SignaSeal Watermark
SignaSeal Logo

Privacy Policy

Last Updated: February 2026

Data Controller: Aramantos Digital

This Privacy Policy explains how SignaSeal ("we", "our", "us") collects, uses, and protects your personal information when you use our blockchain-verified digital signature platform.

1. Information We Collect

  • Account Data: name, email, and profile image from GitHub or Google authentication providers.
  • Personal Profile Data: legal name, professional title (e.g., Mr/Mrs/Dr/CEO), full mailing address (street, city, country, postal code), contact email address, and party role in agreements.
  • Document Data: agreement text (including NDAs, freelance contracts, employment terms, and custom agreements), custom templates, typed or drawn signatures, placeholder values (project scopes, deliverables, payment terms, invention names, patent details, etc.), timestamps, and document metadata.
  • Audit & Security Data: IP address, user agent (browser information), signature timestamps, document hashes (SHA-256), blockchain timestamp proofs (OpenTimestamps), verification history, and share tokens.
  • Blockchain Data: Document hashes (SHA-256) and OpenTimestamps proof files are submitted to the Bitcoin blockchain via OpenTimestamps. This creates a permanent, public record that a hash existed at a specific time (but does NOT expose the document content itself).
  • Technical Data: essential cookies for authentication and session management.

2. Purpose of Processing

We process your data to:

  • Authenticate users via third-party OAuth providers (GitHub, Google);
  • Enable creation and signing of various legal agreements (NDAs, freelance contracts, employment terms, custom agreements);
  • Generate and verify cryptographic hashes (SHA-256) for document integrity;
  • Timestamp document hashes on the Bitcoin blockchain via OpenTimestamps for immutable proof of existence;
  • Send automated email notifications to parties involved in agreements;
  • Generate legally valid audit trails with signature timestamps, IP addresses, and blockchain verification;
  • Facilitate multi-party document signing via secure share links;
  • Allow document archiving, organization, and dashboard storage (subject to service tier);
  • Maintain service reliability, security, and compliance with applicable laws.

3. Legal Basis (GDPR)

Our lawful bases for processing include:

  • Performance of a contract (to facilitate signing);
  • Legitimate interest (security, audit);
  • Consent (for optional features and communications).

4. Data Retention

Agreements and signatures are retained based on your service tier:

  • Free Tier: Documents are available for download immediately after signing. Documents and associated data are retained for 48 hours after completion, then permanently deleted. Dashboard storage is not provided.
  • Individual Tiers: Documents are stored in your dashboard for long-term access. Upon account deletion, all data is permanently deleted within 30 days.
  • Enterprise Tiers: Documents are stored with extended retention and organisation features. Upon account deletion, all data is permanently deleted within 90 days.

Logs and audit events may be anonymised or deleted after 24 months. Blockchain timestamps, once recorded on the Bitcoin blockchain, are permanent and cannot be deleted (this is by design for immutability).

5. Blockchain Data & Permanence

Important: When you sign an agreement, the document's cryptographic hash (SHA-256) is timestamped on the Bitcoin blockchain via OpenTimestamps. This means:

  • The hash becomes part of the permanent, public Bitcoin blockchain record;
  • This record cannot be deleted or modified (immutability is the core feature);
  • The hash itself does NOT reveal the document's content - it's a one-way cryptographic fingerprint;
  • Anyone can verify the timestamp independently using the OpenTimestamps proof file;
  • Deleting your account or agreement does NOT remove the blockchain timestamp (it remains forever).

Blockchain timestamping is provided via OpenTimestamps, a free, open-source service. We do not control the Bitcoin blockchain and cannot remove data once timestamped.

6. Data Sharing

We do not sell user data. We share data as follows:

  • With Other Parties to Your Agreements: When you sign an agreement, your personal information (legal name, email address, mailing address, professional title, and signature) is shared with all other parties to that specific agreement. This is essential for contract formation and legally required for the agreement to be valid. By creating or signing an agreement, you explicitly consent to this data sharing.
  • Third-Party Service Providers: We use the services listed in Section 7 below to operate the platform. Each provider processes only the data necessary for their specific function.
  • Legal Authorities: We may disclose data if required by law, court order, or legal process.

