Purpose
At Zignt, protecting privacy is a key priority. The purpose of this document is to set out how Zignt ("us," "our," or "we") collects, uses, stores, or otherwise processes personal information about customers and other individuals (collectively "you") who access or use our website at zignt.com, our electronic signature platform, and any of our other websites, products, or services that link to this Privacy Notice (the "Services").
By using our Services, you understand that we will collect and use your personal information as described in this Privacy Notice.
Zignt's core product and Services help users create, complete, and show the validity of digital or electronic transactions, such as electronically signing contracts, agreements, and other documents. As part of our Services, users want us to collect and record information that helps the parties prove the validity of the transactions, such as the names of the persons involved in the transactions, their email addresses, IP addresses, and timestamps of when documents were signed.
In some cases, we may process your personal information pursuant to an agreement with a third-party organization (such as when you sign a document sent to you by another Zignt user). In those cases, the terms of that agreement and that organization's privacy practices may govern how your personal information is processed. If you believe a third-party organization has asked us to process your personal information on their behalf, please consult with them in the first instance, as they will be responsible for how we process your information.
This Privacy Notice does not apply to any third-party websites and apps that you may use, including those to which we link in our Services. You should review the terms and policies for third-party websites and apps before clicking on any links.
1. Collection of Personal Information
You have choices about whether you visit our website, install our apps, or provide personal information to us. However, if you do not provide us with certain personal information, you may not be able to use some functionalities of our Services. For example, if you do not adopt an electronic signature, then you will not be able to sign electronic documents on our Service.
Personal Information We Collect from You
You provide us with personal information about yourself when you:
- Register or log in to your account
- Start, sign, or review an electronic document
- Create or edit your user profile
- Upload documents or create contract templates
- Create batches and send documents for signature
- Contact customer support
- Subscribe to our service plans
- Connect third-party integrations (e.g., Google Drive)
You also provide us with personal information about others when you use parts of our Services, such as when you:
- Add signers to a document batch
- Invite team members to your workspace
- Include personal information in documents you upload
Categories of Personal Information
Examples of the categories of personal information you may provide are:
- Identifiers and Contact Information: Your name, email address, company name, and electronic signature.
- Commercial Information: Billing and payment information (processed securely by Stripe—we do not store full credit card numbers), subscription plan, and products or services purchased.
- Account Data: Your login information (email and hashed password), user profile information (company name, profile photo if uploaded), and account preferences.
- Document and Signature Data: PDFs and documents you upload, signature images, form field values, and signed document content.
- Signer Information: Names, email addresses, and signatures of individuals who sign documents through our platform.
- ID Verification Data: Government-issued identification documents when ID verification is enabled (Enterprise plan only).
- Customer Service and Communications: Questions, messages, and feedback you address to us through online forms, email, or customer support channels.
Personal Information We Collect Automatically
We may automatically collect personal information from you and your devices when you use our Services, including when you visit our website without logging in:
- Device Data: IP address, unique device identifiers, browser type, operating system, and device attributes.
- Usage Data: Web log data, pages and content viewed, date and time of access, features used, and actions taken within the Service.
- Transactional/Audit Data: IP addresses, timestamps, and authentication methods related to document signing; history of actions taken in connection with a transaction (e.g., view, sign, download); and information about the devices used by signers.
- Authentication Data: Login timestamps, session information, failed login attempts, and two-factor authentication events.
Personal Information from Third Parties
We may receive personal information from third-party sources:
- Google: If you connect Google Drive, we access file metadata and store files you choose to sync. If you use Google OAuth, we receive your name and email from Google.
- Stripe: Subscription status and payment history.
