Skip to main content
AuthenlySign
Back to home

Your Privacy Matters

At AuthenlySign, we believe privacy is a fundamental right. This policy explains how we protect your data with industry-leading security, give you complete control, and never sell your personal information.

Quick Summary

Enterprise-Grade Security

AES-256 encryption, RSA-4096 signatures, SOC 2 compliant infrastructure

We Never Sell Your Data

Your information is never sold to third parties or data brokers

Complete Transparency

Export all your data anytime, see exactly what we collect

Global Compliance

GDPR, CCPA, HIPAA, eIDAS, ESIGN Act compliant

Privacy Policy

Download PDF

Last updated: January 15, 2025 | Version 2.0 | Effective Date: January 1, 2025

1. Information We Collect

We collect information you provide directly to us, information automatically collected through your use of our Service, and information from third-party sources when you authorize us to do so.

1.1 Information You Provide

Account Information:

  • Full name and email address (required)
  • Company name and job title (optional)
  • Password (encrypted with bcrypt, never stored in plain text)
  • Phone number for two-factor authentication (optional)
  • Profile photo (optional)

Document Content:

  • Documents you upload for signing (PDF, DOCX, images)
  • Electronic signatures you create (drawn, typed, or uploaded)
  • Signature metadata (timestamp, IP address, device info)
  • Recipient information (names and email addresses of people you send documents to)
  • Form field responses and custom fields

Payment Information:

  • Billing details (name, address) - Stored by Stripe, our payment processor
  • Last 4 digits of credit card - We do not store full payment card details
  • Transaction history and invoice records
  • Tax identification numbers (for business accounts)

Communications:

  • Support tickets and chat messages
  • Feedback and survey responses
  • Email correspondence with our team
  • Community forum posts and comments

1.2 Automatically Collected Information

Usage Data:

  • Pages viewed, features used, and time spent on platform
  • Documents created, sent, and signed
  • Search queries within the application
  • Click patterns and navigation paths
  • Error logs and performance metrics

Device & Browser Information:

  • IP address and approximate geographic location (city/state level)
  • Browser type, version, and language settings
  • Operating system and device type
  • Screen resolution and device identifiers
  • Referral source (how you found our site)

Cookies & Similar Technologies:

  • Essential Cookies: Required for authentication and core functionality
  • Analytics Cookies: Help us understand usage patterns (opt-out available)
  • Preference Cookies: Remember your settings and language preferences
  • Security Cookies: Detect suspicious activity and prevent fraud

1.3 Biometric Signature Data

For fraud prevention and signature verification, we collect biometric characteristics of electronic signatures:

  • Pressure patterns: Stylus pressure during signing
  • Velocity analysis: Signing speed and stroke patterns
  • Timing metrics: Duration and rhythm of signature
  • Geometric features: Shape, size, and proportions

Note: This data is used solely for fraud detection and signature verification. It is encrypted, never shared with third parties, and you can opt-out of biometric analysis in your privacy settings.

2. How We Use Your Information

We process your information based on specific legal grounds and for clearly defined purposes. Below is a comprehensive breakdown of how we use your data:

2.1 Core Service Delivery

  • Document Processing: Upload, store, render, and deliver documents for electronic signature
  • Signature Execution: Capture, validate, and apply electronic signatures to documents
  • Notification Delivery: Send email notifications to signers, reminders, and completion confirmations
  • Audit Trail Generation: Create tamper-evident records of all document activities for legal compliance
  • Account Management: Authenticate users, manage subscriptions, and process billing
  • Team Collaboration: Enable document sharing, role-based permissions, and workspace management

2.2 Security and Fraud Prevention

  • Identity Verification: Verify signer identity through email confirmation, access codes, and optional ID verification
  • Fraud Detection: Analyze signing patterns, IP addresses, and device fingerprints to detect suspicious activity
  • Account Protection: Monitor for unauthorized access attempts, credential stuffing, and account takeover
  • Document Integrity: Apply cryptographic hashes and digital certificates to ensure document authenticity
  • Rate Limiting: Prevent abuse through intelligent rate limiting and CAPTCHA challenges

