GDPR & Data Privacy

GDPR & Data Privacy

Last updated: 6 July 2026

We process personal data lawfully, minimally and transparently. ICO registered. UK GDPR and EU GDPR compliant.

Your Rights at a Glance

Access your data

Get a copy of everything we hold

Correct inaccuracies

Fix wrong or outdated information

Request deletion

Erase data where no legal hold applies

Restrict processing

Pause how we use your data

Data portability

Export in machine-readable format

Object to processing

Opt out of legitimate-interest uses

To exercise any right, email dpo@signflownow.com — we respond within 30 days.

01

Overview

SignFlow Now Ltd is committed to processing personal data lawfully, fairly and transparently in accordance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR 2016/679), and the Data Protection Act 2018. This page explains who we are, what data we collect, why we collect it, and your rights.

02

Data Controller

SignFlow Now Ltd is the data controller for personal data collected through this platform. Company registered in England & Wales. Registered address: 1 Canada Square, Canary Wharf, London E14 5AB. ICO Registration Number: ZB123456 (example). Data Protection Officer: dpo@signflownow.com.

03

Data We Collect

Account data: name, email address, company name, password (hashed). Professional data: job title, industry, regulatory body membership. Document data: documents you upload, recipient information, signing events, audit trails. Payment data: billing address, last 4 digits of card (full card data processed by Stripe — we never see or store full card numbers). Identity verification data: where you or your clients use ID verification, government ID images and biometric data processed by our KYC provider. Usage data: IP addresses, device information, browser type, pages visited, feature usage. Communications: emails, support chat logs, any feedback or correspondence.

05

Your Rights

Under UK GDPR and EU GDPR you have the following rights. Right of access (Article 15): Request a copy of all personal data we hold about you. Right to rectification (Article 16): Correct inaccurate data. Right to erasure (Article 17): Request deletion of your data where we have no legal obligation to retain it. Note: we are required to retain signed document audit trails for evidential integrity. Right to restriction (Article 18): Restrict processing in certain circumstances. Right to data portability (Article 20): Receive your data in a structured, machine-readable format. Right to object (Article 21): Object to processing based on legitimate interests or for direct marketing. Rights related to automated decision-making (Article 22): We do not make solely automated decisions with legal effects. AI risk scoring is advisory only. To exercise any right, email dpo@signflownow.com. We respond within 30 days.

06

Data Retention

Account data: retained while account is active + 90 days after deletion request. Signed documents and audit trails: 7 years minimum (UK legal requirement for evidential integrity). Payment records: 7 years (HMRC requirement). Identity verification data: 5 years from last transaction (AML/CTF Act requirement). Usage logs: 13 months rolling. Marketing preferences: until you unsubscribe or request deletion. You may request earlier deletion of non-legally-required data at any time.

07

Data Sharing & Processors

We share your data only with processors who are contractually bound to process it only on our instructions. Key processors: AWS (EU-West-2, London — cloud infrastructure), Stripe (payment processing), Anthropic (AI document analysis — document content is sent to Claude API; no personal data is used to train models), Supabase (database), Postmark (transactional email), Vercel (frontend hosting — UK/EU data residency). We do not sell personal data to third parties. We do not share personal data for advertising purposes.

08

International Data Transfers

By default, all data is stored in AWS eu-west-2 (London) and remains in the UK/EEA. Where processors operate in third countries (e.g. Anthropic in the US), we rely on Standard Contractual Clauses (SCCs) and, for UK transfers, the International Data Transfer Agreement (IDTA). We conduct Transfer Impact Assessments for all third-country transfers.

09

Cookies & Tracking

We use strictly necessary cookies for authentication and security. Analytics cookies (Google Tag Manager, Vercel Analytics) require your consent and are used to improve the product. Marketing cookies are only placed with explicit consent. You can manage cookie preferences via our cookie banner or by emailing privacy@signflownow.com. For full details see our Cookie Policy.

10

Data Breach Procedures

We maintain a data breach response plan. In the event of a breach likely to result in high risk to individuals, we notify the ICO within 72 hours and affected individuals without undue delay. All security incidents are logged and reviewed. To report a suspected breach or security vulnerability, contact security@signflownow.com.

11

Data Protection Officer

Our DPO is available to answer any questions about your data rights or our GDPR compliance. Email: dpo@signflownow.com. Post: Data Protection Officer, SignFlow Now Ltd, 1 Canada Square, London E14 5AB. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

12

Changes to This Policy

We update this policy when our data practices change or when legislation requires it. Material changes will be notified by email and with 30 days notice. The effective date of the latest version appears at the top of this page.

Contact Our Data Protection Officer

For any questions about your data, to exercise your rights, or to raise a data protection concern, our DPO is your direct contact.

Email: dpo@signflownow.com

ICO complaints: ico.org.uk · 0303 123 1113