Your Privacy Matters
At AuthenlySign, we believe privacy is a fundamental right. This policy explains how we protect your data with industry-leading security, give you complete control, and never sell your personal information.
Quick Summary
Enterprise-Grade Security
AES-256 encryption, RSA-4096 signatures, SOC 2 compliant infrastructure
We Never Sell Your Data
Your information is never sold to third parties or data brokers
Complete Transparency
Export all your data anytime, see exactly what we collect
Global Compliance
GDPR, CCPA, HIPAA, eIDAS, ESIGN Act compliant
Privacy Policy
Download PDFLast updated: January 15, 2025 | Version 2.0 | Effective Date: January 1, 2025
1. Information We Collect
We collect information you provide directly to us, information automatically collected through your use of our Service, and information from third-party sources when you authorize us to do so.
1.1 Information You Provide
Account Information:
- Full name and email address (required)
- Company name and job title (optional)
- Password (encrypted with bcrypt, never stored in plain text)
- Phone number for two-factor authentication (optional)
- Profile photo (optional)
Document Content:
- Documents you upload for signing (PDF, DOCX, images)
- Electronic signatures you create (drawn, typed, or uploaded)
- Signature metadata (timestamp, IP address, device info)
- Recipient information (names and email addresses of people you send documents to)
- Form field responses and custom fields
Payment Information:
- Billing details (name, address) - Stored by Stripe, our payment processor
- Last 4 digits of credit card - We do not store full payment card details
- Transaction history and invoice records
- Tax identification numbers (for business accounts)
Communications:
- Support tickets and chat messages
- Feedback and survey responses
- Email correspondence with our team
- Community forum posts and comments
1.2 Automatically Collected Information
Usage Data:
- Pages viewed, features used, and time spent on platform
- Documents created, sent, and signed
- Search queries within the application
- Click patterns and navigation paths
- Error logs and performance metrics
Device & Browser Information:
- IP address and approximate geographic location (city/state level)
- Browser type, version, and language settings
- Operating system and device type
- Screen resolution and device identifiers
- Referral source (how you found our site)
Cookies & Similar Technologies:
- Essential Cookies: Required for authentication and core functionality
- Analytics Cookies: Help us understand usage patterns (opt-out available)
- Preference Cookies: Remember your settings and language preferences
- Security Cookies: Detect suspicious activity and prevent fraud
1.3 Biometric Signature Data
For fraud prevention and signature verification, we collect biometric characteristics of electronic signatures:
- Pressure patterns: Stylus pressure during signing
- Velocity analysis: Signing speed and stroke patterns
- Timing metrics: Duration and rhythm of signature
- Geometric features: Shape, size, and proportions
Note: This data is used solely for fraud detection and signature verification. It is encrypted, never shared with third parties, and you can opt-out of biometric analysis in your privacy settings.
