Privacy Policy

Last updated: February 21, 2026

1. Information We Collect

Account information: When you register, we collect your email address and optional display name. We use magic link authentication — we do not store passwords.

Signing data: When you sign a document, we record your name, email, IP address, user agent, timestamp, and electronic signature (typed, drawn, or uploaded image).

Documents: We store documents you create or are invited to sign, including content, signer information, and completed signed PDFs.

Usage data: We collect server logs including IP addresses, page views, and request timestamps for security and analytics purposes.

Payment information: Billing is processed by Stripe. We store your Stripe customer ID and subscription status but never your credit card details.

2. How We Use Your Information
  • To provide the document signing service
  • To send magic link login emails and signing invitations
  • To generate audit trails and signed PDFs
  • To process subscription payments via Stripe
  • To submit participation events to MIR (if you opt in by linking your account)
  • To respond to support and contact inquiries
  • To detect and prevent fraud or abuse
3. MIR Integration

If you link your account to MIR (My Internet Reputation), we share your internal user ID and participation events (e.g., document signed, account created) with MIR. We do not share your email address or document contents with MIR. You can view your MIR data at myinternetreputation.org. Linking is optional and can be managed from your Account page.

4. No Sharing of Personal Information

We will never sell, rent, trade, or share your personally identifiable information (PII) with any third party. Your name, email address, documents, signatures, and any other personal data are yours alone.

The only exception is a lawful, legally binding request from law enforcement or a court of competent jurisdiction. In such cases, we will disclose only the minimum information required by law and will make reasonable efforts to notify you unless legally prohibited from doing so.

5. Service Providers

To operate the Service, we use the following processors strictly to perform their designated function. None of these providers receive your PII for their own purposes:

  • Stripe — processes payments. We send only your email to create a customer record. Stripe's handling of payment card data is governed by their own PCI-DSS compliant privacy policy.
  • MIR — if you voluntarily link your account, we share only an opaque internal user ID and event types (e.g., "document signed"). We never share your name, email, or document contents with MIR.
  • MIR Assertions — receives only cryptographic document hashes for verification. No personal data is transmitted.
  • Zoho Mail — delivers transactional emails (login links, signing invitations) on our behalf.
6. Data Storage and Security

Your data is stored on secure servers with encrypted connections (TLS). Documents and PDFs are stored in DigitalOcean Spaces with access controls. Sessions are managed via Redis with HTTP-only, secure cookies. All document signatures use SHA-256 content hashing and HMAC-SHA256 cryptographic verification.

7. Data Retention

We retain your account data and documents for as long as your account is active. If you delete your account, all your data — including documents, signed PDFs, and personal information — is permanently and irreversibly deleted from our systems within 30 days. Email logs are retained for 90 days for deliverability monitoring, then purged.

8. Your Rights (GDPR & Global Privacy)

Regardless of where you are located, you have the following rights regarding your personal data:

  • Right of Access — You can view all your data via the Dashboard and Account pages at any time. You may also contact us to request a full export of your personal data.
  • Right to Rectification — You can update your name and profile information from the Account page.
  • Right to Erasure ("Right to be Forgotten") — You can permanently delete your account and all associated data from the Account page. This action is irreversible.
  • Right to Data Portability — You can download all your signed documents as PDFs from the Dashboard.
  • Right to Restrict Processing — You may contact us to request that we limit how your data is processed.
  • Right to Object — You may object to any processing of your data by contacting us.
  • Right to Withdraw Consent — Where processing is based on consent (such as MIR linking), you can withdraw at any time by unlinking your MIR account or deleting your account.

We will respond to all rights requests within 30 days. To exercise any of these rights, use the self-service options on your Account page or contact us.

9. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), UK, and Switzerland, we process your data under the following legal bases:

  • Contract performance — Processing necessary to provide the signing service you requested (account creation, document signing, PDF generation, email notifications).
  • Legitimate interest — Server logging for security, fraud prevention, and service reliability.
  • Consent — MIR account linking and optional participation tracking. You can withdraw consent at any time.
  • Legal obligation — Responding to lawful requests from law enforcement.
10. International Data Transfers

Your data may be processed on servers located in the United States. By using the Service, you consent to this transfer. We ensure appropriate safeguards are in place for any international transfers of personal data.

11. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users via email within 72 hours of becoming aware of the breach, as required by GDPR. We will also notify the relevant supervisory authority where required.

12. Cookies

We use a single session cookie to maintain your login state. This cookie is strictly necessary for the Service to function and does not require consent under GDPR. We do not use tracking cookies, advertising cookies, or third-party analytics. No cookie banner is needed because we only use essential cookies.

13. Children's Privacy

The Service is not intended for users under 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect information from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.

14. Data Protection Officer

For privacy inquiries, data protection concerns, or to exercise your rights, contact our Data Protection Officer at our contact page.

15. Supervisory Authority

If you are in the EEA or UK and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority.

16. Changes to This Policy

We may update this policy at any time. We will notify registered users of material changes via email at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.

17. Contact

For any privacy-related questions, contact us.