Privacy Policy

Your privacy is fundamental to our mission. This policy explains how we collect, use, and protect your information in compliance with ESP requirements and international privacy laws.

Last updated: August 2025

1. Information We Collect

1.1 Personal Information

We collect personal information that you voluntarily provide when using our services:

  • Identity Information: Full name, email address, phone number, job title, company name
  • Account Credentials: Username, encrypted passwords, security questions and answers
  • Contact Information: Mailing address, billing address, emergency contact details
  • Profile Data: Profile picture, bio, preferences, notification settings
  • Verification Data: Government-issued ID numbers for identity verification (when required)
  • Communication Records: Support tickets, chat logs, email correspondence

1.2 Document and Signature Data

As an e-signature platform, we process sensitive document-related information:

  • Document Content: PDFs, Word documents, images, and other file formats uploaded for signature
  • Digital Signatures: Biometric signature data, typed signatures, drawn signatures
  • Signature Metadata: Timestamp, IP address, device information, geolocation (if enabled)
  • Audit Trails: Complete history of document actions, views, downloads, modifications
  • Signer Information: Names, email addresses, and roles of all document signers
  • Authentication Data: SMS verification codes, email verification tokens, ID verification results

1.3 Technical and Usage Information

We automatically collect technical information to provide and improve our services:

  • Device Information: Device type, operating system, browser version, screen resolution
  • Network Data: IP address, ISP, connection type, network performance metrics
  • Usage Analytics: Pages visited, features used, time spent, click patterns
  • Performance Data: Load times, error rates, crash reports, system performance
  • Security Logs: Login attempts, security events, suspicious activity detection
  • Cookies and Tracking: Session cookies, preference cookies, analytics cookies

1.4 Payment and Billing Information

For paid services, we collect billing information through secure third-party processors:

  • Payment Methods: Credit card details, bank account information, digital wallet data
  • Billing Address: Complete billing address for payment verification
  • Transaction History: Payment records, invoices, refunds, subscription changes
  • Tax Information: VAT numbers, tax exemption certificates (when applicable)

2. How We Use Your Information

2.1 Service Provision and Core Functionality

  • • Process and store documents for electronic signature workflows
  • • Facilitate signature collection from multiple parties
  • • Generate legally compliant audit trails and certificates
  • • Provide document storage, organization, and retrieval services
  • • Enable real-time collaboration and document sharing
  • • Deliver notifications and status updates via email and SMS

2.2 Account Management and Authentication

  • • Create and maintain user accounts and profiles
  • • Authenticate user identity and prevent unauthorized access
  • • Process subscription payments and manage billing
  • • Provide customer support and technical assistance
  • • Manage user preferences and notification settings

2.3 Communication and Marketing (ESP Compliant)

  • • Send transactional emails related to your account and documents
  • • Deliver security alerts and important service notifications
  • • Provide product updates and feature announcements (with consent)
  • • Send marketing communications only to opted-in subscribers
  • • Conduct customer satisfaction surveys and feedback collection
  • • Maintain suppression lists to honor unsubscribe requests

2.4 Legal and Compliance Purposes

  • • Comply with electronic signature laws (ESIGN Act, eIDAS, etc.)
  • • Maintain records for legal discovery and litigation support
  • • Prevent fraud, abuse, and unauthorized access
  • • Respond to legal requests and regulatory inquiries
  • • Enforce our Terms of Service and user agreements

3. Anti-Spam Policy and Email Compliance

3.1 Consent and Permission

  • Explicit Consent: We only send marketing emails to users who have explicitly opted in
  • Double Opt-In: Marketing subscriptions require email confirmation
  • Transactional Emails: Service-related emails are sent based on legitimate business interest
  • Clear Purpose: All email communications clearly state their purpose and sender
  • Consent Records: We maintain detailed records of all consent with timestamps and IP addresses

3.2 Email Authentication and Deliverability

  • SPF Records: Properly configured Sender Policy Framework authentication
  • DKIM Signing: All emails are signed with DomainKeys Identified Mail
  • DMARC Policy: Domain-based Message Authentication, Reporting & Conformance implemented
  • Reputation Monitoring: Continuous monitoring of sender reputation and deliverability metrics
  • Bounce Handling: Automatic processing of hard and soft bounces
  • Feedback Loops: Registered with major ISPs for complaint feedback

3.3 List Management and Hygiene

  • Suppression Lists: Comprehensive suppression lists for unsubscribed users
  • List Cleaning: Regular removal of invalid, bounced, and inactive email addresses
  • Engagement Tracking: Monitoring of open rates, click rates, and engagement metrics
  • Re-engagement Campaigns: Targeted campaigns to re-engage inactive subscribers
  • Automatic Removal: Inactive subscribers automatically removed after 12 months