2. How We Use Your Information
We process your information based on specific legal grounds and for clearly defined purposes. Below is a comprehensive breakdown of how we use your data:
2.1 Core Service Delivery
- Document Processing: Upload, store, render, and deliver documents for electronic signature
- Signature Execution: Capture, validate, and apply electronic signatures to documents
- Notification Delivery: Send email notifications to signers, reminders, and completion confirmations
- Audit Trail Generation: Create tamper-evident records of all document activities for legal compliance
- Account Management: Authenticate users, manage subscriptions, and process billing
- Team Collaboration: Enable document sharing, role-based permissions, and workspace management
2.2 Security and Fraud Prevention
- Identity Verification: Verify signer identity through email confirmation, access codes, and optional ID verification
- Fraud Detection: Analyze signing patterns, IP addresses, and device fingerprints to detect suspicious activity
- Account Protection: Monitor for unauthorized access attempts, credential stuffing, and account takeover
- Document Integrity: Apply cryptographic hashes and digital certificates to ensure document authenticity
- Rate Limiting: Prevent abuse through intelligent rate limiting and CAPTCHA challenges
2.3 Product Improvement and Analytics
- Usage Analytics: Understand how features are used to prioritize development and improvements
- Performance Monitoring: Track page load times, error rates, and system health metrics
- A/B Testing: Test new features and UI improvements with consenting users
- Aggregated Insights: Generate anonymized statistics about platform usage trends
- Customer Feedback: Analyze support tickets and feedback to identify improvement opportunities
2.4 Communication
- Transactional Emails: Document status updates, signing requests, completion confirmations (cannot be opted out)
- Security Alerts: Notifications about suspicious activity, password changes, or new device logins
- Service Announcements: Important updates about the platform, security patches, or policy changes
- Marketing Communications: Product updates, tips, and promotional content (with explicit opt-in consent)
- Support Correspondence: Responses to your inquiries and follow-up communications
2.5 Legal and Compliance
- Legal Validity: Ensure electronic signatures meet ESIGN Act, UETA, and eIDAS requirements
- Regulatory Compliance: Maintain records required by HIPAA, SOX, FDA 21 CFR Part 11, and other regulations
- Legal Discovery: Produce documents and audit trails in response to valid legal requests
- Dispute Resolution: Provide evidence of signing events in case of contested signatures
- Tax and Financial: Generate invoices, process refunds, and report taxable transactions as required
Legal Basis: We process your data based on: (1) Contractual necessity to provide the Service, (2) Legitimate interests in security and product improvement, (3) Legal obligations for compliance and record-keeping, and (4) Your explicit consent for optional features like marketing.
3. Information Sharing and Disclosure
We are committed to protecting your privacy and only share information when necessary to provide our services, comply with legal requirements, or with your explicit consent. We never sell your personal information to data brokers, advertisers, or any third parties.
3.1 Service Providers (Sub-processors)
We share data with carefully vetted service providers who help us operate the platform:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database & Authentication | All account and document data | US (AWS) |
| Stripe | Payment Processing | Billing info, payment cards | US |
| Vercel | Hosting & CDN | IP addresses, usage logs | Global Edge |
| Resend | Email Delivery | Email addresses, message content | US |
| Vercel Blob | Document Storage | Uploaded documents | US |
| PostHog | Analytics (Optional) | Anonymized usage data | EU/US |
All sub-processors are bound by Data Processing Agreements (DPAs) that require them to protect your data and use it only for the specified purposes.
3.2 Document Recipients
When you send a document for signature, we share information with the recipients you designate:
- Sender Information: Your name, email, and company name (if provided)
- Document Content: The document itself and any attached files
- Signing Instructions: Field locations, required actions, and deadlines
- Completion Status: Notification when all parties have signed
Recipients cannot see other signers' personal information (like IP addresses or device details) unless you enable the shared audit trail feature.
3.3 Legal and Regulatory Disclosure
We may disclose your information when legally required or to protect rights and safety:
- Court Orders & Subpoenas: Valid legal process requiring disclosure
- Government Requests: Lawful requests from law enforcement or regulatory agencies
- Safety Threats: Imminent threats to life, health, or security
- Rights Protection: Defending against legal claims or protecting our legal rights
- Fraud Investigation: Investigating suspected fraud, abuse, or policy violations
Transparency Commitment: Unless legally prohibited, we will notify you before disclosing your information in response to legal requests, giving you the opportunity to object.
3.4 Business Transfers
In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our website before your information becomes subject to a different privacy policy. You will have the opportunity to delete your account and data before such a transfer.
3.5 With Your Consent
We may share information for purposes not listed here only with your explicit consent. For example, if you choose to integrate AuthenlySign with third-party applications (CRM, cloud storage), we will share data as necessary to enable those integrations with your authorization.
4. Data Security
We implement comprehensive security measures to protect your information from unauthorized access, alteration, disclosure, or destruction. Security is fundamental to our service - your documents contain sensitive information, and we treat their protection as a top priority.
4.1 Encryption
- In Transit: All data is encrypted using TLS 1.3 with forward secrecy. We enforce HTTPS across all endpoints and use HSTS headers.
