Privacy Policy
Effective March 5, 2026
1. Overview
2. Data We Collect
During a signing session, we temporarily process the following data:
From the sender
- Name and email address
- IP address and user agent (browser identifier)
- The uploaded PDF document (stored encrypted)
From each signer
- Name and email address
- IP address and user agent
- Public signing key (generated in browser; private key never leaves the device)
- Cryptographic signature over the signing statement
- Photo (only if the sender enabled photo capture for the session)
Automatically collected
- Email verification codes (temporary, deleted after use or expiry)
- Rate-limiting counters (by IP address, temporary)
3. How We Use Your Data
We use the collected data exclusively to:
- Verify email addresses via one-time codes
- Serve the document to authorized signers during the signing window
- Record signatures and produce the signed PDF
- Deliver the signed document to designated recipients via email
- Send completion and cancellation notifications
- Enforce rate limits and prevent abuse
We do not use your data for advertising, analytics, profiling, or any purpose other than facilitating the signing session.
4. Data Retention and Deletion
All server-side data is permanently deleted when a signing session ends.
A signing session ends when any of the following occurs:
- All signers complete signing and the signed document is delivered
- The session expires (default: 72 hours after creation)
- The sender or a signer cancels the session
Upon session end, we delete the encrypted document, all encryption keys, metadata records (names, emails, IP addresses, signatures), and any captured photos. This deletion is permanent and irreversible. We do not retain backups of signing session data.
The signed PDF itself, once delivered to recipients, exists only in those recipients' possession. We do not retain a copy.
5. Data Storage and Security
- Documents are encrypted with AES-256-GCM before storage
- Each signing session uses a unique encryption key
- Encryption keys are destroyed when the session ends
- All data is transmitted over HTTPS (TLS)
- Email verification uses time-limited, single-use codes
- Session tokens are stored as cryptographic hashes, not plaintext
- Signing keys are generated in the signer's browser; private keys never reach our servers
6. Cookies and Tracking
7. Your Rights
Because all data is automatically deleted when a signing session ends, most data rights are satisfied by design. Specifically:
- Right to deletion: Satisfied automatically. All data is deleted when the session ends.
- Right to access: During an active session, signers can view the document and their signing status. After session end, no data exists on our servers to access.
- Right to cancel: Both the sender and any signer can cancel a signing session at any time, which triggers immediate data deletion.
For EU/EEA residents: our legal basis for processing is legitimate interest (facilitating the signing session you initiated or were invited to). Given the ephemeral nature of the data processing and guaranteed deletion, we believe this is proportionate and minimally intrusive.