2. Use of Personal Information and Lawful Bases for Processing
We use your personal information for the following purposes:
Providing Our Services
- Creating and managing your account
- Processing document uploads and electronic signatures
- Generating and storing signed documents with audit trails
- Sending signing invitations, notifications, and reminders to signers
- Processing payments and managing subscriptions
- Providing customer support and responding to inquiries
- Enabling team collaboration and workspace management
- Facilitating third-party integrations (Google Drive)
Establishing, Exercising, or Defending Legal Claims
- Collecting and recording audit trail information (IP addresses, timestamps, signer details)
- Retaining signed documents and evidence of electronic signatures
- Complying with legal obligations and responding to legal process
Service Improvement and Development
- Analyzing usage patterns to improve features and user experience
- Developing new features and functionality
- Troubleshooting technical issues
- AI-powered contract date extraction for renewal tracking (Enterprise plan)
Communications
- Sending transactional emails (account verification, signing notifications, password resets)
- Contract expiration and renewal reminders (when tracking is enabled)
- Service announcements and updates
- Marketing communications (with your consent, and you can opt out anytime)
Security and Fraud Prevention
- Protecting against fraud, unauthorized access, and abuse
- Detecting and preventing security threats
- Enforcing our Terms of Service and Acceptable Use Policy
Lawful Bases for Processing (GDPR)
Under the GDPR and similar laws, we process your personal information based on the following legal grounds:
- Contract Performance (Art. 6(1)(b)): Processing necessary to provide you with the Services you requested
- Legitimate Interests (Art. 6(1)(f)): Processing for service improvement, security, fraud prevention, and establishing legal claims, where our interests do not override your rights
- Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws
- Consent (Art. 6(1)(a)): For marketing communications and optional features, which you can withdraw at any time
3. Disclosure of Personal Information
We do not sell your personal information. We disclose your personal information only in the following circumstances:
Service Providers (Sub-processors)
We share personal information with trusted third-party service providers who help us operate our Services. All service providers are bound by data processing agreements:
- Cloudinary: Document and image storage
- Neon: Database hosting (PostgreSQL)
- Resend: Transactional email delivery
- Stripe: Payment processing
- Vercel: Application hosting and infrastructure
- Google Cloud: Google Drive integration (when enabled by user)
- OpenAI: AI-powered contract date extraction (for renewal tracking)
At Your Direction
- When you send documents to signers, we share document content and your contact information with those signers
- When you connect third-party integrations, we share data as necessary for those integrations
- When you invite team members to your workspace
Legal Requirements
We may disclose your information if required by law, subpoena, court order, or governmental request, or when we believe disclosure is necessary to:
- Comply with applicable law or legal process
- Protect our rights, privacy, safety, or property
- Protect the rights, privacy, safety, or property of you or others
- Enforce our Terms of Service
Business Transfers
In the event of a merger, acquisition, bankruptcy, or sale of assets, your personal information may be transferred to the acquiring entity. We will notify you of any such change and your options regarding your data.
4. Retention of Personal Information
We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements:
- Account Data: Retained while your account is active and for a reasonable period after closure for legal and operational purposes
- Signed Documents and Audit Trails: Retained for the duration required to establish the validity of signatures, typically 7+ years or as required by applicable law
- Transaction Records: Retained as required by tax and financial regulations
- Log Data: Generally retained for up to 90 days for security and troubleshooting
- Marketing Data: Retained until you opt out or withdraw consent
When personal information is no longer needed, we will securely delete or anonymize it.
5. Your Choices
You have choices about how your personal information is collected and used:
Account Information
You can review and update your account information at any time by logging into your account and accessing your settings.
Marketing Communications
You can opt out of receiving marketing emails by clicking the "unsubscribe" link in any marketing email or by contacting us. Note that you will continue to receive transactional communications related to your account and use of the Services.
Cookies and Tracking
You can control cookies through your browser settings. See our Cookie Policy for more information. Note that we only use essential cookies necessary for the operation of our Service.
Do Not Track
Some browsers have a "Do Not Track" feature. Since we do not engage in tracking activities or use advertising cookies, we treat all users the same regardless of DNT settings.
Third-Party Integrations
You can disconnect third-party integrations (such as Google Drive) at any time through your account settings.
6. Your Privacy Rights
Depending on your location, you may have certain rights regarding your personal information:
Rights Under GDPR (EEA/UK Residents)
- Right of Access: Request a copy of your personal data
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Restriction: Request limitation of processing
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent: Where processing is based on consent
- Right to Lodge a Complaint: File a complaint with a supervisory authority
How to Exercise Your Rights
To exercise any of these rights, please contact us at privacy@zignt.com. We will respond within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.
