1. Introduction
SignQuick ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and safeguard your personal information when you use our electronic signature service at signquick.app.
SignQuick is the data controller for all personal data processed through the Service. We are based in the European Union and comply with the General Data Protection Regulation (GDPR), the eIDAS Regulation, and all other applicable data protection laws.
2. Data We Collect
We collect the following categories of personal data:
Account Information: Your full name, email address, and hashed authentication credentials when you create an account. If you sign in via Google OAuth, we receive your name, email, and profile picture from Google.
Documents & Signatures: PDF documents you upload for signing, electronic signatures (drawn, typed, or uploaded), and any fields you fill in on signing requests. Documents are encrypted with AES-256 before storage. For email/password accounts the encryption key is derived from your password on your own device, so the encryption is end-to-end; for Google OAuth accounts the key is held by us (see Section 4 for the difference).
Signing Metadata: Signer names, email addresses, IP addresses, browser user-agent strings, and precise timestamps. This data is collected to produce legally compliant audit trails.
Payment Information: When you subscribe to a paid plan, Stripe (our payment processor) collects your payment card details. We never store or have access to your full card number.
Usage & Technical Data: IP address, browser type, operating system, pages visited, features used, and referring URL. We collect this via Vercel Analytics (privacy-focused, no cookies) to improve the Service.
Communications: Messages you send through our contact form, feedback submissions, and support correspondence.
3. How We Use Your Data
We process your personal data for the following purposes, each with a lawful basis under GDPR:
Contract Performance: Providing the e-signature service, processing and verifying electronic signatures, generating audit trails, sending signing notifications and reminders, and managing your account.
Legitimate Interest: Improving service performance and reliability, detecting and preventing fraud or abuse, and generating aggregated anonymous analytics.
Legal Obligation: Maintaining audit trails as required by e-signature laws (ESIGN Act, UETA, eIDAS), responding to lawful data requests from authorities, and tax and financial record-keeping.
Consent: Sending marketing emails (only if you opt in), placing non-essential cookies (see Cookie Policy).
4. Data Storage & Security
All personal data and documents are stored on an EU-hosted PostgreSQL database server. Documents and signature data are encrypted using AES-256 encryption before storage.
For email/password users, encryption keys are derived client-side from your password, providing true end-to-end encryption: the key never leaves your device, so we cannot read your document contents. For social login (Google OAuth) users, encryption keys are generated and held server-side, providing encryption at rest. This protects the documents if the stored data is stolen, but because we hold the key, we are technically able to decrypt those documents where the Service requires it.
All data in transit is protected by TLS 1.3. Our application is hosted on Vercel's edge network with automatic DDoS protection. Database backups are encrypted and stored in the EU.
We conduct regular security reviews and follow industry best practices for application security, including input validation, CSRF protection, and rate limiting.
5. Third-Party Data Sharing
We do NOT sell, trade, or rent your personal data. We share data only with the following sub-processors, each of which is GDPR-compliant:
Stripe (San Francisco, USA; EU data processing): Processes subscription payments and billing. Receives your email, name, and payment details. Privacy policy: stripe.com/privacy.
Vercel (San Francisco, USA; EU edge nodes): Hosts the SignQuick application and serves static assets. Processes IP addresses and request metadata. Privacy policy: vercel.com/legal/privacy-policy.
SMTP Email Service: Sends transactional emails (signing invitations, notifications, password resets). Receives recipient email addresses and message content.
Cloudflare Turnstile: Provides bot protection on public forms. Processes IP addresses and browser fingerprint data. No tracking cookies are set.
We require all sub-processors to process data in accordance with GDPR and to maintain appropriate technical and organizational security measures.
6. Data Retention
Documents & Signatures: Retention depends on your plan. Free plan: 7 days. Starter plan: 30 days. Pro plan: 90 days. After the retention period, documents and associated signatures are permanently and irreversibly deleted from our servers and backups.
Account Data: Retained for as long as your account is active. Upon account deletion, all personal data is erased within 30 days, except where we are legally required to retain certain records.
Audit Trails: Retained for 1 year after document deletion to comply with e-signature legal requirements, then permanently deleted.
Payment Records: Transaction records are retained for 7 years as required by tax and financial regulations.
You may request immediate deletion of your data at any time by contacting [email protected] or using the account deletion feature in Settings.
7. Your Rights Under GDPR
If you are in the European Economic Area (EEA), the United Kingdom, or any jurisdiction with similar data protection laws, you have the following rights:
Right of Access: Request a complete copy of all personal data we hold about you, provided in a commonly used electronic format.
Right to Rectification: Request correction of any inaccurate or incomplete personal data.
Right to Erasure: Request deletion of your personal data ("right to be forgotten"). We will comply unless we have a legal obligation to retain certain data.
Right to Data Portability: Receive your personal data in a structured, machine-readable format (JSON/CSV) and transmit it to another controller.
Right to Restrict Processing: Request that we limit how we process your data while a complaint or request is being resolved.
Right to Object: Object to processing based on legitimate interest. We will cease processing unless we have compelling legitimate grounds.
Right to Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time.
To exercise any of these rights, email [email protected]. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your national data protection authority.
8. Cookie Policy
SignQuick uses a minimal set of cookies:
Essential Cookies: Session token (better-auth.session_token) for authentication and CSRF protection. These are strictly necessary and cannot be disabled.
Security: Cloudflare Turnstile uses short-lived cookies/tokens for bot detection on public forms. It processes IP addresses and browser characteristics for this purpose only (see Section 5) and does not track you across websites.
Analytics: Vercel Analytics collects page view data without setting cookies. The technical data it processes is listed in Section 2 and is used only in aggregate; it is not used to build a profile of you or to track you across websites.
We do NOT use advertising cookies, social media tracking pixels, or third-party analytics services that track users across websites.
For full details, see our Cookie Policy page. You can manage cookie preferences through our consent banner or your browser settings.
9. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will notify you by email (sent to the address on your account) or by a prominent notice within the Service at least 14 days before the changes take effect.
The "last updated" date at the top of this page indicates the most recent revision. We encourage you to review this policy periodically.
10. Contact Us
For privacy-related questions, data subject requests, or to exercise your data rights:
Email: [email protected]
Data Controller: SignQuick, European Union
We aim to respond to all privacy inquiries within 30 days. For urgent matters related to data breaches or security concerns, please include "URGENT" in your email subject line.