1. Who we are
SignMeHere is operated by [LEGAL: registered entity name and number] ("SignMeHere", "we", "us"). Our registered address is [LEGAL: address]. Privacy questions should be directed to privacy@signmehere.com.
2. Scope of this policy
This policy covers personal information we collect when you (a) hold an administrative or end-user account on SignMeHere, (b) are invited to sign or review an envelope, or (c) interact with our marketing website.
When a customer organisation sends you an envelope, that customer is the controller of the data inside the envelope. We process it on their behalf under our Data Processing Agreement. This policy covers the information we hold as a controller in our own right (account, billing, audit and operational data).
3. Categories of information we process
The following data flows are operationally true today:
- Account data: name, work email, organisation, role, hashed password (Argon2id), MFA secrets (encrypted), passkey credentials.
- Identity verification data: when a sender requires it, government ID and biometric checks performed by our verification partner. Evidence is stored encrypted; raw images are not retained beyond the verification window.
- Document content: the PDFs you upload, the signed copies we seal, and the field values entered by signers. Encrypted at rest with AES-256-GCM under envelope encryption.
- Audit data: a tamper-evident hash chain of every action against an envelope (view, consent, sign, decline, void, seal). Required for legal validity under ESIGN, UETA and eIDAS.
- Operational telemetry: request logs, error traces and performance metrics. PII is suppressed by default at the logging layer.
- Billing data: processed by our payment partner; we hold customer ID, plan, seat count and invoice history but no card numbers.
4. Why we process it
- Service delivery: render documents, route envelopes, deliver email, generate certificates of completion.
- Security and integrity: rate limiting, anomaly detection, MFA enforcement, audit-chain verification.
- Legal validity: retaining the audit trail of who did what, where and when, for the lifetime of the envelope.
- Billing: seat-based pricing requires us to know who is using the system.
- Customer support: account holders can authorise our support team to access their data on a per-incident basis. Access is logged.
We do not sell personal information. We do not use customer documents or audit data to train external AI models. [LEGAL: confirm phrasing for CCPA "sale" and "sharing" definitions]
5. Lawful basis (UK and EU)
For account, billing and audit data: contract performance and our legitimate interest in operating a secure and auditable service. For verification evidence: explicit consent collected at signing time. For marketing email: consent, which can be withdrawn through the unsubscribe link in every message.
[LEGAL: confirm Art. 6 mapping per data category for production launch]
6. Retention
Account data is retained for the life of the account plus 90 days after deletion. Envelope content and audit chains are retained per the customer's configured retention policy (default seven years for completed envelopes, 30 days for drafts). Customers can place envelopes under legal hold to suspend retention deletion.
Operational telemetry is retained for 90 days. Backups are retained for 35 days with point-in-time recovery.
7. Sub-processors
We rely on the sub-processors listed on our Trust centre. Customers can subscribe to change notifications and have a 30-day window to object before a new sub-processor goes live.
8. International transfers
Customers can pin envelope storage and audit data to one of: Australia, United States, European Union, APAC. Cross-region replication is opt-in. Where data leaves the EEA or UK we rely on the relevant Standard Contractual Clauses and the UK Addendum.
[LEGAL: confirm SCCs module choice and UK IDTA approach]
9. Your rights
Subject to applicable law, you can request access to, correction or deletion of, or a copy of the personal information we hold about you. You can also object to processing or restrict it. End-user requests should start with the customer organisation that sent you the envelope; if that organisation cannot resolve the request, contact us directly.
- Right to access and export
- Right to rectification
- Right to deletion (subject to legal hold and our retention obligations)
- Right to restrict or object to processing
- Right to lodge a complaint with a supervisory authority
10. Security
Technical and organisational measures include MFA enforcement for admin sessions, hash-chained audit logs, envelope encryption with optional customer-managed keys, scoped API keys, IP allowlisting, rate limiting, and a documented incident response runbook.
We notify affected customers within 72 hours of confirming a security incident impacting their data. Sub-processor breaches are reported to us under the same window.
11. Children
SignMeHere is not directed at children under 16. We do not knowingly collect personal information from anyone under that age. Customers must not configure signer flows that target under-16s without parental consent and an appropriate lawful basis.
12. Changes to this policy
Material changes will be announced at least 30 days before they take effect, in-product and via email to account administrators. The current effective version will always be linked from the Trust centre.
13. Contact
Privacy enquiries: privacy@signmehere.com. Data Protection Officer: [LEGAL: appointment status and contact]. EU representative: [LEGAL: required if no EU establishment]. UK representative: [LEGAL: required if no UK establishment].
