Privacy Policy

When you create or manage a SignBona account, we may collect:

• name;
• email address;
• password and authentication credentials, processed through our authentication provider;
• account identifiers;
• profile settings;
• avatar or profile image, if you upload one;
• language, time zone, region, date format, time format, and notification preferences;
• multi-factor authentication settings;
• hashed backup codes for account recovery;
• account status, account deletion requests, and account activity records;
• records showing your acceptance of our Terms of Service and Privacy Policy, including version numbers, timestamp, IP address, user-agent, email address, and source of acceptance.

When you use SignBona to upload, prepare, send, sign, store, or verify documents, we may collect and process:

• document titles and envelope names;
• uploaded PDF files and related document metadata;
• document page counts, file paths, file hashes, and integrity records;
• signature fields, initials fields, text fields, date fields, email fields, checkboxes, and other document fields;
• typed, drawn, uploaded, or otherwise submitted signatures and initials;
• values entered into document fields;
• user-created templates, reusable document setups, recipient roles, field placements, and related template metadata;
• custom messages, subjects, reminders, expiration settings, and workflow settings;
• final signed PDFs, stamped PDFs, certificates of completion, audit records, and verification records;
• document status, including draft, sent, in progress, completed, declined, expired, voided, archived, deleted, or retained status.

You are responsible for the documents, templates, and information that you upload or submit to SignBona. Documents may contain personal information, confidential information, financial information, legal information, business information, or other sensitive content. You should only upload documents and invite recipients when you have the right to do so.

If an account holder invites you to sign, view, receive, or otherwise interact with a document through SignBona, we may process information provided by the account holder or generated during the signing process, including:

• name;
• email address;
• company, title, role, or position, if provided;
• recipient order and signing role;
• signing token and signing request status;
• whether you viewed, opened, signed, declined, or completed a document;
• timestamps of signing-related events;
• IP address and user-agent associated with signing-related events;
• electronic record and signature consent version, consent timestamp, consent locale, IP address, and user-agent;
• one-time passcode verification status, attempts, expiration, and related security metadata, where email verification is enabled;
• decline reason, if you choose to decline signing and provide a reason;
• delivery status information, such as email bounce or delivery-failure information.

To support document integrity, legal evidence, fraud prevention, platform security, and verification, we may collect and generate:

• event logs for document creation, sending, viewing, consent, signing, declining, completion, reminders, voiding, and verification;
• IP addresses and user-agents associated with significant events;
• cryptographic hashes and integrity records;
• chained audit records designed to detect tampering;
• certificate serial numbers, fingerprints, signer certificate metadata, and related public-key infrastructure records;
• RFC 3161 timestamping metadata from our timestamp authority provider;
• public verification page status, such as valid, warning, or tampered indicators;
• security logs, rate-limit events, webhook verification records, and abuse-prevention records.

SignBona offers a Personal plan with a 30-day free trial when a user registers. Payments and subscription billing are processed through Stripe. We may collect or receive:

• Stripe customer identifiers;
• subscription identifiers;
• selected plan;
• trial status;
• subscription status;
• billing period information;
• cancellation status;
• payment method brand and limited payment method details, such as last four digits and expiration information, where made available by Stripe;
• invoice, checkout, payment failure, and billing portal metadata.

We do not store full credit card numbers or full payment credentials on our own servers. Stripe processes payment information according to its own policies and applicable payment security requirements.

If you contact us, we may collect:

• your name and email address;
• the content of your message;
• attachments or screenshots you provide;
• account, billing, document, or technical details needed to respond;
• records of our communications with you.

Please do not send sensitive document contents to support unless necessary for your request.

We may use cookies, local storage, session storage, and similar technologies to operate and improve the Services. These may include:

• authentication cookies used to keep you signed in;
• session and security cookies;
• locale or language preference cookies;
• pre-launch access cookies, where applicable;
• local storage or session storage used for interface preferences, viewer state, signing drafts, field clipboard features, or similar product functionality;
• analytics and performance technologies used to understand site performance and improve reliability.

At this time, SignBona is not designed around third-party behavioral advertising. We do not sell personal information, and we do not use personal information to build third-party advertising profiles.

We use information to:

• create and manage accounts;
• authenticate users;
• enable multi-factor authentication;
• upload, prepare, send, sign, complete, archive, and verify documents;
• generate final signed PDFs, certificates of completion, and audit trails;
• enable signer access through secure links;
• deliver email notifications, one-time passcodes, reminders, completed-document notices, and related transactional messages;
• provide billing, subscriptions, trials, cancellation access, and payment-related account status;
• provide support and respond to inquiries.

We use information to:

• record consent to electronic records and signatures;
• record intent to sign and signing-related actions;
• generate and preserve audit trails;
• apply electronic seals, PDF signatures, timestamps, and certificates of completion;
• verify the integrity and status of completed documents;
• help parties prove what happened during a signing workflow;
• detect tampering, unauthorized changes, abuse, or technical failures.

We use information to:

• prevent unauthorized access;
• detect suspicious activity;
• enforce rate limits;
• verify webhook signatures;
• investigate potential abuse, fraud, spam, phishing, malware, or misuse;
• maintain logs needed for security and reliability;
• protect users, signers, recipients, SignBona, and third parties.

We use information to:

• send transactional emails;
• send account, security, billing, and service notices;
• respond to support, privacy, legal, billing, and security requests;
• notify you about material changes to the Services or our legal terms;
• provide information about your account, documents, trial, subscription, or cancellation status.

We use information to:

• monitor performance and reliability;
• debug errors;
• analyze product usage at a technical and operational level;
• improve workflows, user experience, accessibility, and service stability;
• develop and test new features.

