01
Overview
SignFlow Now Ltd is committed to processing personal data lawfully, fairly and transparently in accordance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR 2016/679), and the Data Protection Act 2018. This page explains who we are, what data we collect, why we collect it, and your rights.
02
Data Controller
SignFlow Now Ltd is the data controller for personal data collected through this platform. Company registered in England & Wales. Registered address: 1 Canada Square, Canary Wharf, London E14 5AB. ICO Registration Number: ZB123456 (example). Data Protection Officer: dpo@signflownow.com.
03
Data We Collect
Account data: name, email address, company name, password (hashed). Professional data: job title, industry, regulatory body membership. Document data: documents you upload, recipient information, signing events, audit trails. Payment data: billing address, last 4 digits of card (full card data processed by Stripe — we never see or store full card numbers). Identity verification data: where you or your clients use ID verification, government ID images and biometric data processed by our KYC provider. Usage data: IP addresses, device information, browser type, pages visited, feature usage. Communications: emails, support chat logs, any feedback or correspondence.
04
Legal Basis for Processing
Contract performance (Article 6(1)(b)): Processing necessary to deliver the services you signed up for — storing and delivering your documents, processing signatures, sending notifications. Legitimate interests (Article 6(1)(f)): Fraud detection, platform security, service improvement, analytics. We have balanced our interests against your rights and have concluded our interests are not overridden. Legal obligation (Article 6(1)(c)): Compliance with anti-money laundering regulations, tax obligations, court orders. Consent (Article 6(1)(a)): Marketing emails and non-essential cookies. You may withdraw consent at any time. Special category data (Article 9(2)(g)): Where ID verification involves biometric data, we rely on substantial public interest (AML compliance).
05
Your Rights
Under UK GDPR and EU GDPR you have the following rights. Right of access (Article 15): Request a copy of all personal data we hold about you. Right to rectification (Article 16): Correct inaccurate data. Right to erasure (Article 17): Request deletion of your data where we have no legal obligation to retain it. Note: we are required to retain signed document audit trails for evidential integrity. Right to restriction (Article 18): Restrict processing in certain circumstances. Right to data portability (Article 20): Receive your data in a structured, machine-readable format. Right to object (Article 21): Object to processing based on legitimate interests or for direct marketing. Rights related to automated decision-making (Article 22): We do not make solely automated decisions with legal effects. AI risk scoring is advisory only. To exercise any right, email dpo@signflownow.com. We respond within 30 days.
06
Data Retention
Account data: retained while account is active + 90 days after deletion request. Signed documents and audit trails: 7 years minimum (UK legal requirement for evidential integrity). Payment records: 7 years (HMRC requirement). Identity verification data: 5 years from last transaction (AML/CTF Act requirement). Usage logs: 13 months rolling. Marketing preferences: until you unsubscribe or request deletion. You may request earlier deletion of non-legally-required data at any time.
07
Data Sharing & Processors
We share your data only with processors who are contractually bound to process it only on our instructions. Key processors: AWS (EU-West-2, London — cloud infrastructure), Stripe (payment processing), Anthropic (AI document analysis — document content is sent to Claude API; no personal data is used to train models), Supabase (database), Postmark (transactional email), Vercel (frontend hosting — UK/EU data residency). We do not sell personal data to third parties. We do not share personal data for advertising purposes.
08
International Data Transfers
By default, all data is stored in AWS eu-west-2 (London) and remains in the UK/EEA. Where processors operate in third countries (e.g. Anthropic in the US), we rely on Standard Contractual Clauses (SCCs) and, for UK transfers, the International Data Transfer Agreement (IDTA). We conduct Transfer Impact Assessments for all third-country transfers.
09
Cookies & Tracking
We use strictly necessary cookies for authentication and security. Analytics cookies (Google Tag Manager, Vercel Analytics) require your consent and are used to improve the product. Marketing cookies are only placed with explicit consent. You can manage cookie preferences via our cookie banner or by emailing privacy@signflownow.com. For full details see our Cookie Policy.
10
Data Breach Procedures
We maintain a data breach response plan. In the event of a breach likely to result in high risk to individuals, we notify the ICO within 72 hours and affected individuals without undue delay. All security incidents are logged and reviewed. To report a suspected breach or security vulnerability, contact security@signflownow.com.
11
Data Protection Officer
Our DPO is available to answer any questions about your data rights or our GDPR compliance. Email: dpo@signflownow.com. Post: Data Protection Officer, SignFlow Now Ltd, 1 Canada Square, London E14 5AB. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
12
Changes to This Policy
We update this policy when our data practices change or when legislation requires it. Material changes will be notified by email and with 30 days notice. The effective date of the latest version appears at the top of this page.