Privacy Policy
Last updated 19 April 2026 · v1.0-draft
This Privacy Policy explains how GetItSigned Ltd. ("we", "us") collects and uses personal data when you use the getitsigned.app web app, API, or related services (the "Service"). We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are (data controller)
GetItSigned Ltd. is the controller of personal data described in Sections 2–4 of this policy. We are registered in England & Wales and our ICO registration number will appear here once finalised. For any data-protection question, including to exercise your rights, email hello@getitsigned.app.
2. What personal data we collect
If you are an account holder (sender)
- Identity and contact: name, email address, business name (optional), country.
- Account credentials: password (stored as a bcrypt hash — the plaintext is never persisted), Google OAuth token if you use Google Sign-In.
- Billing: Stripe customer ID, purchase history, VAT status. Card details are held by Stripe, never by us.
- Usage: envelopes you have created, credits you have consumed, timestamps of account activity.
- Session: JWT session identifier, last login timestamp, IP address of last login, user-agent.
If you are a signer
- Identity: the name and email address provided by the sender, the typed name you entered at the signing screen.
- Signature artefacts: the PNG or JPEG image of your drawn or uploaded signature, stored encrypted at rest.
- Audit evidence (ESIGN-grade): your affirmative consent to use electronic records, your affirmative intent to sign, your IP address, your user-agent, the timestamp of each action (viewed, consented, signed), and the version of the consent disclosure shown to you.
- Document content: we process the PDF the sender uploaded and the placements of signature fields solely to produce the signed artefact.
Automatically collected
- Service logs: HTTP access logs, application error logs, webhook delivery logs. These are kept for up to 90 days for operational and security purposes.
- Cookies: we use strictly necessary cookies for authentication and a minimal cookie for CSRF protection. We do not use advertising or cross-site tracking cookies.
3. Why we use your data (purposes and legal bases)
Under UK GDPR every purpose of processing needs a lawful basis. Ours are:
- Providing the Service to you (account holder) — Article 6(1)(b) performance of a contract. Includes authentication, sending envelopes, producing signed artefacts, delivering notifications, billing, and support.
- Providing the Service to the signer — Article 6(1)(b) performance of a contract when the signer is in a direct contractual relationship with the sender, and Article 6(1)(f) legitimate interests otherwise, our interest being to deliver the signing workflow requested by the sender and to produce reliable audit evidence.
- Producing and retaining audit evidence — Article 6(1)(c) legal obligation and Article 6(1)(f) legitimate interests, our interest being to be able to demonstrate (to courts, regulators, and counterparties) that a signed document was signed by the person named on it, with their consent, at the time recorded.
- Security, fraud prevention, and abuse monitoring — Article 6(1)(f) legitimate interests, our interest being to protect the Service and its users.
- Product communications — legitimate interests for transactional messages; consent (Article 6(1)(a)) for optional marketing emails, which you can withdraw at any time.
4. Who we share data with
We do not sell personal data and we do not share it with advertisers. We do share data with the following categories of recipients:
- The other parties to an envelope. Senders see signer names, email addresses, completion status, IP addresses of signing actions, and typed names — the audit evidence that makes a signature meaningful. Signers see the sender's name and email.
- Our sub-processors (see Section 12) who host infrastructure, process payments, and deliver email on our behalf.
- Law enforcement or courts, if we receive a valid legal request, and narrowly, to the extent the request compels.
- A successor entity, in the event of a merger, acquisition, or sale of all or substantially all our assets — with continued protection under a privacy policy at least as protective as this one.
5. International transfers
Some of our sub-processors are located outside the UK. Where we transfer personal data outside the UK, we rely on transfer mechanisms recognised under UK GDPR — typically the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK addendum, plus supplementary measures where required. A current list of sub-processors and their locations is in Section 12.
6. How long we keep data
- Active account data: for as long as your account is open.
- Signed envelopes and Certificates of Completion: retained for the life of your account and then for at least six years after account closure — aligned with the limitation period for simple contracts under the Limitation Act 1980. Longer if required by law.
