Privacy Policy
1. Overview
SignFlow ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data. By using SignFlow, you agree to the practices described here.
2. Information We Collect
Account information: When you register, we collect your name, email address, and a hashed password. We never store your password in plain text.
Document content: PDF files you upload for signing are temporarily stored on our server during the signing process and then deleted after completion.
Signer information: We collect the names and email addresses of people you designate as signers. This information is used solely to send signing invitations and is stored in our database associated with your account.
Signing activity: When someone signs a document, we record their IP address, browser user agent, and timestamp. This information forms part of the tamper-evident audit trail appended to the completed PDF.
Billing information: Payment is processed by Stripe. We do not store credit card numbers or payment details. We retain a Stripe customer ID and subscription status to manage your account.
Usage data: We track the number of documents sent per billing period to enforce plan limits. We do not use tracking pixels, behavioral analytics, or advertising cookies.
3. How We Use Your Information
- To provide and operate the document signing service
- To send transactional emails (signing invitations, completion notifications, account verification, password resets)
- To enforce subscription limits and manage billing
- To generate tamper-evident audit trails on signed documents
- To respond to support requests
We do not sell your personal information to third parties. We do not use your data for advertising purposes.
4. Third-Party Services
We use the following third-party services to operate SignFlow:
- Resend — transactional email delivery. Signer email addresses are transmitted to Resend to send signing invitations. See Resend's Privacy Policy.
- Stripe — payment processing and subscription management. See Stripe's Privacy Policy.
5. Data Retention
We retain your account information for as long as your account is active. Envelope metadata (signer names, emails, document names, audit logs) is retained in our database as a record of completed transactions. Original PDF files are deleted from our servers after signing is complete or after 7 days, whichever comes first.
If you delete your account, we will remove your personal information from our active database within 30 days, except where retention is required by law.
6. Security
We take reasonable measures to protect your information, including encrypted connections (HTTPS), hashed passwords (bcrypt), cryptographically signed signer tokens, and session-based authentication. However, no method of transmission over the internet is completely secure, and we cannot guarantee absolute security.
7. Your Rights
Depending on your location, you may have rights to access, correct, or delete your personal data. To exercise these rights, contact us at [email protected]. We will respond within 30 days.
8. Cookies
We use a single session cookie to keep you logged in. This cookie contains no personal information — only an encrypted session identifier. We do not use advertising cookies, tracking pixels, or analytics cookies.
9. Children's Privacy
SignFlow is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you by email of material changes. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.
11. Contact
For privacy-related questions or requests, contact us at [email protected].
SignFlow · dylanholliday.com · Terms of Service