2.3 Product Improvement and Analytics

  • Usage Analytics: Understand how features are used to prioritize development and improvements
  • Performance Monitoring: Track page load times, error rates, and system health metrics
  • A/B Testing: Test new features and UI improvements with consenting users
  • Aggregated Insights: Generate anonymized statistics about platform usage trends
  • Customer Feedback: Analyze support tickets and feedback to identify improvement opportunities

2.4 Communication

  • Transactional Emails: Document status updates, signing requests, completion confirmations (cannot be opted out)
  • Security Alerts: Notifications about suspicious activity, password changes, or new device logins
  • Service Announcements: Important updates about the platform, security patches, or policy changes
  • Marketing Communications: Product updates, tips, and promotional content (with explicit opt-in consent)
  • Support Correspondence: Responses to your inquiries and follow-up communications

2.5 Legal and Compliance

  • Legal Validity: Ensure electronic signatures meet ESIGN Act, UETA, and eIDAS requirements
  • Regulatory Compliance: Maintain records required by HIPAA, SOX, FDA 21 CFR Part 11, and other regulations
  • Legal Discovery: Produce documents and audit trails in response to valid legal requests
  • Dispute Resolution: Provide evidence of signing events in case of contested signatures
  • Tax and Financial: Generate invoices, process refunds, and report taxable transactions as required

Legal Basis: We process your data based on: (1) Contractual necessity to provide the Service, (2) Legitimate interests in security and product improvement, (3) Legal obligations for compliance and record-keeping, and (4) Your explicit consent for optional features like marketing.

3. Information Sharing and Disclosure

We are committed to protecting your privacy and only share information when necessary to provide our services, comply with legal requirements, or with your explicit consent. We never sell your personal information to data brokers, advertisers, or any third parties.

3.1 Service Providers (Sub-processors)

We share data with carefully vetted service providers who help us operate the platform:

ProviderPurposeData SharedLocation
SupabaseDatabase & AuthenticationAll account and document dataUS (AWS)
StripePayment ProcessingBilling info, payment cardsUS
VercelHosting & CDNIP addresses, usage logsGlobal Edge
ResendEmail DeliveryEmail addresses, message contentUS
Vercel BlobDocument StorageUploaded documentsUS
PostHogAnalytics (Optional)Anonymized usage dataEU/US

All sub-processors are bound by Data Processing Agreements (DPAs) that require them to protect your data and use it only for the specified purposes.

3.2 Document Recipients

When you send a document for signature, we share information with the recipients you designate:

  • Sender Information: Your name, email, and company name (if provided)
  • Document Content: The document itself and any attached files
  • Signing Instructions: Field locations, required actions, and deadlines
  • Completion Status: Notification when all parties have signed

Recipients cannot see other signers' personal information (like IP addresses or device details) unless you enable the shared audit trail feature.

3.3 Legal and Regulatory Disclosure

We may disclose your information when legally required or to protect rights and safety:

  • Court Orders & Subpoenas: Valid legal process requiring disclosure
  • Government Requests: Lawful requests from law enforcement or regulatory agencies
  • Safety Threats: Imminent threats to life, health, or security
  • Rights Protection: Defending against legal claims or protecting our legal rights
  • Fraud Investigation: Investigating suspected fraud, abuse, or policy violations

Transparency Commitment: Unless legally prohibited, we will notify you before disclosing your information in response to legal requests, giving you the opportunity to object.

3.4 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our website before your information becomes subject to a different privacy policy. You will have the opportunity to delete your account and data before such a transfer.

3.5 With Your Consent

We may share information for purposes not listed here only with your explicit consent. For example, if you choose to integrate AuthenlySign with third-party applications (CRM, cloud storage), we will share data as necessary to enable those integrations with your authorization.

4. Data Security

We implement comprehensive security measures to protect your information from unauthorized access, alteration, disclosure, or destruction. Security is fundamental to our service - your documents contain sensitive information, and we treat their protection as a top priority.

