Privacy Policy

Effective Date: November 2025

This Privacy Policy explains how SignaSeal ("we", "our", "us") collects, uses, and protects your personal information when you use our blockchain-verified digital signature platform.

1. Information We Collect

  • Account Data: name, email, and profile image from GitHub or Google authentication providers.
  • Personal Profile Data: legal name, professional title (e.g., Mr/Mrs/Dr/CEO), full mailing address (street, city, country, postal code), contact email address, and party role in agreements.
  • Document Data: agreement text (including NDAs, freelance contracts, employment terms, and custom agreements), custom templates, typed or drawn signatures, placeholder values (project scopes, deliverables, payment terms, invention names, patent details, etc.), timestamps, and document metadata.
  • Audit & Security Data: IP address, user agent (browser information), signature timestamps, document hashes (SHA-256), blockchain timestamp proofs (OpenTimestamps), verification history, and share tokens.
  • Blockchain Data: Document hashes (SHA-256) and OpenTimestamps proof files are submitted to the Bitcoin blockchain via OpenTimestamps. This creates a permanent, public record that a hash existed at a specific time (but does NOT expose the document content itself).
  • Technical Data: essential cookies for authentication and session management.

2. Purpose of Processing

We process your data to:

  • Authenticate users via third-party OAuth providers (GitHub, Google);
  • Enable creation and signing of various legal agreements (NDAs, freelance contracts, employment terms, custom agreements);
  • Generate and verify cryptographic hashes (SHA-256) for document integrity;
  • Timestamp document hashes on the Bitcoin blockchain via OpenTimestamps for immutable proof of existence;
  • Send automated email notifications to parties involved in agreements;
  • Generate legally valid audit trails with signature timestamps, IP addresses, and blockchain verification;
  • Facilitate multi-party document signing via secure share links;
  • Allow document archiving, organization, and dashboard storage (subject to service tier);
  • Maintain service reliability, security, and compliance with applicable laws.

3. Legal Basis (GDPR)

Our lawful bases for processing include:

  • Performance of a contract (to facilitate signing);
  • Legitimate interest (security, audit);
  • Consent (for optional features and communications).

4. Data Retention

Agreements and signatures are retained based on your service tier:

  • Free Tier: Documents are available for download immediately after signing. Dashboard storage is not provided, so documents may not be accessible via your account after the signing session.
  • Paid Storage Tiers: Documents are retained indefinitely in your dashboard unless you delete them.

Logs and audit events may be anonymised or deleted after 24 months. Blockchain timestamps, once recorded on the Bitcoin blockchain, are permanent and cannot be deleted (this is by design for immutability).

5. Blockchain Data & Permanence

Important: When you sign an agreement, the document's cryptographic hash (SHA-256) is timestamped on the Bitcoin blockchain via OpenTimestamps. This means:

  • The hash becomes part of the permanent, public Bitcoin blockchain record;
  • This record cannot be deleted or modified (immutability is the core feature);
  • The hash itself does NOT reveal the document's content - it's a one-way cryptographic fingerprint;
  • Anyone can verify the timestamp independently using the OpenTimestamps proof file;
  • Deleting your account or agreement does NOT remove the blockchain timestamp (it remains forever).

Blockchain timestamping is provided via OpenTimestamps, a free, open-source service. We do not control the Bitcoin blockchain and cannot remove data once timestamped.

6. Data Sharing

We do not sell user data. We share data as follows:

  • With Other Parties to Your Agreements: When you sign an agreement, your personal information (legal name, email address, mailing address, professional title, and signature) is shared with all other parties to that specific agreement. This is essential for contract formation and legally required for the agreement to be valid. By creating or signing an agreement, you explicitly consent to this data sharing.
  • Email Service Provider: We use Resend (EU-West-1 region) to send transactional emails regarding document status, invitations, and confirmations. Resend processes recipient email addresses and message content necessary for delivery.
  • Hosting & Database Providers: Supabase (database and file storage) and Vercel (application hosting) process data necessary to operate the platform.
  • Blockchain Timestamping: Document hashes (SHA-256) are submitted to OpenTimestamps calendar servers and ultimately recorded on the Bitcoin blockchain. This is a public, decentralized network. Only the hash is shared, not the document content.
  • Legal Authorities: We may disclose data if required by law, court order, or legal process.

Important: When you provide another party's email address to invite them to sign an agreement, you confirm that you have their consent to share their email and involve them in the agreement process.

7. International Transfers

Data may be processed in the EU and/or trusted third-country services compliant with GDPR adequacy decisions. Blockchain timestamps are recorded on the global Bitcoin network, which is decentralized and not confined to any single jurisdiction.

8. Security

We implement industry-standard security measures, including:

  • Encrypted database storage for all documents and personal data;
  • Cryptographic hashing (SHA-256) of signed documents to detect tampering;
  • Unique, randomly generated share tokens for secure document access;
  • Access controls limiting document visibility to authenticated parties;
  • Secure OAuth authentication via GitHub and Google;
  • HTTPS encryption for all data transmission.

While we employ robust security practices, no system is completely immune to unauthorized access. Users should protect their share links and authentication credentials.

9. Templates & Custom Content

Users may create custom templates containing agreement text and placeholder fields. Custom templates are stored in your account and are private to you unless you share a document created from that template. Global templates provided by SignaSeal (NDAs, Freelance Agreements, Employment Terms, etc.) are available to all users. Any personal data you include in custom templates is your responsibility to manage in compliance with applicable data protection laws.

10. Share Links & Access Tokens

When you create an agreement, we generate a unique share token (a random string of characters) that allows other parties to access the document via a share link. Share tokens remain active until the document is fully signed by all parties. Anyone with access to a share link can view the document and associated party details. You should only share these links with intended recipients via secure communication channels. Once all signatures are collected, share links expire automatically.

11. Your Rights

Under GDPR, you may:

  • Access your personal data and documents;
  • Request deletion of your account and associated data;
  • Correct inaccuracies in your profile information;
  • Withdraw consent for optional processing;
  • Object to processing based on legitimate interests;
  • Request data portability (receive your data in a structured format);
  • Lodge a complaint with your national data protection authority.

Important: Deleting your account may affect the legal validity of agreements you've signed. Documents involving other parties may be retained for legal compliance even after account deletion.

Rights requests: signaseal@aramantos.dev

12. Cookies

We use essential cookies for:

  • Authentication and session management (NextAuth);
  • Maintaining your logged-in state;
  • Security and fraud prevention.

These cookies are strictly necessary for the service to function. We may use privacy-friendly analytics (Vercel Analytics, Plausible) to understand traffic and usage patterns without tracking individual users. If we add non-essential cookies in the future, we will implement a consent banner in compliance with GDPR.

13. Automated Email Communications

You will receive automated transactional emails when:

  • You create and sign a new agreement;
  • Another party invites you to sign an agreement;
  • An agreement you're involved in becomes fully executed.

These emails are essential to the service and cannot be opted out of, as they are necessary for contract execution and legal notification. We do not send marketing emails.

14. Updates to This Policy

We may update this policy periodically to reflect changes in our practices, legal requirements, or service features. Significant changes will be announced on the platform or via email. Continued use of SignaSeal after changes constitutes acceptance of the updated policy.

For questions about this Privacy Policy, please email signaseal@aramantos.dev.