- At Rest: Documents and database records are encrypted using AES-256 encryption. Encryption keys are managed via hardware security modules (HSMs).
- Digital Signatures: RSA-4096 asymmetric encryption for document signing certificates. SHA-256 hashing for document integrity verification.
- Password Storage: User passwords are hashed using bcrypt with unique salts per user. We never store plaintext passwords.
4.2 Infrastructure Security
- Cloud Infrastructure: Hosted on SOC 2 Type II certified infrastructure with geographic redundancy
- Network Security: Web Application Firewall (WAF), DDoS protection, and intrusion detection systems
- Access Controls: Role-based access, principle of least privilege, and mandatory multi-factor authentication for all employees
- Monitoring: 24/7 security monitoring, automated threat detection, and real-time alerting
- Vulnerability Management: Regular penetration testing, automated security scanning, and a responsible disclosure program
4.3 Audit Trail Integrity
- Hash Chains: Every document event is cryptographically chained to prevent tampering
- Timestamping: RFC 3161 compliant timestamps from trusted timestamp authorities
- Immutable Logs: Audit logs are append-only and cannot be modified or deleted
- Certificate of Completion: Signed certificate containing full audit trail attached to completed documents
4.4 Compliance Certifications
SOC 2 Type II
Security, Availability, Confidentiality
HIPAA
Healthcare Data Compliance
GDPR
EU Data Protection
4.5 Incident Response
In the event of a security incident affecting your data, we will:
- Notify affected users within 72 hours of discovery (as required by GDPR)
- Provide details about the nature of the incident and data potentially affected
- Describe the measures taken to address and mitigate the incident
- Offer guidance on steps you can take to protect yourself
- Report to relevant regulatory authorities as required by law
Security Disclosure: If you discover a security vulnerability, please report it to security@authenlysign.com. We offer a bug bounty program and will not pursue legal action against good-faith security researchers.
5. Your Privacy Rights
We believe you should have full control over your personal information. Regardless of where you live, we provide the following rights to all users:
1Right to Access
Request a complete copy of all personal data we hold about you, including:
- Account information and profile data
- Documents you have created or signed
- Audit logs and activity history
- Communication history with our support team
How to exercise: Settings → Privacy → Download My Data (or email privacy@authenlysign.com)
2Right to Rectification
Correct inaccurate or incomplete personal information:
- Update your name, email, phone number, and company information in Settings
- Request corrections to data you cannot edit directly by contacting support
- Note: Signed documents cannot be modified after signing for legal integrity
3Right to Erasure (Right to be Forgotten)
Request deletion of your personal data, subject to legal retention requirements:
- Delete your account and associated profile information
- Remove draft documents that have not been sent
- Delete signature images and biometric data
Limitations: We may retain certain data for legal compliance, dispute resolution, or legitimate business purposes (see Data Retention section).
4Right to Data Portability
Receive your data in a structured, machine-readable format:
- Export documents as PDF with embedded audit trails
- Download account data in JSON format
- Export contact lists and templates
- Transfer data to another service provider upon request
5Right to Restrict Processing
Limit how we use your data in certain circumstances:
- While we verify the accuracy of contested data
- If processing is unlawful but you prefer restriction over deletion
- When we no longer need the data but you require it for legal claims
6Right to Object
Object to processing based on legitimate interests:
- Opt-out of analytics and usage tracking
- Disable biometric signature analysis
- Unsubscribe from marketing communications
- Request human review of automated decisions
7Right to Withdraw Consent
Where we process data based on consent, you can withdraw that consent at any time. This won't affect the lawfulness of processing before withdrawal.
How to Exercise Your Rights
- Self-Service: Most rights can be exercised directly in Settings → Privacy
- Email: privacy@authenlysign.com (include your account email for verification)
- Mail: AuthenlySign Inc., Attn: Privacy Team, 120 19th ST N STE 201 NUM 750307, Birmingham, AL 35203
- Response Time: We will respond within 30 days (45 days for complex requests)
- Verification: We may need to verify your identity before processing requests
- No Fee: Exercising your rights is free, except for manifestly unfounded or excessive requests
6. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). This section describes those rights and how to exercise them.
