Privacy Policy

1. Introduction

This Privacy Policy explains how Signal Studio Limited (NZ Company Number 8135662), a company registered in New Zealand ("Signal Studio", "we", "us", or "our"), collects, uses, and protects personal information in connection with the Split application, website, and related services (the "Service"). Split is a product of Signal Studio Limited.

Our registered office is 7 Fred Taylor Drive, Westgate, Auckland 0814, New Zealand. You can contact us at privacy@withsplit.com for any privacy matter.

By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.

2. Who This Policy Covers and Our Role

Split involves two distinct groups of people, and our role under data protection law differs for each:

• Dashboard users - the people who sign up for and administer a Split account (typically our customer's marketing, product, or web team). For this group, Signal Studio Limited is a data controller and this Privacy Policy describes the full scope of how we handle your data.
• Visitors to our customers' websites - the people who see and interact with A/B test variations that our customer configures in Split. For this group, Signal Studio Limited is a data processor acting on behalf of our customer. Our customer is the controller of that data and is responsible for the legal basis on which it is processed, including any notice and consent obligations on their own website. A Data Processing Agreement governing this relationship is available on request.

3. Data We Collect

Account data (dashboard users)

When you create a Split account we collect:

• Email address
• Password (stored securely by our authentication provider; we never see your plaintext password)
• Name, where provided
• Google account identifier and basic profile information, if you sign in with Google (see section 7)

Billing data (dashboard users)

When you subscribe to a paid plan, our payment processor Stripe collects billing information on our behalf:

• Payment card details (tokenised and stored by Stripe; we never hold full card numbers)
• Billing name and address
• Transaction and invoice history

Usage data (dashboard users)

• A/B test configurations you create
• Dashboard interactions and feature usage
• Support correspondence

Visitor data (processor role)

When our customer deploys Split on their website, split.js runs in the visitor's browser to assign and record variants. For each visit we may process:

• A random, non-identifying cookie ID used to keep a visitor on the same variant
• The assigned variant, page URL and timestamp
• Conversion events the customer has configured
• IP address, which we truncate on ingest and do not store in raw form
• User agent (browser and operating system) at an aggregate level only

We do not require, collect or store direct identifiers (name, email, phone number) from website visitors through split.js.

Technical data

When you access the Split dashboard we automatically collect standard server and access logs (IP address, browser, device type, referring URL, timestamp). These are used for security, abuse prevention and debugging.

4. How We Use Data

We use the data described above to:

• Provide, operate and maintain the Service
• Process payments and manage subscriptions
• Send transactional communications (account, billing and service updates)
• Respond to support requests
• Compute statistical results of A/B tests for the customer who configured them
• Detect and prevent fraud, abuse and security incidents
• Improve the Service, including by generating anonymised and aggregated analytics
• Comply with legal obligations

We do not sell personal data. We do not use visitor data collected through split.js for any advertising, tracking or profiling purpose.

5. Webflow Integration

Split connects to your Webflow account via Webflow's official OAuth and Designer Extension platform. Through this integration we access only the scopes required to provide A/B testing, which include read access to your site structure (pages and elements) and the ability to publish variation changes that you explicitly configure. We do not modify Webflow content outside of the variations you create, and we do not access Webflow data from sites you have not connected to Split.

6. Cookies and Similar Technologies

We use cookies for:

• Authentication. Session cookies on the Split dashboard keep you signed in.
• Variant assignment on customer websites. split.js sets first-party cookies on the customer's own domain (not on withsplit.com) to keep a visitor assigned to the same variant across pages and sessions. These cookies contain only a random identifier and the assigned variant.
• Product analytics. We use privacy-respecting analytics on the Split dashboard to understand feature usage.

Split does not use cookies for advertising, cross-site tracking, or building behavioural profiles of website visitors.

7. Google Services

Split uses two Google services and is bound by the Google API Services User Data Policy, including the Limited Use requirements, as described at Google's Limited Use policy.

• Sign in with Google. If you choose to sign in with Google we receive your email address and basic profile information through our authentication provider (Supabase). We use this information only to create and authenticate your Split account. We do not use it for advertising, do not sell or transfer it, and do not share it with any third party beyond the technical flow that creates your account.
• Google Analytics 4. We use GA4 only to measure use of the Split dashboard and marketing website. GA4 is not embedded in split.js and does not run on our customers' websites through Split.

8. Subprocessors

We use the following subprocessors to operate Split. Each is bound by a data processing agreement and is only permitted to use your data for the purposes we specify.

• Supabase - authentication and database hosting. Privacy policy.
• Stripe - payment processing. Privacy policy.
• Webflow - Designer Extension platform and customer site integration. Privacy policy.
• Google - Sign in with Google and Google Analytics 4. Privacy policy.

We will provide at least 30 days' notice by email before engaging a new subprocessor that has access to personal data, so that you can object before the change takes effect.

9. Data Retention

• Account data: retained while your account exists. On account deletion we delete account data within 30 days, except where retention is required by law.
• Billing data: retained for 7 years to comply with New Zealand tax and accounting requirements.
• Test configurations and dashboard usage: retained while your account is active.
• Visitor cookies and assignment records: default 30 days from last visit. Customer-configurable in future releases.
• Aggregated, anonymised analytics: retained indefinitely for product research.
• Server and access logs: automatically deleted after 90 days.

10. Security

We use reasonable technical and organisational measures to protect personal data, including TLS encryption in transit, encryption of sensitive data at rest, role-based access controls, and regular review of our infrastructure and code.

Where Signal Studio Limited acts as a processor, we will notify affected customers without undue delay and within 72 hours of becoming aware of a personal data breach affecting their data, so that the customer can meet its own notification obligations.

No method of transmission or storage is completely secure; we cannot guarantee absolute security of your data.

11. Your Rights

Subject to your location, you may have the following rights in relation to personal data we hold about you as a controller: access, rectification, erasure, portability, objection, restriction, and (where processing is based on consent) withdrawal of consent.

To exercise any of these rights, contact privacy@withsplit.com. We will respond within 30 days.

Where you are a website visitor (not a dashboard user), please contact the website owner directly in the first instance; they are the controller of your data. If they escalate to us, we will support them in responding.

We do not currently appoint a representative under Article 27 of the EU GDPR. Data subjects in the European Economic Area and the United Kingdom may contact us directly at the email above to exercise their rights.

12. International Transfers

Split is operated from New Zealand. Your data may be processed in other countries, including the United States, where our subprocessors (Supabase, Stripe, Google) maintain infrastructure. For transfers from the EEA or UK we rely on Standard Contractual Clauses or equivalent transfer mechanisms as required by applicable data protection law.

13. Data Processing Agreement

A Data Processing Agreement is available on request at privacy@withsplit.com. Customers whose websites serve visitors in the European Economic Area, the United Kingdom, or California should execute a DPA with us before going live with Split.

14. Children

The Service is not intended for, or directed at, anyone under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact privacy@withsplit.com and we will delete it promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes we will update the "Last updated" date above. For material changes we will notify you by email or through the Service. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

16. Contact

For any privacy matter, please contact:

Signal Studio Limited (NZ Company Number 8135662)
7 Fred Taylor Drive, Westgate, Auckland 0814, New Zealand
privacy@withsplit.com (privacy)
support@withsplit.com (general support)

‍

If you are in New Zealand you may also contact the Office of the Privacy Commissioner:

Office of the Privacy Commissioner
PO Box 10-094, The Terrace, Wellington 6143
Phone 0800 803 909

‍

If you are in the European Economic Area or United Kingdom, you have the right to lodge a complaint with your local supervisory authority.