Important: When you provide another party's email address to invite them to sign an agreement, you confirm that you have their consent to share their email and involve them in the agreement process.

7. Third-Party Services

SignaSeal relies on the following third-party services to operate. Each provider processes only the data necessary for their specific function:

  • Cloudflare — DNS management and email routing. All traffic to SignaSeal passes through Cloudflare's network. Privacy Policy
  • Vercel — Application hosting and CDN. Serves the SignaSeal web application and serverless functions. Privacy Policy
  • Google Cloud Platform — Authentication and identity infrastructure. Aramantos Core runs on Cloud Run and handles OAuth/identity for all Aramantos products. Privacy Notice
  • Supabase — Database and file storage. Stores user accounts, documents, signatures, and related data. Privacy Policy
  • Stripe — Payment processing. Handles subscription billing and payment card data. SignaSeal does not store your payment card details. Privacy Policy
  • Resend — Transactional email delivery. Processes recipient email addresses and message content necessary for sending agreement notifications. Privacy Policy
  • OpenTimestamps — Bitcoin blockchain timestamping protocol. Document hashes (SHA-256) are submitted to OpenTimestamps calendar servers and recorded on the Bitcoin blockchain. OpenTimestamps is an open-source protocol and does not collect personal data.

8. International Transfers

Data may be processed in the EU and/or trusted third-country services compliant with GDPR adequacy decisions. Blockchain timestamps are recorded on the global Bitcoin network, which is decentralized and not confined to any single jurisdiction.

9. Security

We implement industry-standard security measures, including:

  • Encrypted database storage for all documents and personal data;
  • Cryptographic hashing (SHA-256) of signed documents to detect tampering;
  • Unique, randomly-generated share tokens for secure document access;
  • Access controls limiting document visibility to authenticated parties;
  • Secure OAuth authentication via GitHub and Google;
  • HTTPS encryption for all data transmission.

While we employ robust security practices, no system is completely immune to unauthorized access. Users should protect their share links and authentication credentials.

10. Templates & Custom Content

Users may create custom templates containing agreement text and placeholder fields. Custom templates are stored in your account and are private to you unless you share a document created from that template. Global templates provided by SignaSeal (NDAs, Freelance Agreements, Employment Terms, etc.) are available to all users. Any personal data you include in custom templates is your responsibility to manage in compliance with applicable data protection laws.

11. Share Links & Access Tokens

When you create an agreement, we generate a unique share token (a random string of characters) that allows other parties to access the document via a share link. Share tokens remain active until the document is fully signed by all parties. Anyone with access to a share link can view the document and associated party details. You should only share these links with intended recipients via secure communication channels. Once all signatures are collected, share links expire automatically.

12. Your Rights

Under GDPR, you may:

  • Access your personal data and documents;
  • Request deletion of your account and associated data;
  • Correct inaccuracies in your profile information;
  • Withdraw consent for optional processing;
  • Object to processing based on legitimate interests;
  • Request data portability (receive your data in a structured format);
  • Lodge a complaint with your national data protection authority.

Important: Deleting your account may affect the legal validity of agreements you've signed. Documents involving other parties may be retained for legal compliance even after account deletion.

Rights requests: signaseal@aramantos.dev

13. Cookies

We use essential cookies for:

  • Authentication and session management;
  • Maintaining your logged-in state;
  • Security and fraud prevention.

These cookies are strictly necessary for the service to function. We may use privacy-friendly analytics (Vercel Analytics, Plausible) to understand traffic and usage patterns without tracking individual users. If we add non-essential cookies in the future, we will implement a consent banner in compliance with GDPR.

14. Automated Email Communications

You will receive automated transactional emails when:

  • You create and sign a new agreement;
  • Another party invites you to sign an agreement;
  • An agreement you're involved in becomes fully executed.

These emails are essential to the service and cannot be opted out of, as they are necessary for contract execution and legal notification. We do not send marketing emails.

15. Updates to This Policy

We may update this policy periodically to reflect changes in our practices, legal requirements, or service features. Significant changes will be announced on the platform or via email. Continued use of SignaSeal after changes constitutes acceptance of the updated policy.

For questions about this Privacy Policy, please email signaseal@aramantos.dev.