SigndUp helps you create and manage disposable email accounts for one-time sign-ups. This policy explains exactly what data we collect, how we use it, and your rights.
SigndUp collects only the following personal data:
| Data | Why | Stored? | Retention |
|---|---|---|---|
Disposable email address (@signdup.net) |
Your login ID for one-time sign-ups | Yes — encrypted | Until you delete it |
| Inbox password | Password for the disposable email account | Yes — AES encrypted | Until you delete it |
| One-time code (OTP) | Verification code received in inbox | No — memory only | Not stored |
| Website domain | Match correct credentials to current site | No | Not stored |
| Device fingerprint (Visitor ID) | Fraud prevention and rate limiting | Yes — opaque hash | Until account deletion |
| IP address | Rate limiting and abuse prevention | Yes — short term | Up to 24 hours |
| Supabase User ID (UUID) | Internal account identifier | Yes | Until account deletion |
We do not collect your real name, real email address, location, payment information, contacts, or any browsing history beyond the active tab's domain.
We do not use any data for advertising, behavioural analytics, profiling, or any purpose not described here. We never sell, rent, or trade your data.
Inbox passwords are AES-encrypted client-side before being sent to our servers. Only ciphertext is stored — we cannot retrieve your plaintext password.
All communications between the extension, our Cloudflare Worker, and Supabase use HTTPS/TLS.
One-time codes are processed in memory only and discarded immediately after being displayed to you.
Your device fingerprint (Visitor ID) is stored in a field that only our backend can write to using an admin key. You cannot modify it from the extension.
Inbox creation is limited to 4 per site per hour and 10 globally per hour, enforced via Upstash Redis. These limits survive account deletion since they are stored independently of your account records.
| Service | Role | Data Received | Region |
|---|---|---|---|
| Cloudflare Email Routing | Receives emails to @signdup.net addresses |
Email content (max 1 hour) | Global edge |
| Cloudflare Worker + KV | Backend API, temporary email storage | Auth tokens, inbox addresses, emails, IP addresses | Global edge |
| Supabase | Authentication and encrypted credential storage | User ID, encrypted email, encrypted password, Visitor ID | EU region |
| Upstash Redis | Rate limiting | IP address, request counts (auto-expires in 24h) | Global |
| FingerprintJS (open source) | Client-side device fingerprinting | Runs in browser only — no external API calls | Client only |
None of these providers use your data for advertising. Each processes only what is necessary for their specific role.
When you delete an inbox or account, records are immediately removed from Supabase. Cloudflare KV entries expire automatically within 1 hour.
EU users may also file a complaint with their local data protection authority under GDPR.
SigndUp does not use tracking cookies. We use Chrome's storage.local API to save extension
preferences, session information, and the active inbox locally on your device. This data is cleared when you
uninstall the extension. No analytics or tracking cookies are used.
SigndUp is intended for lawful personal use only. The following activities are strictly prohibited:
Violations may result in immediate account suspension and reporting to relevant authorities. To report abuse, email [email protected]. We investigate all credible reports promptly and cooperate with lawful law enforcement requests.
In compliance with India's Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, SigndUp has appointed a Grievance Redressal Officer:
We may update this policy to reflect changes in our practices or applicable laws. Significant updates will be posted at www.signdup.net/privacy-policy. The "Last Updated" date at the top of this page always reflects the most recent revision.