Trust & Policies
Privacy Policy
We don't sell your data. We don't share it with advertisers. Quiz answers never leave our database. Here are the specifics.
Last updated: 2026-05-25
TL;DR. Calibrated Signal collects only what it needs to send you the newsletter, run the site, and process payments if you subscribe. We don't sell or trade your data. We don't share it with ad networks. We don't use Google Analytics, advertising pixels, or third-party trackers on any page. You can ask us to access, correct, export, or delete your data at any time by emailing privacy@calibratedsignal.com.
Calibrated Signal (“the Site,” “we,” “us”) is operated by Nick Hanson through Calibrated Signal LLC. This Privacy Policy explains what information we collect, why we collect it, who else sees it, how long we keep it, and how to exercise your rights. It applies to every page on calibratedsignal.com, the Calibrated Signal newsletter, and any free or paid tools offered under the Calibrated Signal brand. A parallel policy governs our sister property at calibratedage.com; the underlying data infrastructure is the same.
1. What we collect, and why
Newsletter subscribers
If you subscribe to the newsletter, we collect your email address and (optionally) your first name. These are stored in our own database (Supabase) in a single subscriber record that may also reflect your status with our sister property at calibratedage.com if you have an account there. We do not use a third-party email-list service like Mailchimp or Kit. Standard engagement metadata (whether you opened a given email, whether you clicked a link, whether you unsubscribed, the date you subscribed, and which form you used) is recorded in our own database against your subscriber record. You can unsubscribe at any time using the link at the bottom of every email; doing so suppresses future sends immediately.
Heart Screening Quiz and other quizzes
When you take the Heart Screening Quiz (or any future quiz), we collect your answers and your email address (if you choose to receive your results by email). Your quiz answers stay in our database (Supabase) and never flow to any external service. They do not go to our email provider, to ad platforms, to analytics tools, or to anyone else. This is a hard rule, not a preference: even classification labels (like an “awareness tier”) are stored only as internal identifiers and are never attached as readable attributes on any record that leaves our database. See “The health-data boundary” below for the full picture.
Paid members (when subscriptions launch)
If you become a paid Calibrated Member, payment is processed by Stripe. Stripe stores your billing details (card number, billing address, transaction history); we do not store card numbers on our servers. We store your subscription status, plan, and start date in our own database so we can give you access to member content. Payment records are retained for seven years per IRS requirements.
Site analytics
To understand which articles get read and how visitors find and move through the Site, we use Vercel Web Analytics, a first-party, cookie-less analytics service provided by our hosting platform. Vercel Web Analytics records aggregate pageview counts, referring URLs, country-level (not city-level) location, and device and browser type. It does not set cross-site tracking cookies, does not build a behavioral profile of you across other sites, and does not share data with advertising networks.
We also record some attribution data in our own database to understand how readers find the Site. If you arrive with a utm_source, utm_medium, or utm_campaign parameter in the URL (for example, from a social-media post), we store the source, the medium, the campaign, the page you landed on, and a randomly generated anonymous identifier in our public.attribution_sessions table. If you later subscribe to the newsletter, take a quiz, or become a member, we connect that conversion event back to the original source so we can understand which channels actually reach readers. No personally identifying information is captured in attribution sessions before a conversion event happens.
We do not use Google Analytics, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, Snap Pixel, Pinterest Tag, or any third-party advertising or behavioral-tracking tag on any page of the Site. We do not run retargeting campaigns. We do not build custom audiences from your visit. We do not load any third-party analytics or tracking on quiz pages or quiz-result pages.
Email delivery
We use Resend as our email-delivery service for newsletter sends, transactional emails (account confirmations, password resets, subscription receipts, quiz-result emails), and any system-generated mail. Resend sees your email address, the subject line, the rendered message body, and standard delivery metadata (whether the message was delivered, bounced, opened, or clicked). Resend does not receive your quiz answers, biomarker values, medication lists, or any other clinical content as structured data; any health-related content stays inside the rendered HTML of an email body we send to you, never attached as a property on your subscriber record.
Comments and reader email
If you leave a comment on an article or email us directly, we receive your name (if provided), your email address, and your message. Comments and the email address used to post them are stored in our database. If you email us, your message is retained in our inbox until resolved, then archived per our retention schedule below.
Server logs and security
Our hosting provider, Vercel, collects standard server logs: IP address, user-agent string, request path, response code, and timestamps. These are used to monitor performance, debug issues, and detect abusive traffic. Logs are retained for up to 30 days unless a security incident requires longer retention.
2. The health-data boundary
Our hard rule. No raw consumer-health data ever flows from Calibrated Signal into our email provider, ad platforms, analytics tools, or any external service outside our own database. Quiz answers, computed risk awareness, biomarker values, medication lists, family history, symptoms, lifestyle inputs — all of it stays in Supabase. The only things that ever cross an external boundary are your email address, an optional first name, and the fact that you completed the quiz.
We treat heart-quiz data as consumer health information under the framing the FTC has used in its 2023–2026 enforcement actions (against GoodRx, BetterHelp, Cerebral, Monument, and Premom). Although Calibrated Signal is not a HIPAA-covered entity, we hold ourselves to a stricter standard: we do not share, sell, lease, or upload health-related data to any third party for any purpose. We do not build custom audiences from quiz-taker emails. We do not run retargeting based on quiz interaction.
