1. Information We Collect
1.0 Legal Basis for Processing (GDPR Article 6)
We process your personal data under the following legal bases:
- Contract Performance: Processing necessary to provide the Service you requested (document analysis, account management)
- Legitimate Interests: Service improvement, security, fraud prevention, and analytics (where not overridden by your rights)
- Consent: Newsletter participation, optional analytics cookies, and marketing communications (which you can withdraw at any time)
- Legal Obligation: Compliance with applicable laws, regulations, and legal processes
1.1 Document Data (Temporary Processing Only)
When you upload or capture a contract for analysis:
- Document Content: The text and images from your contract are processed by our AI to generate your analysis report.
- Processing Time: Documents are processed in real-time and are NOT stored on our servers after analysis is complete.
- No Retention: We do not keep copies of your contracts. Once your analysis is delivered, the document data is immediately deleted from our processing systems.
1.2 Account Information (If You Create an Account)
If you choose to create an account, we collect:
- Email address
- Name (optional)
- Password (encrypted)
- Subscription status
1.3 Analysis Preferences
When you analyze a contract, you may optionally provide preferences to customize your analysis:
- User Persona: Your role or situation (e.g., "senior", "creator", "executive") to tailor risk explanations
- State Residence: Your U.S. state to highlight applicable consumer protections
These preferences are stored with your scan history to improve future analyses and are never shared with third parties.
1.4 Newsletter Subscription
If you subscribe to the Weekly WTF newsletter, we collect:
- Email Address: Required to send you the newsletter
- Subscription Source: Where you signed up (website, analyzer page, etc.)
- Contribution Preference: Whether you opted in to contribute anonymized clause data
You can unsubscribe at any time via the link in any newsletter email.
1.5 Usage Data
We collect anonymous usage data to improve our service:
- Number of scans performed
- Types of documents analyzed (e.g., "car loan", "gym membership") - NOT the actual content
- App performance metrics
- Feature usage statistics
1.6 Device Information
- Device type and operating system
- App version
- General location (country/region level only)
2. How We Use Your Information
| Data Type | Purpose | Retention |
|---|---|---|
| Document Content | AI analysis only | Deleted immediately after analysis |
| Analysis Results | Displayed to you | Stored on your device only (not our servers) |
| Analysis Preferences | Personalized analysis, state-specific protections | Stored with scan history until account deletion |
| Account Info | Authentication, subscription management | Until account deletion |
| Newsletter Subscription | Sending Weekly WTF newsletter | Until you unsubscribe |
| Usage Data | Service improvement, debugging | Aggregated, anonymized, 12 months |
3. Information We Do NOT Collect
We explicitly do NOT collect, store, or have access to:
- Copies of your contracts or documents
- Your financial account numbers
- Your Social Security number
- Specific contract amounts or parties involved
- Your precise GPS location
- Your contacts, photos, or other personal files
- Your browsing history outside our service
- Data from other apps on your device
We know this list seems obvious, but you'd be surprised how many apps collect this stuff. We wanted to be crystal clear: we don't.
4. Data Sharing
4.1 AI Processing Partners
Your document text is processed by our AI analysis engine using enterprise-grade language model APIs. All providers operate under zero-retention terms, meaning your data is not stored after processing and is never used for model training. The text is transmitted encrypted and deleted immediately after analysis.
AI Model Training
YOUR DATA IS NEVER USED TO TRAIN AI MODELS.
We maintain Data Processing Agreements with all AI providers that prohibit use of your data for model training. Request DPA copies: legal@sign-safe.app
Subprocessors (GDPR Article 28)
We use third-party service providers for AI processing, database hosting, email delivery, and application infrastructure. All subprocessors are bound by Data Processing Agreements with appropriate safeguards for international transfers.
For the current subprocessor list or to object to a new subprocessor: privacy@sign-safe.app
4.1.1 International Data Transfers
Our AI processing partners may process data in the United States. For transfers from the EU/EEA/UK, we rely on:
- Standard Contractual Clauses (SCCs): EU-approved contractual protections for data transfers
- Data Processing Agreements: Binding agreements requiring equivalent data protection
- Technical Safeguards: End-to-end encryption (TLS 1.3) and zero-retention processing
You may request a copy of our data transfer mechanisms by contacting privacy@sign-safe.app.