3.4 Unsubscribe and Opt-Out

  • One-Click Unsubscribe: Every marketing email includes a prominent unsubscribe link
  • Processing Time: Unsubscribe requests processed within 24 hours
  • Confirmation: Unsubscribe confirmation sent to verify the action
  • Granular Control: Options to unsubscribe from specific email types
  • No Re-subscription: Unsubscribed users cannot be re-added without explicit consent

3.5 Compliance and Monitoring

  • CAN-SPAM Compliance: Full compliance with US CAN-SPAM Act requirements
  • GDPR Compliance: Adherence to EU General Data Protection Regulation
  • CASL Compliance: Compliance with Canada's Anti-Spam Legislation
  • Regular Audits: Quarterly reviews of email practices and compliance
  • Staff Training: Regular training for all staff handling email communications
  • Incident Response: Immediate response protocol for spam complaints

Report Spam or Abuse

If you receive unsolicited emails claiming to be from SigTouch:

  • • Email: abuse@sigtouch.com
  • • Include full email headers and content
  • • We investigate all reports within 24 hours
  • • Confirmed violations result in immediate account suspension

4. Information Sharing and Disclosure

4.1 Service Providers and Processors

We share information with trusted third-party service providers who assist in delivering our services:

  • Cloud Infrastructure: AWS, Google Cloud, Microsoft Azure for hosting and storage
  • Payment Processors: Stripe, PayPal for secure payment processing
  • Email Service Providers: Amazon SES, SendGrid for transactional and marketing emails
  • Analytics Providers: Google Analytics, Mixpanel for usage analytics
  • Customer Support: Zendesk, Intercom for customer service platforms
  • Security Services: Cloudflare, Auth0 for security and authentication

All service providers are bound by data processing agreements and must maintain equivalent privacy protections.

4.2 Legal and Regulatory Disclosure

  • Legal Compliance: When required by law, regulation, or court order
  • Law Enforcement: To assist in criminal investigations with proper legal authority
  • Safety Protection: To protect the safety of our users, employees, or the public
  • Rights Enforcement: To enforce our Terms of Service or protect our legal rights
  • Fraud Prevention: To investigate and prevent fraudulent or illegal activities

4.3 Business Transfers

In the event of a business transaction, user information may be transferred:

  • • Merger, acquisition, or sale of assets
  • • Bankruptcy or insolvency proceedings
  • • Corporate restructuring or reorganization
  • • Users will be notified of any such transfer via email and website notice
  • • The acquiring entity must honor existing privacy commitments

4.4 Consent-Based Sharing

  • • With your explicit consent for specific purposes
  • • Integration with third-party applications you authorize
  • • Sharing with business partners for joint services (with opt-in consent)

What We Never Do

  • • Sell, rent, or trade personal information to third parties
  • • Share information for third-party marketing without explicit consent
  • • Provide access to documents without proper authorization
  • • Share aggregated data that could identify individual users

5. Data Security and Protection

5.1 Encryption and Data Protection

  • Encryption at Rest: AES-256 encryption for all stored data
  • Encryption in Transit: TLS 1.3 for all data transmission
  • End-to-End Encryption: Document content encrypted from upload to signature
  • Key Management: Hardware Security Modules (HSMs) for encryption key storage
  • Database Security: Encrypted database connections and field-level encryption

5.2 Access Controls and Authentication

  • Multi-Factor Authentication: Required for all user accounts
  • Role-Based Access: Granular permissions based on user roles
  • Zero Trust Architecture: Continuous verification of all access requests
  • Session Management: Automatic session timeout and secure session handling
  • API Security: OAuth 2.0 and API key authentication for integrations

5.3 Infrastructure Security

  • Cloud Security: SOC 2 Type II certified cloud infrastructure
  • Network Security: Firewalls, intrusion detection, and DDoS protection
  • Vulnerability Management: Regular security scans and penetration testing
  • Backup and Recovery: Encrypted backups with geographic redundancy
  • Monitoring: 24/7 security monitoring and incident response

5.4 Compliance and Certifications

  • SOC 2 Type II: Annual compliance audits for security controls
  • ISO 27001: Information security management system certification
  • GDPR Compliance: Full compliance with EU data protection requirements
  • HIPAA Ready: Business Associate Agreement available for healthcare clients
  • eIDAS Compliance: European electronic signature regulation compliance