4.1 Encryption

  • In Transit: All data is encrypted using TLS 1.3 with forward secrecy. We enforce HTTPS across all endpoints and use HSTS headers.
  • At Rest: Documents and database records are encrypted using AES-256 encryption. Encryption keys are managed via hardware security modules (HSMs).
  • Digital Signatures: RSA-4096 asymmetric encryption for document signing certificates. SHA-256 hashing for document integrity verification.
  • Password Storage: User passwords are hashed using bcrypt with unique salts per user. We never store plaintext passwords.

4.2 Infrastructure Security

  • Cloud Infrastructure: Hosted on SOC 2 Type II certified infrastructure with geographic redundancy
  • Network Security: Web Application Firewall (WAF), DDoS protection, and intrusion detection systems
  • Access Controls: Role-based access, principle of least privilege, and mandatory multi-factor authentication for all employees
  • Monitoring: 24/7 security monitoring, automated threat detection, and real-time alerting
  • Vulnerability Management: Regular penetration testing, automated security scanning, and a responsible disclosure program

4.3 Audit Trail Integrity

  • Hash Chains: Every document event is cryptographically chained to prevent tampering
  • Timestamping: RFC 3161 compliant timestamps from trusted timestamp authorities
  • Immutable Logs: Audit logs are append-only and cannot be modified or deleted
  • Certificate of Completion: Signed certificate containing full audit trail attached to completed documents

4.4 Compliance Certifications

SOC 2 Type II

Security, Availability, Confidentiality

HIPAA

Healthcare Data Compliance

GDPR

EU Data Protection

4.5 Incident Response

In the event of a security incident affecting your data, we will:

  • Notify affected users within 72 hours of discovery (as required by GDPR)
  • Provide details about the nature of the incident and data potentially affected
  • Describe the measures taken to address and mitigate the incident
  • Offer guidance on steps you can take to protect yourself
  • Report to relevant regulatory authorities as required by law

Security Disclosure: If you discover a security vulnerability, please report it to security@authenlysign.com. We offer a bug bounty program and will not pursue legal action against good-faith security researchers.

5. Your Privacy Rights

We believe you should have full control over your personal information. Regardless of where you live, we provide the following rights to all users:

1Right to Access

Request a complete copy of all personal data we hold about you, including:

  • Account information and profile data
  • Documents you have created or signed
  • Audit logs and activity history
  • Communication history with our support team

How to exercise: Settings → Privacy → Download My Data (or email privacy@authenlysign.com)

2Right to Rectification

Correct inaccurate or incomplete personal information:

  • Update your name, email, phone number, and company information in Settings
  • Request corrections to data you cannot edit directly by contacting support
  • Note: Signed documents cannot be modified after signing for legal integrity

3Right to Erasure (Right to be Forgotten)

Request deletion of your personal data, subject to legal retention requirements:

  • Delete your account and associated profile information
  • Remove draft documents that have not been sent
  • Delete signature images and biometric data

Limitations: We may retain certain data for legal compliance, dispute resolution, or legitimate business purposes (see Data Retention section).

4Right to Data Portability

Receive your data in a structured, machine-readable format:

  • Export documents as PDF with embedded audit trails
  • Download account data in JSON format
  • Export contact lists and templates
  • Transfer data to another service provider upon request

5Right to Restrict Processing

Limit how we use your data in certain circumstances:

  • While we verify the accuracy of contested data
  • If processing is unlawful but you prefer restriction over deletion
  • When we no longer need the data but you require it for legal claims

6Right to Object

Object to processing based on legitimate interests:

  • Opt-out of analytics and usage tracking
  • Disable biometric signature analysis
  • Unsubscribe from marketing communications
  • Request human review of automated decisions

7Right to Withdraw Consent

Where we process data based on consent, you can withdraw that consent at any time. This won't affect the lawfulness of processing before withdrawal.

