Doc E Sign Privacy Notice

Last updated: 30 May 2026 Version: 1.0 URL: doc-e-sign.com/privacy

---

About this notice

This privacy notice explains what personal data Doc E Sign collects, why, how long we keep it, and what rights you have. We have written it in plain English. If anything is unclear, contact us at privacy@doc-e-sign.com.

Doc E Sign is used in two distinct ways — as a sender (you upload a document and request signatures) or as a signer (you receive a signing request and sign a document). The data we collect and our legal basis for collecting it differs depending on your role. Both sections apply to you if you sign a document you also sent.

---

Who we are

Doc E Sign is a document signing service operating from the United Kingdom. We are the data controller for the personal data described in this notice.

Contact for data protection matters: privacy@doc-e-sign.com

UK GDPR Article 27 representative: privacy@doc-e-sign.com

---

Part 1 — If you are a sender (Doc E Sign account holder)

What data we collect about you

When you create a Doc E Sign account and use the service to send documents, we collect:

| Data | How we collect it | Why | |---|---|---| | Email address | You provide it at signup | To identify your account and send you signing-related notifications | | Subscription and billing data | Via Stripe when you add a payment method | To manage your subscription | | IP address (at signup and sign-in) | Automatically from your browser | Security and fraud prevention | | Browser type and device information | Automatically from your browser | Security and fraud prevention | | Documents you upload | You upload them | To run the signing service you requested | | Names and email addresses of your signers | You provide them when creating an envelope | To contact your signers and manage the signing process | | Usage data (number of envelopes sent, login history) | Automatically | To enforce plan limits and support your account |

Why we process your data and our legal basis

| Processing activity | Legal basis | |---|---| | Running your account (login, dashboard, sending envelopes) | Contract performance (Article 6(1)(b) UK GDPR / EU GDPR) | | Billing and subscription management | Contract performance (Article 6(1)(b)) | | Security, fraud prevention, and account protection | Legitimate interest (Article 6(1)(f)) | | Communicating with you about your account and service changes | Contract performance (Article 6(1)(b)) | | Legal compliance (tax records, compliance obligations) | Legal obligation (Article 6(1)(c)) |

How long we keep your data

| Data | Retention | |---|---| | Account data (email, billing details) | Until you close your account, then anonymised within 30 days | | Signed documents — Free plan | 30 days after the signing ceremony completes, then permanently deleted. Both parties receive a copy by email at the time of signing. | | Signed documents — Pro and Business plans | For the lifetime of your active subscription; 30 days after cancellation, then permanently deleted. We strongly recommend downloading all documents before cancelling. | | Audit trail records (the cryptographic record of each signing ceremony) | 7 years from the date of signing, regardless of whether your account is still active | | Billing and payment records | 7 years from the transaction date | | Security logs (login IP addresses, sign-in events) | 90 days |

Your data and your signers

When you add a signer's name and email address to an envelope, you are providing us with personal data about another person. You are the data controller for that data — you decided to collect it and share it with Doc E Sign. Doc E Sign acts as your data processor for this data. Our Data Processing Agreement governs this arrangement. You are responsible for having a lawful basis to share your signers' contact details with us.

---

Part 2 — If you are a signer

You may receive a signing request from a Doc E Sign customer (the sender). You do not need a Doc E Sign account to sign. This section explains what data Doc E Sign collects about you during and after the signing process.

Who controls your data

Your signing data is processed under a joint controller arrangement between Doc E Sign and the sender. Under Article 26 of the UK GDPR and EU GDPR, we are required to explain the essence of this arrangement to you in plain English.

What each of us is responsible for:

| Responsibility | Who decides | Contact | |---|---|---| | Whether to collect audit records (IP address, browser, event timestamps) during the signing ceremony | Doc E Sign — we independently determine what technical records are necessary for a legally defensible audit trail | privacy@doc-e-sign.com | | How long audit records are retained (7 years) | Doc E Sign | privacy@doc-e-sign.com | | The security of the audit records | Doc E Sign | privacy@doc-e-sign.com | | The record that you acknowledged this privacy notice | Doc E Sign (jointly with the sender, who benefits from the evidence) | privacy@doc-e-sign.com | | Who receives a signing request (your email address and name) | The sender — they provided your contact details to Doc E Sign | Contact the sender directly | | The content of the document you are signing | The sender | Contact the sender directly | | The sender's lawful basis for using your contact details | The sender | Contact the sender directly |

In short: Doc E Sign determines what audit data is collected and how long it is retained. The sender determines the identity of signers and the content of documents.

The full terms of our arrangement with senders are published at doc-e-sign.com/dca.

Exercising your rights: contact privacy@doc-e-sign.com for rights relating to Doc E Sign's audit records. Contact the sender directly for rights relating to the document content and your contact details. If you do not know how to reach the sender, email us and we will help identify the correct contact.

What data Doc E Sign collects when you sign

| Data | Why | Who controls it | |---|---|---| | Your IP address and browser type | To create a tamper-evident record of where and how the document was signed | Doc E Sign | | The time and sequence of events (when you opened the link, when you signed) | To create the cryptographic audit trail that makes the document independently verifiable | Doc E Sign | | A record that you acknowledged this privacy notice | To demonstrate that the privacy requirements were met during the signing ceremony | Doc E Sign (joint with sender) | | Your signature (typed, drawn, or uploaded) | To embed in the signed PDF | Sender | | Your name, email address, and any other fields on the document | These were provided by the sender or by you during signing | Sender |

What Doc E Sign does NOT collect or store in readable form

Your signature and name are embedded in the signed PDF and stored in encrypted form. Your email address is stored in an encrypted form — it cannot be read without Doc E Sign's server key. Doc E Sign does not hold a searchable database of signer personal data in plaintext.