6.1 Categories of Personal Information Collected
In the past 12 months, we have collected the following categories of personal information:
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, IP address, account ID | Yes |
| Commercial Information | Purchase history, subscription details | Yes |
| Internet Activity | Browsing history, search queries, interactions | Yes |
| Geolocation Data | Approximate location from IP address | Yes |
| Professional Information | Job title, company name | Yes |
| Biometric Information | Signature characteristics | Yes |
| Sensitive Personal Information | Account credentials, payment info | Yes |
6.2 Your California Rights
- Right to Know: Request disclosure of categories and specific pieces of personal information collected
- Right to Delete: Request deletion of personal information (subject to exceptions)
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising
- Right to Limit Use of Sensitive Information: Restrict use of sensitive personal information to necessary purposes only
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
6.3 Notice of Financial Incentive
We do not offer financial incentives in exchange for the retention or sale of personal information.
6.4 Authorized Agents
You may designate an authorized agent to make requests on your behalf. The agent must provide written authorization signed by you, and we may require you to verify your identity directly with us.
6.5 Shine the Light
California Civil Code Section 1798.83 permits California residents to request information regarding disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.
7. GDPR Compliance (EU/EEA/UK Users)
If you are located in the European Union, European Economic Area, or United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR provide you with specific rights regarding your personal data.
7.1 Legal Basis for Processing
We process your personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide the services you requested (account creation, document signing, email notifications)
- Legitimate Interests: Security, fraud prevention, product improvement, and analytics (where our interests do not override your rights)
- Legal Obligation: Compliance with tax laws, anti-money laundering regulations, and legal discovery requirements
- Consent: Marketing communications, optional analytics, and biometric signature analysis (you can withdraw consent anytime)
7.2 Additional GDPR Rights
In addition to the rights listed in Section 5, EU/EEA/UK residents have:
- Right to Lodge a Complaint: You may file a complaint with your local data protection authority (supervisory authority)
- Right to Object to Automated Decision-Making: Request human review of decisions made solely by automated processing that significantly affect you
7.3 Data Protection Authority Contact
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at: https://edpb.europa.eu
7.4 EU Representative
For GDPR inquiries, you may contact our EU representative at: eu-privacy@authenlysign.com
8. Data Retention
We retain your information only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Below are our specific retention periods:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Information | Duration of account + 30 days | Service provision, account recovery |
| Signed Documents | 7 years (default, configurable) | Legal validity, statute of limitations |
| Audit Trails | 7 years (cannot be shortened) | Legal evidence, regulatory compliance |
| Draft Documents (unsent) | 90 days of inactivity | User convenience, storage efficiency |
| Billing Records | 7 years | Tax and accounting requirements |
| Support Tickets | 3 years after resolution | Service improvement, dispute resolution |
| Usage Analytics | 26 months (anonymized after) | Product improvement, trend analysis |
| Security Logs | 1 year | Security monitoring, incident response |
| Marketing Consent Records | 3 years after consent withdrawal | Compliance documentation |
| Biometric Signature Data | Same as signed document | Signature verification, fraud prevention |
Custom Retention Settings
Enterprise customers can configure custom retention periods through workspace settings:
- Minimum: 1 year (to ensure legal validity of signed documents)
- Maximum: Indefinite (for regulated industries requiring permanent records)
- Auto-Delete: Configure automatic deletion after a specified period
- Legal Hold: Suspend deletion for documents subject to litigation or investigation
After Account Deletion
When you delete your account, we will delete or anonymize your personal information within 30 days, except for data we are legally required to retain (signed documents, audit trails, billing records). Documents you signed as a recipient for other users remain in their accounts with your signature intact.