4.1.2 Automated Decision-Making (GDPR Article 22)
Our Service uses AI-powered automated analysis. You should be aware that:
- Nature of Processing: Our AI analyzes contracts to identify potential risks and favorable terms, and provides educational summaries
- No Legal Decisions: Our analysis does NOT make legally binding decisions about you or enforce contracts
- Human Review Available: You may request human review of any AI-generated analysis by contacting support@sign-safe.app
- Right to Object: Under GDPR, you may object to automated processing; we will provide alternative analysis methods upon request
The AI analysis is provided for informational purposes only and does not produce legal effects concerning you or similarly significantly affect you.
4.2 We Never Sell Your Data
We do not sell, rent, or trade any personal information to third parties. Period.
4.3 Legal Requirements
We may disclose information if required by law, such as in response to a valid subpoena or court order. However, since we don't retain your documents, we cannot produce what we don't have.
5. Data Security
We implement industry-standard security measures:
- Encryption in Transit: All data transmitted between your device and our servers uses TLS 1.3 encryption.
- Encryption at Rest: Any data we do store (account info) is encrypted using AES-256.
- Access Controls: Strict employee access policies ensure minimal data exposure.
- Regular Audits: We conduct security assessments to identify and address vulnerabilities.
5.1 Data Breach Notification
In the unlikely event of a data breach affecting your personal information:
- Regulatory Notification: We will notify relevant supervisory authorities within 72 hours as required by GDPR
- User Notification: If the breach is likely to result in high risk to your rights and freedoms, we will notify you without undue delay
- Breach Response: We maintain incident response procedures to contain, investigate, and remediate security incidents
- Documentation: All breaches are documented with details of effects and remedial actions taken
Due to our zero-retention architecture, the risk of document data exposure is minimized—we cannot breach data we do not store.
5.2 Compliance & Audits
We conduct regular Data Protection Impact Assessments and maintain appropriate cyber liability insurance. Enterprise customers may request compliance documentation and audit rights through their Data Processing Agreement. Contact: enterprise@sign-safe.app
5.5 Cookies and Similar Technologies
We use cookies and similar technologies to provide and improve our services:
Essential Cookies (Required)
These cookies are necessary for the website and app to function and cannot be disabled:
- Authentication: Secure session management via httpOnly cookies
- Security: CSRF protection and security tokens
- Preferences: Remembering your cookie consent choice
Analytics Cookies (Optional)
With your consent, we may use analytics cookies to:
- Understand how you use our services
- Improve user experience
- Identify and fix issues
Analytics data is aggregated and does not identify you personally.
Managing Your Cookie Preferences
You can manage your cookie preferences at any time:
- Cookie Banner: When you first visit, choose "Accept All" or "Essential Only"
- Browser Settings: Most browsers allow you to block or delete cookies
- Clear Local Storage: Clear your browser's local storage to reset consent
Note: Blocking essential cookies may prevent some features from working correctly.
5.6 The Weekly WTF Newsletter
SignSafe publishes "The Weekly WTF" - an educational newsletter highlighting concerning contract clauses found across various industries. This section explains how we handle data for this newsletter.
Newsletter Email Subscription
When you subscribe to the Weekly WTF newsletter:
- Email Collection: We store your email address to send you the newsletter
- Verification: We track whether your email has been verified (e.g., via welcome email)
- Unsubscribe Token: A secure token is generated to enable one-click unsubscription
- Subscription Source: We record where you signed up (website, analyzer, etc.) for analytics
Your Control: You can unsubscribe at any time by clicking the unsubscribe link in any newsletter email. Your email will be marked as unsubscribed and you will no longer receive newsletters. If you resubscribe later, we will reactivate your subscription.
Anonymized Clause Contribution (Optional)
Separately from subscribing, you may opt in to "Contribute to Weekly WTF." If enabled, we may collect anonymized, non-identifiable data from your contract analyses:
- Clause Types: Generic categories of risky clauses (e.g., "arbitration clause", "non-compete")
- Industry Category: Generic industry (e.g., "streaming platform", "fitness center") - NOT specific company names
- Risk Severity: Spiciness/toxicity ratings
- Anonymized Quotes: Contract excerpts with ALL identifying information redacted
How We Anonymize Your Data
Before any data is used for the newsletter, we apply strict anonymization:
- Company Names: Replaced with generic industry labels (e.g., "Acme Corp, Inc." becomes "[COMPANY]")
- Dollar Amounts: Converted to ranges (e.g., "$47,500" becomes "$10K-$50K")
- Personal Information: All emails, phone numbers, names, addresses, and SSNs are redacted
- k-Anonymity: We only publish patterns seen in 5+ contracts to prevent identification
- No Traceability: Anonymized items receive hash-based IDs not connected to your account
What We NEVER Include
- Your name, email, or any account information
- Specific company names or identifiable parties
- Exact dollar amounts or dates
- Geographic information more specific than country
- Any data that could be traced back to you or your contracts
Your Control Over Clause Contributions
- Opt-In Required: Clause data contribution is OFF by default. You must explicitly enable "Contribute to Weekly WTF" when subscribing or in Privacy Settings.