Authorized Agents
You may authorize an agent to make a request on your behalf. We will require proof of your identity and the agent's authorization.
7. Children's Privacy
Our Services are not intended for children under 18 years of age (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@zignt.com, and we will take steps to delete such information.
8. Notice to California Residents
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information.
Your CCPA Rights
- Right to Know: Request disclosure of the categories and specific pieces of personal information collected, used, and disclosed
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: Opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising
- Right to Non-Discrimination: Not be discriminated against for exercising your rights
We Do Not Sell Your Personal Information
Zignt does not "sell" personal information as defined by the CCPA/CPRA. We do not disclose personal information to third parties for monetary or other valuable consideration.
Categories of Information Collected
In the preceding 12 months, we have collected the following categories of personal information:
- Identifiers (name, email address, IP address)
- Commercial information (subscription plan, payment history)
- Internet or network activity (usage data, device information)
- Professional or employment-related information (company name)
- Inferences drawn from the above
How to Exercise Your Rights
California residents can exercise their rights by contacting us at privacy@zignt.com. We will verify your identity and respond within 45 days.
Shine the Light Law
Under California Civil Code Section 1798.83 (the "Shine the Light" law), California residents may request information about the disclosure of personal information to third parties for direct marketing purposes. Zignt does not disclose personal information to third parties for their direct marketing purposes.
9. How We Protect Your Personal Information
We have implemented appropriate technical, physical, and organizational measures to protect your personal information from misuse or accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, acquisition, or access:
- Encryption: 256-bit SSL/TLS encryption for all data in transit; encryption at rest for stored data
- Access Controls: Role-based access controls and authentication requirements
- Password Security: Passwords are hashed using industry-standard algorithms (bcrypt); never stored in plain text
- Two-Factor Authentication: Available for enhanced account security
- Account Protection: Automatic account lockout after failed login attempts
- Secure Infrastructure: Hosting on secure cloud infrastructure with DDoS protection
- Confidentiality: Staff access to personal information is limited and subject to confidentiality obligations
While we implement robust security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
10. International Data Transfers
Your personal information may be transferred to and processed in countries outside your country of residence, including the United States and other countries where our service providers operate.
For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland to countries without an adequacy decision, we implement appropriate safeguards:
- Standard Contractual Clauses (SCCs): EU-approved clauses for international transfers
- Supplementary Measures: Additional technical and organizational measures where required
- Data Processing Agreements: Binding agreements with all service providers
For more details, see our Data Processing Agreement.
11. Changes to This Privacy Notice
We may amend this Privacy Notice to reflect changes in the law, our Services, our data processing practices, or advances in technology. Our use of the personal information we collect is subject to the Privacy Notice in effect at the time such personal information is used.
When we make material changes, we will notify you by posting the updated Privacy Notice on this page with a new version date and, where appropriate, by email.
13. Supplemental Privacy Disclosures for Users in Certain Countries
If you reside in one of the following regions, the additional disclosures below also apply. To the extent there is a conflict between the country-specific language and the provisions above, the country-specific provisions control.
European Economic Area (EEA)
- Data Controller: Zignt is the data controller for personal information collected through the Services.
- Supervisory Authority: You have the right to lodge a complaint with your local data protection authority.
- Legal Basis: See Section 2 for our lawful bases for processing under GDPR.
United Kingdom
- UK GDPR: We comply with the UK General Data Protection Regulation and Data Protection Act 2018.
- Supervisory Authority: You have the right to lodge a complaint with the Information Commissioner's Office (ICO).
Australia
- We comply with the Australian Privacy Principles under the Privacy Act 1988 (Cth).
- To submit a complaint regarding our compliance with Australian law, please contact us. We will take reasonable steps to investigate and respond within a reasonable timeframe.
Canada
- We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA).
- Your personal information may be transferred outside Canada for processing, where it will be subject to that jurisdiction's laws.
Brazil
- We comply with the Lei Geral de Proteção de Dados (LGPD).
- In addition to the rights listed above, Brazilian residents have the right to: confirm the existence of processing; request anonymization, blocking, or elimination of unnecessary data; obtain information about entities to which we disclose data; and request revision of automated decisions.