How to Exercise Your Rights

  • Self-Service: Most rights can be exercised directly in Settings → Privacy
  • Email: privacy@authenlysign.com (include your account email for verification)
  • Mail: AuthenlySign Inc., Attn: Privacy Team, 120 19th ST N STE 201 NUM 750307, Birmingham, AL 35203
  • Response Time: We will respond within 30 days (45 days for complex requests)
  • Verification: We may need to verify your identity before processing requests
  • No Fee: Exercising your rights is free, except for manifestly unfounded or excessive requests

6. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). This section describes those rights and how to exercise them.

6.1 Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information:

CategoryExamplesCollected
IdentifiersName, email, IP address, account IDYes
Commercial InformationPurchase history, subscription detailsYes
Internet ActivityBrowsing history, search queries, interactionsYes
Geolocation DataApproximate location from IP addressYes
Professional InformationJob title, company nameYes
Biometric InformationSignature characteristicsYes
Sensitive Personal InformationAccount credentials, payment infoYes

6.2 Your California Rights

  • Right to Know: Request disclosure of categories and specific pieces of personal information collected
  • Right to Delete: Request deletion of personal information (subject to exceptions)
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising
  • Right to Limit Use of Sensitive Information: Restrict use of sensitive personal information to necessary purposes only
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

6.3 Notice of Financial Incentive

We do not offer financial incentives in exchange for the retention or sale of personal information.

6.4 Authorized Agents

You may designate an authorized agent to make requests on your behalf. The agent must provide written authorization signed by you, and we may require you to verify your identity directly with us.

6.5 Shine the Light

California Civil Code Section 1798.83 permits California residents to request information regarding disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

7. GDPR Compliance (EU/EEA/UK Users)

If you are located in the European Union, European Economic Area, or United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR provide you with specific rights regarding your personal data.

7.1 Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide the services you requested (account creation, document signing, email notifications)
  • Legitimate Interests: Security, fraud prevention, product improvement, and analytics (where our interests do not override your rights)
  • Legal Obligation: Compliance with tax laws, anti-money laundering regulations, and legal discovery requirements
  • Consent: Marketing communications, optional analytics, and biometric signature analysis (you can withdraw consent anytime)

7.2 Additional GDPR Rights

In addition to the rights listed in Section 5, EU/EEA/UK residents have:

  • Right to Lodge a Complaint: You may file a complaint with your local data protection authority (supervisory authority)
  • Right to Object to Automated Decision-Making: Request human review of decisions made solely by automated processing that significantly affect you

7.3 Data Protection Authority Contact

If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at: https://edpb.europa.eu

7.4 EU Representative

For GDPR inquiries, you may contact our EU representative at: eu-privacy@authenlysign.com

8. Data Retention

We retain your information only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Below are our specific retention periods:

Data TypeRetention PeriodReason
Account InformationDuration of account + 30 daysService provision, account recovery
Signed Documents7 years (default, configurable)Legal validity, statute of limitations
Audit Trails7 years (cannot be shortened)Legal evidence, regulatory compliance
Draft Documents (unsent)90 days of inactivityUser convenience, storage efficiency
Billing Records7 yearsTax and accounting requirements
Support Tickets3 years after resolutionService improvement, dispute resolution
Usage Analytics26 months (anonymized after)Product improvement, trend analysis
Security Logs1 yearSecurity monitoring, incident response
Marketing Consent Records3 years after consent withdrawalCompliance documentation
Biometric Signature DataSame as signed documentSignature verification, fraud prevention

Custom Retention Settings

Enterprise customers can configure custom retention periods through workspace settings:

  • Minimum: 1 year (to ensure legal validity of signed documents)
  • Maximum: Indefinite (for regulated industries requiring permanent records)
  • Auto-Delete: Configure automatic deletion after a specified period
  • Legal Hold: Suspend deletion for documents subject to litigation or investigation

After Account Deletion

When you delete your account, we will delete or anonymize your personal information within 30 days, except for data we are legally required to retain (signed documents, audit trails, billing records). Documents you signed as a recipient for other users remain in their accounts with your signature intact.

