Privacy Policy

Last updated: March 7, 2026

1. Introduction

SignForge ("we", "us", "our") is operated by Abhishek Kumar Sharma and operates the e-signature platform at signforge.io. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the Indian Information Technology Act, 2000, and other applicable data protection laws.

2. Data We Collect

We collect the following categories of personal data:

  • Account information: name, email address, and authentication credentials (hashed password or OAuth provider identity)
  • Documents: PDF files you upload for signature
  • Signatures: drawn, typed, or uploaded signature images
  • Usage data: IP addresses, browser user-agent strings, and timestamps of actions (collected as part of the audit trail)
  • Recipient information: names and email addresses of people you send documents to for signing
  • Payment information: subscription status and billing details (payment card data is processed directly by our payment partner DODO Payments and is never stored on our servers)
  • Analytics data: anonymized page views, performance metrics, and feature usage (privacy-first, no tracking cookies)

3. How We Use Your Data

We use your personal data to:

  • Provide and operate the e-signature service
  • Manage your account and subscription
  • Send transactional emails (signing requests, completion notifications, verification emails, reminders)
  • Generate audit certificates that establish the legal validity of electronic signatures
  • Process payments and manage billing
  • Analyze usage patterns to improve the Service
  • Prevent fraud and ensure service security
  • Comply with legal obligations

We do not use your data for advertising, profiling, or selling to third parties.

4. Legal Basis for Processing

We process your personal data based on:

  • Contract performance (Art. 6(1)(b) GDPR) — processing necessary to provide the e-signature service you signed up for
  • Legitimate interests (Art. 6(1)(f) GDPR) — fraud prevention, service security, and audit trail integrity
  • Consent — where applicable, for optional features like saving your signature for future use
  • Legal obligation (Art. 6(1)(c) GDPR) — retaining audit trails as required by e-signature legislation

5. Data Sharing

We share your data only with the following third-party service providers, solely for the purpose of operating the Service:

  • Brevo — transactional email delivery (signing requests, notifications, reminders)
  • Cloudflare — Turnstile CAPTCHA for bot protection
  • Google — OAuth authentication (only if you choose to sign in with Google)
  • DODO Payments — payment processing for paid subscriptions (as Merchant of Record, DODO handles all payment card data directly)

We may also share data with user consent, for legal compliance, to prevent harm, or during business transactions such as mergers or acquisitions.

We do not sell, rent, or trade your personal data. We do not share your documents or signature images with any third party.

6. Data Retention

Your data is retained for as long as your account is active or as necessary to provide the Service. Document retention periods vary by subscription tier (free: 60 days, Pro: 1 year, Business/Enterprise: unlimited). When you delete your account, we permanently delete all your personal data, documents, signatures, and associated files. Audit trail records may be retained for a limited period to comply with legal requirements regarding the validity of electronic signatures.

7. Your Rights

Under the GDPR and applicable data protection laws, you have the following rights:

  • Right of access — request a copy of all your personal data
  • Right to erasure — permanently delete your account and all data
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to rectification — update your name and profile information in Settings
  • Right to restriction — request that we limit how your data is processed
  • Right to object — object to processing based on legitimate interests
  • Right to opt out — opt out of marketing communications at any time

8. How to Exercise Your Rights

You can exercise your rights to data access, correction, and erasure directly from your account settings. For any other requests or questions about your data, contact us at support@signforge.io. We will respond to all requests within 30 days.

9. Data Security

We protect your data using industry-standard security measures:

  • All data is transmitted over HTTPS (TLS encryption in transit)
  • Passwords are hashed using bcrypt — we never store plaintext passwords
  • Signing tokens are hashed (SHA-256) — raw tokens are never stored
  • Documents are stored in private cloud storage, accessible only through authenticated endpoints
  • Document integrity is verified with SHA-256 checksums
  • Payment card data is processed by DODO Payments and never touches our servers

While we implement robust security measures, no system is completely secure. We continuously monitor and improve our security practices.

10. International Transfers

Our primary servers are located in the EU (Hetzner, Germany). User data may also be processed and stored in India or other countries where SignForge or our service providers operate. Some third-party service providers (Brevo, Cloudflare, Google, DODO Payments) may process data in the United States or other countries. Where data is transferred outside the EU, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions.

11. Cookies & Local Storage

SignForge does not use tracking cookies or analytics cookies. We use browser localStorage solely to store authentication tokens required for the Service to function. These tokens are essential for maintaining your logged-in session and are not used for tracking or advertising. We use sessionStorage for anonymous analytics session tracking (no cookies, no cross-site tracking).

12. Children's Privacy

SignForge is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a minor has provided us with personal data, we will take steps to delete that information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through the Service. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the Service after changes become effective constitutes acceptance of the updated policy.

14. Contact

If you have questions about this Privacy Policy or want to exercise your data protection rights, contact us at support@signforge.io or visit our Contact page.

By using SignForge, you acknowledge that you have read and understood this Privacy Policy. See also our Terms of Service, Cancellation & Refund Policy, and Shipping & Delivery Policy.