Why we process your data and our legal basis

Doc E Sign's processing of signer technical data (IP address, browser, timestamps, acknowledgment record) is based on legitimate interest (Article 6(1)(f) UK GDPR / EU GDPR). Our legitimate interest is in creating a tamper-evident, legally defensible record of the signing ceremony — an interest shared by both the sender and the signer, who benefit from having a document that cannot be altered after signing.

We have carried out a Legitimate Interest Assessment concluding that this processing is necessary, proportionate, and does not override your rights and interests. You may request a copy by contacting privacy@doc-e-sign.com.

How long we keep your data

| Data | Retention | |---|---| | Audit trail records (IP address, browser type, event sequence) | 7 years from the date of signing | | Signed PDF (stored in the sender's account) | If the sender is on the Free plan: 30 days after the signing ceremony. If the sender is on a Pro or Business plan: for the duration of the sender's active subscription, then 30 days after cancellation. | | Your acknowledgment record | 7 years (accountability obligation) |

After 7 years, your IP address and browser information are deleted permanently. The record that a signing ceremony occurred on a given date remains, but it contains no data that identifies you individually.

Your right to object

You have the right to object to Doc E Sign's processing of your technical signing data on the grounds of your particular situation (Article 21 UK GDPR / EU GDPR). We may decline your objection where we can demonstrate compelling legitimate grounds — specifically, where retaining the audit record is necessary for the establishment, exercise, or defence of legal claims arising from the document you signed. If we decline your objection, we will explain why in writing within 30 days and tell you how to complain to the supervisory authority.

---

Part 3 — Sub-processors and third parties

Doc E Sign uses the following third-party services that process personal data on our behalf:

| Provider | Purpose | Location | DPA in place | |---|---|---|---| | Supabase | Database, authentication, file storage, encryption key management | EU (Frankfurt, Germany) | Yes | | Nuntly | Transactional email (signing links, notifications) | EU (EU-native) | Pending — DPA will be executed before production deployment | | Stripe | Payment processing and subscription management | EU / US | Yes |

We do not sell personal data to any third party. We do not use personal data for advertising.

---

Part 4 — Your rights

Your rights under UK GDPR and EU GDPR

| Right | Description | Who to contact | |---|---|---| | Access (Art. 15) | Request a copy of the personal data we hold about you | Doc E Sign: privacy@doc-e-sign.com (for Doc E Sign-controlled data); the sender (for document content and your contact details) | | Rectification (Art. 16) | Ask us to correct inaccurate data | Doc E Sign: privacy@doc-e-sign.com | | Erasure (Art. 17) | Ask us to delete your data | Doc E Sign: privacy@doc-e-sign.com; note that we may decline erasure of audit records where they are needed for legal claims — we will explain any refusal in writing | | Restriction (Art. 18) | Ask us to restrict processing while a dispute is resolved | Doc E Sign: privacy@doc-e-sign.com | | Portability (Art. 20) | Receive your data in a machine-readable format | Doc E Sign: privacy@doc-e-sign.com | | Object (Art. 21) | Object to processing based on legitimate interest | Doc E Sign: privacy@doc-e-sign.com |

Response time (UK GDPR / EU GDPR): We will respond to all rights requests within 30 days of receipt. Where a request is complex or we receive a high volume, we may extend this by a further two months — we will notify you within the initial 30-day period if an extension is needed and explain why.

Your rights under CCPA / CPRA (California residents)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act). These rights are separate from, and in addition to, any rights you may have under UK GDPR or EU GDPR:

• Right to know: the categories and specific pieces of personal information we collect and how we use them
• Right to delete: request deletion of your personal information, subject to applicable exceptions
• Right to correct: request correction of inaccurate personal information
• Right to opt out of sale or sharing: Doc E Sign does not sell personal data and does not share personal data for cross-context behavioural advertising
• Right to limit use of sensitive personal information: Doc E Sign does not use sensitive personal information beyond what is necessary to provide the service
• Non-discrimination: we will not discriminate against you for exercising your CCPA rights

To exercise any of these rights, contact privacy@doc-e-sign.com. Response time (CCPA / CPRA): We will respond within 45 days of receipt. This 45-day window applies to CCPA/CPRA requests from California residents; it is distinct from the 30-day window that applies to UK GDPR and EU GDPR requests.

---

Part 5 — Cookies and analytics

Doc E Sign uses Plausible Analytics for website analytics. Plausible is privacy-preserving — it does not use cookies and does not collect personally identifiable information. No cookie consent banner is required.

Doc E Sign uses a session cookie for authentication on the dashboard. This is a strictly necessary cookie — the site cannot function without it. No consent is required for strictly necessary cookies under UK PECR or EU ePrivacy rules.

---

Part 6 — Changes to this notice

We may update this privacy notice from time to time. If we make a material change (a new processing purpose, a new data category, or a change to your rights), we will notify you by email (if you are a sender) at least 30 days before the change takes effect.

Previous versions of this notice are available on request at privacy@doc-e-sign.com.

---

Part 7 — Complaints and supervisory authorities

If you are unhappy with how we have handled your data, please contact us first at privacy@doc-e-sign.com — we aim to resolve complaints within 30 days.

If you are not satisfied with our response, you have the right to complain to a supervisory authority:

UK: Information Commissioner's Office (ICO) — ico.org.uk — 0303 123 1113

EU: Your national data protection authority. A full list of EU supervisory authorities is available at edpb.europa.eu.

California: California Privacy Protection Agency (CPPA) — cppa.ca.gov