9. International Data Transfers

AuthenlySign is based in the United States, and our primary data processing occurs in the US. If you are located outside the United States, your information will be transferred to and processed in the US, where data protection laws may differ from those in your country.

9.1 Transfer Mechanisms

We rely on the following legal mechanisms to transfer data internationally:

  • Standard Contractual Clauses (SCCs): We use EU-approved SCCs with our sub-processors to ensure adequate protection for EU/EEA/UK data
  • UK International Data Transfer Agreement: For UK data transfers post-Brexit
  • Adequacy Decisions: We leverage adequacy decisions where applicable (e.g., UK, Switzerland)
  • Binding Corporate Rules: For transfers to corporate affiliates (where applicable)

9.2 Data Localization Options

For customers with strict data residency requirements:

  • US Region: Data stored in AWS US-East (default)
  • EU Region: Data stored in AWS EU-West (Ireland) - available on Enterprise plans
  • APAC Region: Data stored in AWS Asia-Pacific - available on Enterprise plans

Contact sales@authenlysign.com for information about data residency options for your organization.

9.3 Supplementary Measures

In addition to legal transfer mechanisms, we implement supplementary technical and organizational measures:

  • End-to-end encryption for documents in transit and at rest
  • Pseudonymization of personal data where possible
  • Strict access controls limiting who can view personal data
  • Regular security assessments of our sub-processors
  • Contractual commitments to challenge overbroad government data requests

10. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to provide functionality, analyze usage, and personalize your experience. For detailed information about the cookies we use and your choices, please see our Cookie Policy.

Managing Your Cookie Preferences

  • Browser Settings: Most browsers allow you to block or delete cookies through settings
  • Cookie Banner: Use our cookie consent banner to manage preferences (appears on first visit)
  • Privacy Settings: Adjust tracking preferences in Settings → Privacy
  • Do Not Track: We honor Do Not Track browser signals for analytics cookies

Note: Disabling essential cookies may prevent you from using certain features of the Service, such as staying logged in or completing document signing sessions.

11. Children's Privacy

AuthenlySign is a business service designed for adults. We do not knowingly collect, use, or disclose personal information from children under 18 years of age (or the applicable age of majority in your jurisdiction).

  • Our Terms of Service require users to be at least 18 years old
  • We do not intentionally market our services to minors
  • If we learn that we have collected information from a child, we will promptly delete it
  • Parents or guardians who believe their child has provided us information should contact privacy@authenlysign.com

Educational Institutions: If you are an educational institution using AuthenlySign for student records, you are responsible for obtaining appropriate parental consent as required by FERPA, COPPA, and applicable state laws.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

How We Notify You

  • Material Changes: We will notify you via email and/or prominent notice on our website at least 30 days before the changes take effect
  • Minor Changes: Updates to formatting, clarifications, or non-substantive changes may be made without notice
  • Version History: We maintain a version history of this policy (see link at top of page)

Your Acceptance

Your continued use of AuthenlySign after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to the changes, you should stop using the Service and delete your account before the changes take effect.

13. Contact Us

We are committed to resolving your privacy concerns. If you have questions, comments, or requests regarding this Privacy Policy or our data practices, please contact us through any of the following channels:

General Privacy Inquiries

Email: privacy@authenlysign.com

Response Time: 2-3 business days

For general questions about our privacy practices

Data Protection Officer

Email: dpo@authenlysign.com

Response Time: 5 business days

For GDPR inquiries and formal data requests

Security Concerns

Email: security@authenlysign.com

Response Time: 24 hours

For reporting security vulnerabilities

Data Subject Requests

Portal: Settings → Privacy → My Data

Processing Time: Within 30 days

Access, delete, or export your data

Mailing Address

AuthenlySign Inc.
Attn: Privacy Team
120 19th ST N STE 201 NUM 750307
Birmingham, AL 35203
United States

EU Representative

For users in the European Union who wish to contact a local representative:

Email: eu-privacy@authenlysign.com
Purpose: GDPR inquiries and data protection matters for EU residents

Escalation: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority (for EU/UK residents) or the appropriate regulatory body in your jurisdiction.