Privacy Policy

Last updated: February 27, 2026

This Privacy Policy describes how GoSignHere ("we", "us", or "our") collects, uses, and protects your personal information when you use our electronic signature platform ("the Service").

1. Information We Collect

Account Information

When you create an account, we collect your name, email address, and password (stored as a bcrypt hash — we never store plaintext passwords). If you create a team account, we also collect your organization name.

Documents

When you upload documents for signing, we store the document files on our servers as binary data. Documents are used only to provide the signing service.

Signing Data

When signers interact with documents, we collect:

  • Signature images (drawn, typed, or uploaded)
  • Field values (text, dates, checkboxes, initials, dropdowns, and other field types)
  • IP addresses and user agent strings (for the audit trail)
  • Timestamps of all signing actions
  • Consent records (explicit e-sign consent before submission)

This data is necessary to create a legally valid audit trail and certificate of completion.

Usage Data

We collect activity logs for account actions (document uploads, package creation, user management) to provide the activity log feature and for security monitoring. These logs include the action type, timestamp, and the user who performed the action.

Feedback

If you submit feedback through the in-app feedback form, we collect the topic, message body, and any screenshots you choose to attach. Your name and email address are included so we can respond.

Payment Information

Payment processing is handled entirely by Stripe. We do not store credit card numbers or bank account details on our servers. Stripe's privacy policy governs the handling of your payment information.

2. How We Use Your Information

We use your information to:

  • Provide and operate the Service (document storage, signing workflows, email notifications)
  • Authenticate your identity and secure your account
  • Generate certificates of completion with legally required audit data
  • Apply digital signatures (PKCS#7) to completed documents
  • Send transactional emails (signing invitations, completion notices, account notifications)
  • Create time-limited download links for signers to retrieve completed documents
  • Process billing and payments through Stripe
  • Monitor for abuse and enforce our Terms of Service

We do not sell your personal information. We do not use your documents or signing data for advertising or marketing purposes.

3. Data Retention

Data Type | Retention Period
Documents (completed/voided/expired packages) | 30 days after the event, then permanently deleted
Certificates of completion | Retained for the life of the account
Signing events (audit trail) | Retained for the life of the account
Digital signature records | Retained for the life of the account
Activity logs | 90 days, then automatically deleted
Account information | Retained while the account is active
Login attempt records | 7 days, then automatically deleted
Download tokens (signer access links) | 7 days from creation, then expired
Top-up purchase records | 12 months from purchase

When data reaches the end of its retention period, it is permanently deleted from our servers using irreversible database operations. We do not retain copies after deletion.

4. Third-Party Services

We use the following third-party services to operate the platform:

Service | Purpose | Data Shared
Stripe | Payment processing | Billing information (name, email, payment method)
Postal (self-hosted) | Transactional email delivery | Recipient email addresses, email content

Postal is self-hosted on our own infrastructure — email data does not leave our servers except for SMTP delivery to the recipient's mail provider. We do not use third-party analytics, advertising, or tracking services.

5. Data Security

We implement the following security measures to protect your data:

  • Encryption in transit: All connections use TLS (HTTPS)
  • Encryption at rest: Database storage is encrypted using MariaDB's file key management with AES-256
  • Passwords: Hashed with bcrypt (never stored in plaintext)
  • API keys: Stored as bcrypt hashes; only a short prefix is stored in plaintext for identification
  • Session tokens: Hashed with SHA-256 before storage
  • Document integrity: SHA-256 hashes computed at signing and completion; PKCS#7 digital signatures applied to completed documents
  • CSRF protection: All portal forms are protected against cross-site request forgery
  • Rate limiting: Authentication endpoints enforce progressive lockouts after failed attempts
  • Content Security Policy: Enforced on the signing portal to prevent code injection

6. Signer Privacy

Signers who receive signing links do not need to create an account. We collect only the information necessary for the signing transaction: their name, email address (provided by the sender), signature, field values, IP address, and user agent. This data is associated with the specific package and is subject to the same retention policies.

Signers can decline to sign any document. Declining is recorded in the audit trail.

After a package is completed, signers receive a time-limited download link (valid for 7 days) to retrieve their signed documents. These links are single-use tokens that expire automatically.

7. Your Rights

You have the right to:

  • Access your personal data — your profile and activity log are available in the application
  • Correct inaccurate data — you can update your name and email in your profile settings
  • Delete your account — contact us to request account deletion
  • Export your data — you can download your documents and certificates at any time
  • Withdraw consent — you can stop using the Service at any time

For California Residents (CCPA)

Under the California Consumer Privacy Act, you have the right to know what personal information we collect, request deletion of your data, and opt out of the sale of personal information. We do not sell personal information.

For EU/EEA Residents (GDPR)

If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation, including the right to data portability, the right to restrict processing, and the right to lodge a complaint with a supervisory authority. Our legal basis for processing your data is contract performance (providing the Service you signed up for) and legitimate interests (security, abuse prevention).

8. Cookies

The marketing site (gosignhere.com) does not use cookies or tracking technologies. The application (app.gosignhere.com) uses a session cookie for authentication purposes only. We do not use advertising cookies, analytics cookies, or third-party tracking cookies.

9. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

11. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at hello@gosignhere.com.