Privacy Policy

Last updated: March 23, 2026

1. Introduction

VeloSign, Inc. ("VeloSign," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our electronic signature platform and related services (the "Service"). By using the Service, you consent to the practices described in this policy.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, phone number, company name, and billing information when you create an account.
  • Document Content: Documents you upload, signature images, initials, and any text fields completed during the signing process.
  • Communications: Messages you send to us through support channels, feedback forms, or email.
  • Payment Information: Credit card numbers and billing details are collected and processed by our payment processor, Stripe. We do not store full credit card numbers on our servers.

2.2 Information Collected Automatically

  • Audit Trail Data: IP addresses, timestamps, browser type, device information, and actions taken on documents (e.g., viewed, signed, declined) for legal compliance and document integrity.
  • Usage Data: Pages visited, features used, session duration, and interaction patterns to improve the Service.
  • Device Information: Operating system, browser type and version, screen resolution, and unique device identifiers.
  • Cookies and Tracking Technologies: We use essential cookies for authentication and session management, and optional analytics cookies with your consent.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To provide, maintain, and improve the VeloSign platform, including document processing, signature collection, and audit trail generation.
  • Authentication & Security: To verify your identity, protect against unauthorized access, and maintain the security of your account and documents.
  • Legal Compliance: To generate legally compliant audit trails, certificates of completion, and evidence of signing intent as required by the ESIGN Act, UETA, eIDAS, and other applicable regulations.
  • Communication: To send transactional notifications (signing requests, completion confirmations), service updates, and security alerts.
  • Billing: To process payments, manage subscriptions, and send invoices.
  • Analytics: To understand usage patterns and improve the Service. Analytics data is aggregated and anonymized whenever possible.
  • Support: To respond to your inquiries and provide customer support.

4. Data Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

  • Signing Parties: When you send a document for signature, recipients will see your name and email address. Signed documents and audit trails are shared with all parties to the document.
  • Service Providers: We share data with trusted third-party providers who assist in operating the Service, including Stripe (payment processing), cloud hosting providers (data storage), and email delivery services. All providers are bound by data processing agreements.
  • Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction with equivalent privacy protections.
  • With Your Consent: We may share information with third parties when you have given explicit consent to do so.

5. Data Security

We implement robust security measures to protect your information:

  • Encryption: 256-bit AES encryption for data at rest and TLS 1.3 for data in transit.
  • Infrastructure: Enterprise-grade secure data centers with 24/7 monitoring and environmental safeguards.
  • Access Controls: Role-based access control, multi-factor authentication, and the principle of least privilege for all employees.
  • Testing: Regular third-party penetration testing, continuous vulnerability scanning, and a responsible disclosure bug bounty program.
  • Audit Trails: Cryptographically secured, tamper-evident audit logs for all document actions.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Document retention periods vary by plan: Free (30 days after document completion), Pro (1 year), Business (configurable retention policies). Account information is retained for 30 days after account deletion. We may retain certain data longer as required by law or for legitimate business purposes such as resolving disputes.

7. Your Rights and Choices

7.1 All Users

  • Access your personal data through your account settings
  • Update or correct inaccurate information
  • Delete your account and associated data
  • Export your documents and data
  • Opt out of marketing communications

7.2 European Economic Area (GDPR)

If you are located in the EEA, you have additional rights under the General Data Protection Regulation (GDPR):

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent at any time
  • Right to lodge a complaint with a supervisory authority

7.3 California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights:

  • Right to know what personal information is collected
  • Right to request deletion of personal information
  • Right to opt out of the sale of personal information (we do not sell your data)
  • Right to non-discrimination for exercising your rights

8. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. When we transfer data internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, data processing agreements with all third-party providers, and encryption of data in transit and at rest.

9. Children's Privacy

The Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete that information promptly.

10. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through VeloSign.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, where required, by sending you an email notification. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

VeloSign, Inc.

Data Protection Officer

Email: privacy@velosign.com

Address: Dallas, TX

For GDPR-related inquiries, you may also contact our EU representative at eu-privacy@velosign.com.