Privacy Policy

1. Introduction

This Privacy Policy explains how iusign ("we," "our," or "us") collects, uses, discloses, and safeguards your information when you use our e-signature platform and related services (collectively, the "Services"). By accessing or using the Services, you consent to the practices described in this policy. If you do not agree, please do not use our Services.

Important: This policy does not apply to information collected through other means (e.g., offline, third-party websites, or services not operated by iusign).

2. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
• "Customer" means the entity or individual that subscribes to or uses the Services.
• "End User" means any individual whose Personal Data is processed through the Services at the direction of a Customer (e.g., signers, recipients).
• "Content" means documents, signatures, metadata, audit trails, and other materials uploaded to or generated by the Services.

3. Information We Collect

3.1 Information You Provide Directly

• Account Information: Name, email address, organization, job title, phone number when you register.
• Content: Documents, signatures, form fields, comments, and metadata you upload or create.
• Communications: Support requests, survey responses, or other correspondence.
• Payment Information: Billing address and payment method details (processed by PCI-compliant third parties; we do not store full card numbers).

3.2 Information Collected Automatically

• Usage Data: IP address, browser type, device identifiers, pages viewed, time spent, features used, and clickstream data.
• Cookies and Similar Technologies: We use essential cookies for authentication and security. Optional analytics cookies may be used with your consent where required by law.
• Log Data: Server logs including request timestamps, endpoints accessed, and error reports.

3.3 Information from Third Parties

• Integrations: If you connect third-party services (e.g., Google Workspace, Salesforce), we may receive information per your authorization.
• Service Providers: Analytics, infrastructure, and security vendors may provide aggregated or pseudonymized data.
• Legal Requests: We may receive information from law enforcement or legal processes as required.

4. How We Use Your Information

We process information only for legitimate business purposes, including:

• Providing, maintaining, and improving the Services
• Authenticating users, processing transactions, and sending administrative communications
• Enforcing our Terms of Service and protecting against fraud, abuse, or security incidents
• Complying with legal obligations, responding to lawful requests, and protecting rights
• Generating aggregated, anonymized analytics for product development
• With your consent, sending marketing communications (you may opt out anytime)

Legal Basis (EEA/UK): Processing is based on: (a) performance of a contract with you; (b) legitimate interests (security, improvement, fraud prevention); (c) legal compliance; or (d) your consent where required.

5. How We Share Information

We do not sell your Personal Data. We may disclose information only in the following circumstances:

• Service Providers: Trusted vendors who perform services on our behalf (hosting, analytics, email delivery, payment processing) under strict data processing agreements.
• Legal Requirements: To comply with subpoenas, court orders, government requests, or to protect rights, safety, or property.
• Business Transfers: In connection with a merger, acquisition, financing, or sale of assets, where Personal Data may be transferred subject to confidentiality obligations.
• With Your Consent: When you explicitly authorize sharing with third parties (e.g., integrations).
• Aggregated/Anonymized Data: Non-identifiable information may be shared for research, marketing, or industry analysis.

6. Data Retention

We retain Personal Data only as long as necessary for the purposes outlined in this policy, unless a longer retention period is required by law.

• Account Data: Retained while your account is active, plus up to 90 days after deletion for backup/recovery purposes.
• Content: Retained per your organization's retention policy or default settings. You may configure auto-purge via crypto-shredding.
• Audit Logs: Retained for a minimum of 7 years to support legal defensibility and compliance obligations.
• Deleted Data: When you delete Content or your account, we initiate crypto-shredding (destruction of encryption keys) and secure deletion from active systems. Backup copies may persist for up to 90 days before secure overwrite.

7. International Data Transfers

iusign is a global service. Your information may be transferred to, and processed in, countries other than your own, including the United States.

EEA/UK/Swiss Transfers: We comply with applicable data transfer laws by: (a) relying on adequacy decisions; (b) implementing Standard Contractual Clauses (SCCs) approved by the European Commission; and/or (c) obtaining your explicit consent where required.

Questions? Contact us at privacy@iusign.com for a copy of our transfer safeguards.

8. Your Rights and Choices

Depending on your location, you may have rights regarding your Personal Data:

• Access & Portability: Request a copy of your Personal Data in a structured, machine-readable format.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your Personal Data, subject to legal obligations and legitimate interests.
• Restriction/Objection: Request restriction of processing or object to certain processing activities.
• Marketing Opt-Out: Unsubscribe from promotional emails via the link in any email or by contacting us.
• Cookies: Manage cookie preferences via your browser settings or our consent banner where applicable.

How to Exercise Rights: Submit requests to privacy@iusign.com. We will respond within 30 days and may require verification of identity. We do not discriminate against users who exercise their rights.

Authorized Agents (CCPA): California residents may designate an authorized agent to submit requests on their behalf. We may require written authorization and identity verification.

9. Data Security

We implement technical and organizational measures designed to protect your information, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256-GCM envelope encryption via GCP KMS)
• Ephemeral in-memory processing to minimize data persistence
• Hash-chained, tamper-evident audit logs
• Access controls, least-privilege principles, and regular security training
• Third-party security assessments and vulnerability monitoring

Important Disclaimer: No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for activities under your account.

11. Third-Party Links and Integrations

The Services may contain links to third-party websites or integrations with third-party services. This Privacy Policy does not apply to those third parties. We encourage you to review their privacy practices before providing any information. We are not responsible for the content, security, or practices of third-party sites or services.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, services, or legal requirements. We will post the updated policy on this page with a revised "Last Updated" date. For material changes, we may provide additional notice (e.g., email, in-app banner) where required by law.

Your continued use of the Services after changes take effect constitutes acceptance of the updated policy. If you do not agree, you may discontinue use and request account deletion.

13. Contact Us

For questions about this Privacy Policy or our privacy practices, please contact:

EU/UK Representative: [If applicable, list representative details per GDPR Article 27]