9. International Data Transfers
AuthenlySign is based in the United States, and our primary data processing occurs in the US. If you are located outside the United States, your information will be transferred to and processed in the US, where data protection laws may differ from those in your country.
9.1 Transfer Mechanisms
We rely on the following legal mechanisms to transfer data internationally:
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs with our sub-processors to ensure adequate protection for EU/EEA/UK data
- UK International Data Transfer Agreement: For UK data transfers post-Brexit
- Adequacy Decisions: We leverage adequacy decisions where applicable (e.g., UK, Switzerland)
- Binding Corporate Rules: For transfers to corporate affiliates (where applicable)
9.2 Data Localization Options
For customers with strict data residency requirements:
- US Region: Data stored in AWS US-East (default)
- EU Region: Data stored in AWS EU-West (Ireland) - available on Enterprise plans
- APAC Region: Data stored in AWS Asia-Pacific - available on Enterprise plans
Contact sales@authenlysign.com for information about data residency options for your organization.
9.3 Supplementary Measures
In addition to legal transfer mechanisms, we implement supplementary technical and organizational measures:
- End-to-end encryption for documents in transit and at rest
- Pseudonymization of personal data where possible
- Strict access controls limiting who can view personal data
- Regular security assessments of our sub-processors
- Contractual commitments to challenge overbroad government data requests
10. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to provide functionality, analyze usage, and personalize your experience. For detailed information about the cookies we use and your choices, please see our Cookie Policy.
Managing Your Cookie Preferences
- Browser Settings: Most browsers allow you to block or delete cookies through settings
- Cookie Banner: Use our cookie consent banner to manage preferences (appears on first visit)
- Privacy Settings: Adjust tracking preferences in Settings → Privacy
- Do Not Track: We honor Do Not Track browser signals for analytics cookies
Note: Disabling essential cookies may prevent you from using certain features of the Service, such as staying logged in or completing document signing sessions.
11. Children's Privacy
AuthenlySign is a business service designed for adults. We do not knowingly collect, use, or disclose personal information from children under 18 years of age (or the applicable age of majority in your jurisdiction).
- Our Terms of Service require users to be at least 18 years old
- We do not intentionally market our services to minors
- If we learn that we have collected information from a child, we will promptly delete it
- Parents or guardians who believe their child has provided us information should contact privacy@authenlysign.com
Educational Institutions: If you are an educational institution using AuthenlySign for student records, you are responsible for obtaining appropriate parental consent as required by FERPA, COPPA, and applicable state laws.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
How We Notify You
- Material Changes: We will notify you via email and/or prominent notice on our website at least 30 days before the changes take effect
- Minor Changes: Updates to formatting, clarifications, or non-substantive changes may be made without notice
- Version History: We maintain a version history of this policy (see link at top of page)
Your Acceptance
Your continued use of AuthenlySign after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to the changes, you should stop using the Service and delete your account before the changes take effect.
13. Contact Us
We are committed to resolving your privacy concerns. If you have questions, comments, or requests regarding this Privacy Policy or our data practices, please contact us through any of the following channels:
General Privacy Inquiries
Email: privacy@authenlysign.com
Response Time: 2-3 business days
For general questions about our privacy practices
Data Protection Officer
Email: dpo@authenlysign.com
Response Time: 5 business days
For GDPR inquiries and formal data requests
Security Concerns
Email: security@authenlysign.com
Response Time: 24 hours
For reporting security vulnerabilities
Data Subject Requests
Portal: Settings → Privacy → My Data
Processing Time: Within 30 days
Access, delete, or export your data
Mailing Address
AuthenlySign Inc.
Attn: Privacy Team
120 19th ST N STE 201 NUM 750307
Birmingham, AL 35203
United States
EU Representative
For users in the European Union who wish to contact a local representative:
Email: eu-privacy@authenlysign.com
Purpose: GDPR inquiries and data protection matters for EU residents
Escalation: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority (for EU/UK residents) or the appropriate regulatory body in your jurisdiction.
