, browser breakdown, in-PL vs out-of-PL). Retention: 30 days, deleted automatically on every server boot. Legal basis: legitimate interest (Art. 6(1)(f)).

Anti-abuse measures

To keep the service available and protect it from bots and scrapers, we use a few unobtrusive techniques: a hidden "honeypot" field on the sign-up form (invisible to people, but tripped by automated bots), decoy entries planted in the public BTS dataset to detect bulk scraping, plus rate limiting and the truncated-IP audit log described above. These do not collect any extra personal data from ordinary users.

What we don't collect

  • We do not use third-party advertising trackers (Google Ads / Meta Pixel / similar).
  • We do not sell or share your data with third parties for marketing.
  • We do not combine our logs with external profiles to build a marketing identity.

No cookie banner — and why

We don't show a cookie-consent banner because we don't set any cookie that requires consent. The only cookies we use — the Flask session/CSRF cookie and the ss_sid anti-abuse cookie — are strictly necessary to run and protect the service (ePrivacy Art. 5(3) exemption). We run no third-party or cookie-based website analytics. So there is nothing to consent to.

Automated decision-making

We do not carry out automated decision-making that produces legal or similarly significant effects on you (GDPR Art. 22). Our bot-scoring exists only to throttle or block abusive automated traffic (scrapers, bots) — it is never used to make decisions about identified individuals or to profile you.

Why we collect it (legal bases)

| Data | Purpose | Legal basis |
|---|---|---|
| Session + CSRF cookie | Make the app work | Strictly-necessary cookie under ePrivacy Art. 5(3) (no consent needed); GDPR basis: legitimate interest (Art. 6(1)(f)) for anonymous use, and performance of a contract (Art. 6(1)(b)) once it carries account features |
| Email + password | Account authentication | Performance of a contract (Art. 6(1)(b)) |
| API key hash | Authenticate API requests | Performance of a contract (Art. 6(1)(b)) |
| Saved locations / snapshots | Deliver the alert feature you asked for | Performance of a contract (Art. 6(1)(b)) |
| Audit log | Detect and investigate security incidents | Legitimate interest (Art. 6(1)(f)) — service security |
| Edge access logs (incl. full IP) | Service diagnostics, security and abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Truncated IPs (app audit log) | Abuse prevention, account security review | Legitimate interest (Art. 6(1)(f)) |
| Full IP (in memory only) | Rate limiting — request counters keyed by IP, held in process memory, never written to disk | Legitimate interest (Art. 6(1)(f)) |
| ss_sid cookie | Bot / scraper detection (anti-abuse) | Strictly-necessary cookie under ePrivacy Art. 5(3) (no consent needed); GDPR basis: legitimate interest (Art. 6(1)(f)) — service security |
| Email delivery events + suppression list | Deliverability monitoring; honouring bounces/complaints | Legitimate interest (Art. 6(1)(f)) / legal obligation to honour opt-outs |
| Pseudonymised map-click events | Understand product usage to improve the service | Legitimate interest (Art. 6(1)(f)) |

How long we keep it

| Data | Retention |
|---|---|
| Account (email, password, 2FA, locations, snapshots) | Until you delete your account |
| Audit log | Lifetime of the account, then cascaded on deletion |
| Edge access logs (reverse proxy) | ~30 days, log-rotated |
| Application access logs | Rotated by size (max ~30 MB retained) |
| Pseudonymised map-click events | 30 days (purged on server boot + scheduled sweep) |
| Email delivery events | 90 days (purged on server boot + scheduled sweep) |
| Email suppression list | Until you ask us to remove the entry |
| Session cookie | Up to 7 days / until logout |
| ss_sid cookie | 30 days |

Where it is stored

Most application data — your account, saved locations, snapshots and the app's own databases — is processed and stored within the European Union (the edge proxy runs at Hetzner in Germany; the application itself runs on self-hosted home infrastructure in Poland).