- Audit evidence (IP, user-agent, consent, signing timestamps): retained with the corresponding envelope for the period above. Deleting this would undermine the evidentiary value of signatures already produced.
- HTTP and application logs: up to 90 days.
- Billing records: seven years after the relevant transaction, to meet HMRC record-keeping requirements.
After the retention period, we delete personal data or aggregate it so it can no longer be associated with you.
7. How we protect your data
- All traffic between your browser and our servers is encrypted with TLS 1.2+.
- Passwords are stored only as bcrypt hashes with a per-account salt. We never store plaintext passwords.
- Magic-link signing tokens are stored only as SHA-256 hashes. The plaintext token only ever appears in the email link sent to the signer.
- Signed PDFs and signature images are stored on Cloudflare R2 with server-side encryption (AES-256).
- Access to production data is restricted to a small number of named individuals and protected by two-factor authentication.
- We have a security disclosure channel — email security@getitsigned.app if you believe you have found a vulnerability.
8. Your rights under UK GDPR
You have the following rights in relation to personal data we hold about you:
- Access — a copy of the personal data we hold, with context.
- Rectification — correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten") — deletion of your data, subject to our legal and evidentiary retention duties (see Section 6). We cannot erase audit evidence tied to signatures you produced while they remain within their retention window without compromising the legal value of those signatures.
- Restriction — ask us to stop most processing while an objection is resolved.
- Portability — receive the data you provided us in a structured, machine-readable format.
- Object — to processing based on legitimate interests, including direct marketing.
- Withdraw consent — where processing is based on consent. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.
- Complain to a supervisory authority — you may lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint. We would appreciate the chance to address your concern first, so please contact us if you can.
To exercise any of these rights, email hello@getitsigned.app. We respond within one month.
9. Cookies
We use only cookies that are strictly necessary to operate the Service — authentication session cookies and a CSRF-protection cookie. We do not use analytics, advertising, or cross-site tracking cookies. Because our cookies are strictly necessary, we do not show a cookie banner; under UK law, strictly necessary cookies do not require consent.
10. Children
The Service is not directed to children under 18 and we do not knowingly process data of children under 18. If you believe a child has provided us with personal data, please contact us and we will investigate and delete it where appropriate.
11. When we process signer data as a processor
When our account-holder customers (senders) send an envelope, they determine the purposes and means of processing for the signers' personal data. In that context:
- The sender is the controller of the signer's personal data in the document and the signing flow.
- We are the processor, acting only on the sender's documented instructions (the envelope configuration, the decision to send, void, or archive).
- We will not process signer personal data for any other purpose, except where required by law or necessary for the technical operation of the Service.
- We apply the security measures in Section 7 regardless of controller status.
- We engage sub-processors under Article 28 terms (see Section 12).
- We return or delete signer personal data on the sender's instructions, subject to the retention obligations in Section 6 and any overriding legal requirement.
The terms of this section are intended to function as a baseline data-processing agreement. A full countersigned DPA is available on request to hello@getitsigned.app.
12. Sub-processors
We currently use the following sub-processors. Locations are the regions in which they process our data.
| Sub-processor | Purpose | Region |
|---|---|---|
| Cloudflare, Inc. | Hosting (Workers), object storage (R2), CDN, DNS | Global / UK |
| Stripe Payments UK, Ltd. | Payment processing, tax collection | UK / US |
| Amazon Web Services EMEA SARL | Postgres hosting, backups | EU (Ireland) |
| Postmark (Wildbit, LLC) | Transactional email (signing invites, receipts, notifications) | US |
| Google LLC | Sign-in with Google (if enabled by the account holder) | Global |
We will give at least 30 days' notice before adding or replacing a sub-processor. To receive those notices, email us and ask to be added to the sub-processor change notification list.
13. Automated decision-making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.
14. Changes to this policy
We may update this policy from time to time. Material changes will be notified to the account email address we hold for you, at least 30 days before they take effect.
15. Contact
Data-protection questions, subject-access requests, and complaints: hello@getitsigned.app. Security reports: security@getitsigned.app.