We do not use the contents of your documents to train public artificial intelligence models.

Information may be shared with account holders, signers, recipients, carbon-copy recipients, and other workflow participants as needed to complete or evidence a transaction. For example:

• a signer may see the document and fields they are asked to complete;
• an account holder may see document status, recipient status, timestamps, and audit information;
• completed-document recipients may receive final signed PDFs or certificates of completion;
• verification pages may show limited document integrity status without exposing unnecessary personal information.

We use third-party providers to host, operate, secure, bill, email, monitor, and timestamp the Services. These providers may process personal information only as needed to provide services to us.

Current providers may include:

• Supabase — authentication, database, storage, and related backend infrastructure;
• Vercel — hosting, deployment, analytics, speed insights, and infrastructure services;
• Stripe — checkout, payment processing, subscription billing, customer portal, invoices, and payment-related webhooks;
• Resend — transactional email delivery, including signing requests, one-time passcodes, reminders, support-related emails, and completed-document notices;
• Sentry — error monitoring, diagnostics, and reliability monitoring;
• DigiCert Timestamp Authority — RFC 3161 timestamping for PDF signing workflows, generally using document hashes rather than document contents.

We may update our providers as the Services evolve. If we make a material change to how we use subprocessors, we may update this Privacy Policy or provide other notice as appropriate.

We may disclose personal information when we believe disclosure is reasonably necessary to:

• comply with applicable law, regulation, subpoena, court order, legal process, or government request;
• enforce our Terms of Service, policies, agreements, or rights;
• investigate fraud, abuse, security incidents, spam, phishing, malware, unauthorized access, or misuse;
• protect the rights, property, safety, or security of SignBona, our users, recipients, signers, or others;
• preserve legal claims, evidence, or audit records;
• respond to privacy, security, or legal requests.

If SignBona is involved in a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, or similar transaction, personal information may be disclosed or transferred as part of that transaction, subject to appropriate confidentiality, legal, and operational protections.

We do not sell personal information. We also do not share personal information for cross-context behavioral advertising as those terms are commonly used under U.S. state privacy laws. If this changes, we will update this Privacy Policy and provide any required notices and choices.

We generally retain account data while your account is active. If you request account deletion and complete any required confirmation process, we may apply a grace period before final deletion. During this period, you may be able to cancel the deletion request.

After account deletion is finalized, we may delete or de-identify account profile data, preferences, contacts, billing records stored in our system, account consent records, and other account-level data, except where retention is required or permitted for legal, security, billing, fraud-prevention, dispute-resolution, or electronic-signature evidence purposes.

Draft documents may be deleted when an account is deleted or when a user deletes them, subject to system retention, backup, security, or operational limitations.

Documents that have been sent but not completed may be voided or expired if the account holder deletes the account or if a workflow is terminated. We may retain related records needed to show that the workflow was voided, expired, or otherwise not completed.

Completed documents, final signed PDFs, certificates of completion, audit trails, consent records, integrity logs, signing event records, verification records, and related evidence may be retained after account deletion. This retention helps preserve legally relevant evidence for signers, recipients, account holders, and other parties to a transaction.

Completed envelopes may be archived or removed from an account holder’s active view, but they may not be fully deleted from SignBona systems if deletion would compromise auditability, legal evidence, transaction records, or the ability of parties to verify a completed document.

Billing and subscription records may be retained as required for accounting, tax, fraud-prevention, chargeback, legal, and compliance purposes. Stripe may retain payment and billing information according to its own policies and legal obligations.

Residual copies of information may remain in backups, logs, or disaster-recovery systems for a limited period according to our providers’ retention practices and our operational needs. We may not be able to immediately delete information from backups, but we will handle retained backup information according to this Privacy Policy.

Depending on your interaction with the Services, we may collect the following categories of personal information:

• identifiers, such as name, email address, account ID, IP address, user-agent, signing token, Stripe customer ID, and similar identifiers;
• customer records information, such as billing-related information and account contact information;
• commercial information, such as subscription status, trial status, plan, invoices, and payment-related metadata;
• internet or electronic network activity information, such as login events, document events, page performance, device/browser metadata, and usage logs;
• geolocation-related information derived from IP address, such as approximate location;
• professional or employment-related information, if included in recipient details, templates, documents, or account profile information;
• audio, electronic, visual, or similar information, such as uploaded avatars, signature images, initials, document images, or PDF contents;
• inferences related to preferences, such as language, time zone, notification preferences, and product settings;
• sensitive personal information if you or another user includes it in documents, templates, fields, support messages, or signing workflows.

We do not intentionally collect sensitive personal information for the purpose of inferring characteristics about you. However, because users control document contents, documents uploaded to SignBona may contain sensitive information.

We may collect personal information from:

• you;
• account holders who invite signers or recipients;
• signers and recipients;
• documents, templates, and fields submitted to the Services;
• your browser, device, or network connection;
• payment, hosting, email, authentication, monitoring, and infrastructure providers;
• fraud-prevention, security, and operational systems.

We collect, use, and disclose personal information for the purposes described in this Privacy Policy, including providing the Services, processing payments, delivering emails, preserving signing evidence, maintaining security, preventing abuse, complying with law, and improving reliability.

We may disclose personal information to:

• service providers and subprocessors;
• account holders, signers, recipients, and other workflow participants;
• payment processors;
• hosting, authentication, database, storage, email, monitoring, analytics, and timestamping providers;
• legal, compliance, safety, and security recipients where required or appropriate;
• business transaction parties in connection with a merger, acquisition, financing, or similar transaction.

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

We retain each category of personal information for as long as reasonably necessary for the purposes described in this Privacy Policy, including electronic signature evidence, document integrity, legal compliance, billing, security, and dispute resolution.