This rule is enforced in our codebase via continuous-integration checks that scan every commit for forbidden data fields in external-service calls, and that verify no advertising pixels load on quiz or quiz-result pages.
3. Who sees your data
We use the following service providers, each of which sees only the data necessary to do its job:
- Vercel — site hosting, server logs, and first-party Web Analytics for pageview metrics.
- Supabase — primary database for subscriber records, member accounts, quiz responses, and attribution data (US-hosted).
- Resend — email delivery for newsletter, transactional, and authentication mail.
- Stripe — payment processing for paid subscriptions.
- GitHub — source-code hosting (no personal user data).
We do not sell or rent personal information. We do not share it with data brokers, ad networks, or advertising platforms for marketing purposes. We may disclose data when required by a valid legal process (subpoena, court order, government request) or when necessary to protect the rights, safety, or property of the Site, its readers, or the public.
4. Cookies and tracking
We use the minimum cookies required for the Site to function: a session cookie for logged-in members, a CSRF token for form submissions, and a 90-day first-party identifier cookie that lets us connect your visits to the same anonymous session for attribution purposes. Vercel Web Analytics is cookie-less and does not set any tracking cookie.
We do not use advertising cookies, retargeting cookies, or third-party tracking pixels of any kind. Affiliate links may set a first-party cookie from the affiliate partner (for example, Amazon) when you click through; this does not give us access to your purchase history. See our Disclosures page for the full affiliate policy.
5. Global Privacy Control and Do Not Sell signals
We honor the Global Privacy Control (GPC) browser signal. If your browser sends a GPC header, we treat your visit as an opt-out of any sale or sharing of personal information for cross-context behavioral advertising. As of January 1, 2026, California users who arrive with GPC enabled will see a visible confirmation that the opt-out was honored.
We honor universal opt-out signals in the twelve states that currently require it (California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas), and we extend the same treatment to visitors from any other state by default. Because we do not engage in cross-context behavioral advertising in the first place, the practical effect is the same: we don't sell, share, or transfer your data to advertisers, period.
6. Your privacy rights
Depending on where you live, you have some or all of the following rights:
- Right to know what personal information we have about you and what we do with it.
- Right to access or export a copy of your personal information in a portable format.
- Right to correct inaccurate personal information.
- Right to delete your personal information, subject to limited legal exceptions (payment records required by tax law, security logs required for fraud investigation, etc.).
- Right to opt out of any sale or sharing of your data (we do neither).
- Right to limit the use of sensitive personal information (we do not use it beyond what's required to provide the service).
- Right to non-discrimination for exercising any of these rights.
To exercise any of these rights, email privacy@calibratedsignal.com with the request. We respond within 45 days. We may ask you to verify your identity before acting on a deletion or export request to prevent unauthorized access to your account.
State-specific rights
California (CCPA/CPRA). California residents have the rights listed above plus the right to a “Do Not Sell or Share My Personal Information” opt-out and a “Limit the Use of My Sensitive Personal Information” option. Because we do not sell or share personal information for cross-context behavioral advertising, these opt-outs default to honored. You may designate an authorized agent to make a request on your behalf.
Virginia, Colorado, Connecticut, Utah, Montana, Texas, and other comprehensive-privacy-law states. Residents of these states have the rights listed above. Some rights apply only above certain consumer or revenue thresholds; we extend them to all readers regardless of thresholds.
Washington (My Health My Data Act). Washington residents have the right to confirm whether we collect, share, or sell consumer health data; the right to withdraw consent; and the right to delete consumer health data. We do not share or sell consumer health data. Quiz responses are deleted within 30 days of a verified request.
European Economic Area, UK, Switzerland. If you visit from the EEA, UK, or Switzerland, our legal basis for processing is your consent (for marketing emails), contract performance (for paid subscriptions), and legitimate interest (for site operation and first-party analytics). You have the right to lodge a complaint with your local data-protection authority. We are not currently designated to a specific EU representative; for any inquiry, email privacy@calibratedsignal.com.
7. Data retention
- Newsletter subscribers (active): until you unsubscribe, plus 90 days as a re-subscribe grace buffer.
- Newsletter subscribers (inactive 24+ months): suppressed and removed from the active list.
- Quiz responses: 24 months from submission, or until you ask us to delete them — whichever is sooner.
- Member account data: retained while your account is active, plus 12 months after cancellation; payment records retained for seven years per IRS requirements.
- Attribution data: aggregate session and conversion data retained for 24 months; individual anonymous-identifier rows can be deleted on request.
- Server logs: up to 30 days, unless a security incident requires longer.
8. Security
We use HTTPS encryption for all data in transit. Data at rest is encrypted by our service providers (Supabase, Stripe, Resend). We follow standard access-control practices and maintain a small operational footprint to reduce attack surface. If a data breach occurs, we will notify affected individuals within the timeframe required by applicable law (typically 30 to 60 days).
9. Children
Calibrated Signal is a general-audience publication intended for readers 18 and older. We do not direct content to children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us with personal information, please email privacy@calibratedsignal.com and we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be posted on this page with a new “Last updated” date, and active newsletter subscribers will be notified by email before the change takes effect.
11. Contact
For privacy questions, requests, or complaints, email privacy@calibratedsignal.com. For other matters, see our Disclosures, Medical Disclaimer, and Corrections pages.
