Signal is a metadata-spreader in the sence of the US-Services.

All traffic of the SignalApp goes over the clouds of Google, Amazon, Microsoft & Cloudflare - here are the subdomains:

Amazon:
textsecure-service.whispersystems.org, cdn.signal.org, sfu.voip.signal.org
Google:
storage.signal.org, contentproxy.signal.org
Microsoft:
api.directory.signal.org, api.backup.signal.org
Cloudflare:
cdn2.signal.org

You can check it by yourself by making a tracert on these subdomains in your console!

Signal only talks about "third partys"! Not telling their users how long they store their (encrypted) messages and who got access to them.

As 85% of all smartpones run on googles Android - which sends information to google about their users every day - incl. the IP !

So with all the messages from signal google can easily tell who is talking to who. Which gives them a huge amount of metadata.

Especially in combination with US (Spy) Cloud-Act
https://en.wikipedia.org/wiki/CLOUD_Act
all US Services can access the cloudstorage of Signal Messages.

If you are looking for a really secure messenger: Check out Threema - which is no. 1 in all messenger-comparison-charts!