A limited set of technical and authentication data may be handled by service providers based in the United States (for example DNS, the admin mesh-tunnel control plane, transactional email, TLS certificate issuance, and — only if you choose them — third-party sign-in providers). These transfers are covered by the providers' data-processing agreements and EU Standard Contractual Clauses where applicable. Each provider, its role and its jurisdiction are listed below.

Sub-processors

| Provider | Purpose | Jurisdiction |
|---|---|---|
| Hetzner Online GmbH | Edge reverse proxy + TLS termination. Its access logs hold your full IP for ~30 days | EU (Germany) |
| Tailscale, Inc. | Encrypted admin mesh-tunnel control plane (key exchange / coordination only — your traffic does not transit Tailscale's servers) | United States |
| Twilio SendGrid | Transactional email delivery (account, security and alert emails) — receives your email address and the message content | United States |
| Let's Encrypt (ISRG) | TLS certificate issuance — no personal data; certificate requests contain only the public domain name | United States |
| Cloudflare, Inc. | Authoritative DNS nameservers for signal-scout.com (DNS records + DNS-01 ACME challenges only; DNS-only — no Cloudflare HTTP proxy, no traffic interception) | United States |
| Squarespace Domains LLC | Domain registrar for signal-scout.com | United States |
| Google, GitHub, Meta (Facebook) | Optional third-party sign-in (OAuth) — engaged only if you choose to sign in with that provider. The provider then confirms your identity / email to us; revoking the app at the provider stops it | United States |
| CARTO (basemaps.cartocdn.com) | Map tile delivery — your browser fetches tiles directly, so CARTO sees your IP, user-agent and the coordinates of the map area you view. We never send them anything ourselves | United States / EU CDN |
| Esri (ArcGIS Online) | Satellite-imagery tiles, fetched browser-direct like CARTO — engaged only when you switch the map to the satellite layer | United States |
| OpenStreetMap Foundation | Map tiles for the embeddable widget (/embed/*) only, fetched browser-direct | United Kingdom |

OAuth providers act independently as their own controllers for the sign-in step; we only ever receive the minimum identity data needed to create or match your account.

We do not use any third-party analytics, advertising, or tracking processors. Any web analytics we run are self-hosted on our own infrastructure — no third party receives that data.

Your rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you. For account-derived data this is visible directly on /account. For anything else, email us.
  • Rectify inaccurate data — change your company name directly on /account; to correct your email address, email us (we verify it's you and update it manually).
  • Erase your data ("right to be forgotten") — /account has a "Delete account" action that immediately and irreversibly wipes your active account data: your email, password hash, audit log, saved locations, snapshots, API keys and email delivery events (cascade delete). Three things outlive the deletion: full IPs in the edge proxy's access logs (rotated out within ~30 days), truncated IPs and masked email addresses (h***@example.com) in retained app logs, and — if your address ever hard-bounced or reported us as spam — the suppression-list entry, which we keep so we never email that address again (you can ask us to remove it). We keep disaster-recovery backups of the account database on our own infrastructure (EU, same physical custody as the live database), retained for 14 days — a deleted account can therefore persist in backups for up to 14 days before it is gone everywhere. We keep these backups on the basis of our legitimate interest (Art. 6(1)(f)) in being able to recover the service after a failure, since selectively editing an encrypted point-in-time backup to remove one account is not technically practical. Backups are used only for disaster recovery, never restored selectively to "un-delete" data.
  • Restrict processing or object to it on legitimate-interest grounds — email us.
  • Portability — export of saved locations / snapshots is available on request.
  • Lodge a complaint with the Polish supervisory authority (Urząd Ochrony Danych Osobowych, https://uodo.gov.pl).

To exercise any of these rights, email hcylwik@gmail.com with the email address you registered with. We aim to respond within 30 days.

Children

Signal-Scout is not directed at children under 16 and we do not knowingly collect their data. If you believe a child has registered, email us and we will delete the account.

Changes to this notice

We will update this page when we change what we collect or how we use it. Material changes will be flagged in the footer with the "Last updated" date above. The current version always lives at /privacy.

Contact