Privacy Policy

1. Introduction

SignShield ("we", "our", or "us") is operated by EchoForgeX LLC. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our video-verified digital waiver platform at signshield.io (the "Service").

We are committed to protecting your privacy. This policy applies to:

• Tenant Businesses: Organizations that use SignShield to collect waivers from their customers
• Signers: Individuals who sign waivers through our platform
• Website Visitors: Anyone who visits our marketing website

By using our Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

From Tenant Businesses

• Account information: Name, email address, company name, business type
• Billing information: Payment details processed securely by Stripe (we do not store full credit card numbers)
• Usage data: How you use the platform, features accessed, waiver templates created

From Signers

• Personal information: Name, email, phone number (as required by the waiver)
• Signature image: Digital representation of your signature
• Video recording: Recording of your consent statement (where enabled)
• Technical data: IP address, browser type, device information

Automatically Collected Information

• Cookies: Essential cookies for session management and security (CSRF protection)
• Log data: Server logs including IP addresses, access times, pages viewed
• Device information: Browser type, operating system, device type

3. How We Use Your Information

We use the information we collect for the following purposes:

• Provide the Service: Process waiver signings, generate PDFs, store records
• Process payments: Bill tenant accounts, manage subscriptions
• Send notifications: Signing links, reminders, account updates
• Improve the Service: Analyze usage patterns, fix bugs, develop new features
• Security: Detect and prevent fraud, unauthorized access, abuse
• Legal compliance: Respond to legal requests, enforce our terms

4. Data Sharing & Disclosure

We do not sell your personal data. We share information only in the following circumstances:

With Tenant Businesses

Signer information is shared with the tenant business that collected the waiver. Tenants are data controllers for their signers' data and have their own privacy policies.

With Service Providers

We use trusted third-party providers to help operate our service:

We will update this list when adding new sub-processors. Material changes will be communicated to account holders via email with 30 days notice.

Legal Requirements

We may disclose information if required by law, court order, or government request, or to protect our rights, property, or safety.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your data becomes subject to a different privacy policy.

5. Data Retention

• Active waivers: Retained according to tenant settings (typically 3-10 years for legal compliance)
• Archived waivers: Per tenant retention policy, then permanently deleted
• Account data: Retained for the duration of the account plus 90 days after closure
• Deleted data: Permanently purged within 30 days of deletion request

We retain data only as long as necessary to fulfill the purposes outlined in this policy or as required by law.

6. Data Security

We implement industry-standard security measures to protect your data:

• Encryption in transit: All data transmitted using TLS 1.2+
• Encryption at rest: Sensitive data encrypted in our database
• Access controls: Role-based access, principle of least privilege
• Regular audits: Security reviews and vulnerability assessments
• Incident response: Documented procedures for security incidents

While we strive to protect your data, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

7. Your Rights

All Users

• Access: Request a copy of your personal data
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your data (subject to legal retention requirements)
• Portability: Request your data in a machine-readable format
• Withdraw consent: Opt out of optional data processing

California Residents (CCPA)

• Right to know: What personal information we collect and how it's used
• Right to delete: Request deletion of your personal information
• Right to opt-out: We do not sell personal information, so this right is not applicable
• Non-discrimination: We will not discriminate against you for exercising your rights
• Authorized agent: You may designate an agent to submit requests on your behalf

To exercise these rights, contact us at privacy@signshield.io.

8. Cookies & Tracking

Essential Cookies

We use essential cookies that are necessary for the Service to function:

• Session cookies: Maintain your login session
• CSRF tokens: Protect against cross-site request forgery attacks

Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may prevent you from using certain features of the Service.

Email Tracking

Our marketing and outreach emails may include the following tracking technologies:

• Open tracking: Outreach emails may contain a small, transparent image (commonly called a "tracking pixel") that lets us know when an email has been opened.
• Click tracking: Links in outreach emails may be routed through our servers so we can measure which links recipients find most useful.

Data collected: When a tracking pixel loads or a link is clicked, we record the time of the event, your IP address, and browser user agent. This data is associated with the outreach record and is not shared with third parties.

Purpose: We use this information to improve the relevance, content, and timing of our communications.

Scope: Email tracking applies only to marketing and outreach emails. Transactional emails (waiver signing links, account notifications, billing alerts) do not contain tracking pixels or redirected links.

How to opt out:

• Every outreach email includes an unsubscribe link. Opting out stops all future marketing emails and associated tracking.
• Most email clients allow you to disable remote image loading, which prevents open tracking.

Do Not Track

We do not currently respond to "Do Not Track" browser signals. We do not use third-party tracking or advertising cookies.

9. International Data Transfers

Our servers are located in the United States. If you access our Service from outside the US, your data will be transferred to and processed in the US.

For EU users, we ensure adequate protection through:

• Standard Contractual Clauses (SCCs) with our sub-processors
• Technical safeguards including encryption in transit and at rest
• Data minimization practices

10. GDPR Compliance (EU Users)

Legal Basis for Processing

• Contract performance: Processing necessary to provide the Service you signed up for
• Legitimate interests: Security, fraud prevention, service improvement, email engagement measurement for outreach communications (you may object to this processing by unsubscribing from marketing emails)
• Consent: Marketing communications (opt-in only)
• Legal obligations: Tax records, compliance requirements

Your GDPR Rights

• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure / "right to be forgotten" (Article 17)
• Right to restrict processing (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21)
• Right to withdraw consent (Article 7)
• Right to lodge complaint with your supervisory authority

Data Controller vs Processor

• SignShield is the Data Controller for: tenant account data, billing data, website visitor data
• SignShield is the Data Processor for: signer waiver data (the tenant is the controller)
• Tenants are Data Controllers for their signers' personal data

Data Processing Agreements

Standard DPA terms are incorporated into our Terms of Service for all customers. Standalone DPAs are available upon request for Enterprise customers.

Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects on individuals.

11. Data Breach Notification

We maintain incident response procedures for data breaches:

• GDPR compliance: Supervisory authority notified within 72 hours of becoming aware of a qualifying breach
• High-risk breaches: Affected individuals notified without undue delay
• Tenant notification: Tenants will be promptly notified of any breach affecting their data

Breach notifications include: nature of the breach, data affected, remedial actions taken, and steps you can take to protect yourself.

12. Children's Privacy

Our Service is not intended for individuals under 18 years of age. Signers must be 18 or older, or have a parent/guardian sign on their behalf.

We do not knowingly collect personal information from children under 13. If we discover we have collected information from a child under 13, we will delete it immediately.

13. Third-Party Links

Our Service may contain links to external websites. We are not responsible for the privacy practices of these third-party sites. We encourage you to review their privacy policies before providing any personal information.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date.

For material changes that affect how we process your data, we will:

• Update the "Last Updated" date at the top of this page
• Notify account holders via email
• Provide at least 30 days notice before changes take effect

Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

15. Contact Us

For privacy-related inquiries or to exercise your rights:

• Privacy inquiries: privacy@signshield.io
• General support: support@signshield.io

When contacting us about data protection, please include "GDPR Request" or "Privacy Request" in your subject line for faster processing.

Response time: We will respond to all data subject requests within 30 days.