5.5 Incident Response

  • Response Team: Dedicated security incident response team
  • Detection: Automated threat detection and alerting systems
  • Containment: Immediate isolation and containment of security incidents
  • Notification: User notification within 72 hours of confirmed data breaches
  • Recovery: Comprehensive recovery and remediation procedures

6. Data Retention and Deletion

6.1 Retention Periods

  • Account Data: Retained while account is active plus 7 years after closure
  • Document Data: Retained for legal compliance periods (typically 7-10 years)
  • Audit Trails: Maintained for 10 years to support legal validity of signatures
  • Payment Data: Retained for 7 years for tax and accounting purposes
  • Marketing Data: Retained until unsubscribe or 3 years of inactivity
  • Technical Logs: Retained for 2 years for security and performance analysis

6.2 Secure Deletion

  • Cryptographic Erasure: Secure deletion through encryption key destruction
  • Multi-Pass Overwriting: Physical storage overwritten multiple times
  • Backup Purging: Systematic removal from all backup systems
  • Third-Party Deletion: Coordination with service providers for complete removal
  • Verification: Confirmation of successful deletion across all systems

6.3 Legal Hold Exceptions

Data may be retained beyond normal periods when:

  • • Subject to legal hold for litigation or investigation
  • • Required by regulatory authorities
  • • Necessary for ongoing legal proceedings
  • • Part of active fraud investigation

7. Your Rights and Controls

7.1 Access and Portability Rights

  • Data Access: Request a copy of all personal data we hold about you
  • Data Portability: Receive your data in a structured, machine-readable format
  • Account Dashboard: View and manage your personal information online
  • Activity Logs: Access logs of all actions taken on your account
  • Document History: Complete audit trail of all document activities

7.2 Correction and Update Rights

  • Profile Updates: Modify personal information in your account settings
  • Data Correction: Request correction of inaccurate or incomplete data
  • Preference Management: Update communication and privacy preferences
  • Contact Information: Keep email addresses and phone numbers current

7.3 Deletion and Restriction Rights

  • Account Deletion: Request complete deletion of your account and data
  • Selective Deletion: Delete specific documents or data categories
  • Processing Restriction: Limit how we process your personal data
  • Objection Rights: Object to processing based on legitimate interests

7.4 Communication Controls

  • Email Preferences: Granular control over email types and frequency
  • Unsubscribe Options: One-click unsubscribe from marketing communications
  • Notification Settings: Customize in-app and push notifications
  • Do Not Track: Honor browser Do Not Track signals where technically feasible

7.5 Exercising Your Rights

To exercise any of these rights:

  • Online: Use your account settings and privacy dashboard
  • Email: Contact privacy@sigtouch.com with your request
  • Verification: We may require identity verification for security
  • Response Time: We respond to all requests within 30 days
  • No Cost: Exercising your rights is free of charge

8. International Data Transfers

8.1 Transfer Mechanisms

  • Adequacy Decisions: Transfers to countries with adequate protection levels
  • Standard Contractual Clauses: EU-approved clauses for international transfers
  • Binding Corporate Rules: Internal data protection rules for multinational processing
  • Certification Schemes: Transfers under approved certification programs

8.2 Data Localization

  • Regional Storage: Data stored in regions closest to users when possible
  • EU Data: EU user data primarily processed within the European Economic Area
  • Backup Locations: Encrypted backups may be stored in multiple geographic regions
  • Processing Locations: Clear documentation of where data is processed

9. Contact Information and Complaints

9.1 Privacy Contacts

Privacy Officer:

Email: privacy@sigtouch.com

Phone: +1 (916) 442‑9181

Response Time: Within 48 hours

9.2 Mailing Address

SigTouch Privacy Team

624 N St 201

Sacramento, CA 95814

United States

9.3 Regulatory Complaints

If you're not satisfied with our response to your privacy concerns, you may file a complaint with:

  • EU Users: Your local Data Protection Authority
  • UK Users: Information Commissioner's Office (ICO)
  • US Users: Federal Trade Commission (FTC)
  • Canadian Users: Office of the Privacy Commissioner of Canada

10. Policy Updates and Changes

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or business operations.

10.1 Notification of Changes

  • Material Changes: 30-day advance notice via email and website banner
  • Minor Updates: Posted on website with updated "Last Modified" date
  • Legal Changes: Immediate notification if required by law
  • Version History: Previous versions available upon request

10.2 Your Options

  • Continued Use: Continued use of services constitutes acceptance of updates
  • Objection: Contact us if you object to material changes
  • Account Closure: Close your account if you disagree with changes
  • Data Export: Export your data before account closure