- Opt-Out Anytime: Disable the setting to stop all future clause data collection.
- Independent of Subscription: You can subscribe to receive the newsletter without contributing clause data, and vice versa.
- No Impact on Service: Opting out of clause contribution does not affect your access to SignSafe features.
Newsletter Content
The Weekly WTF newsletter includes:
- WTF of the Week: The most concerning clause pattern discovered
- Industry Trends: Which industries have the most problematic contracts
- Statistics: Aggregated data on clause types and risk levels
- Educational Content: Explanations of why certain clauses are risky
All content is for educational purposes only and does not constitute legal advice. The newsletter helps raise awareness about predatory contract practices without exposing any individual's private information.
6. Your Rights
Self-Service Privacy Portal
Exercise your rights instantly through our Privacy Portal. Download your data, manage consents, view activity logs, or delete your account - no email required.
6.1 Access and Portability
You can request a copy of any personal data we hold about you (primarily account information). Use our Privacy Portal to download your data instantly in JSON format.
6.2 Deletion
You can delete your account at any time through the Privacy Portal or app settings. We use a 30-day soft-delete with recovery option, after which all data is permanently purged.
6.3 Opt-Out
You can opt out of analytics tracking in the Privacy Portal or app settings.
6.4 California Residents (CCPA 2026)
California Consumer Privacy Act - January 2026 Update
This section reflects the expanded CCPA regulations effective January 1, 2026, including enhanced consumer rights, automated decision-making transparency, and strengthened privacy protections.
Your California Privacy Rights
As a California resident, you have the following rights under CCPA:
| Right | What It Means | How to Exercise |
|---|---|---|
| Right to Know | Request what personal information we collect, use, share, or sell about you. No 12-month limit - you can request information going back to January 1, 2022. | Privacy Portal or privacy@sign-safe.app |
| Right to Delete | Request deletion of your personal information (with limited exceptions for legal compliance, security, and completing transactions). | Privacy Portal - one-click deletion |
| Right to Correct | Request correction of inaccurate personal information we maintain about you. | Account settings or privacy@sign-safe.app |
| Right to Opt-Out of Sale/Sharing | Opt out of the sale or sharing of personal information for cross-context behavioral advertising. SignSafe does NOT sell or share your data - this right is automatically satisfied. | N/A - we don't sell data |
| Right to Limit Use of Sensitive PI | Limit our use and disclosure of sensitive personal information. We only process sensitive PI as strictly necessary for providing the Service. | Privacy Portal |
| Right to Opt-Out of ADMT | Opt out of automated decision-making technology for significant decisions. Our AI analysis is informational only and does not make significant decisions about you. | Request human review: support@sign-safe.app |
| Right to Non-Discrimination | We will never discriminate against you for exercising your privacy rights. No reduced service, different prices, or degraded quality. | Automatic - we honor all rights equally |
Categories of Personal Information We Collect
Under CCPA, we must disclose the categories of personal information collected. Here's our complete disclosure:
| Category | Examples | Collected? | Sold/Shared? |
|---|---|---|---|
| Identifiers | Email address, account name, IP address | Yes | No |
| Commercial Information | Subscription status, purchase history | Yes | No |
| Internet Activity | Usage logs, feature interactions (anonymized) | Yes | No |
| Geolocation Data | Country/region only (no precise location) | Yes (coarse) | No |
| Professional Information | User persona preferences (optional) | If provided | No |
| Inferences | Contract risk preferences | Minimal | No |
| Sensitive Personal Information | May be present in uploaded contracts (not retained) | Processed only | No |
| Biometric Information | Fingerprints, face scans, neural data | No | No |
| Audio/Visual Information | Photos of contracts (processed, not stored) | Processed only | No |
Sensitive Personal Information (CCPA 2026 Expanded Definition)
CCPA 2026 expands the definition of sensitive personal information to include:
- Neural Data: Data generated by measuring the activity of a consumer's central or peripheral nervous system. SignSafe does NOT collect neural data.
- Minors' Data: Enhanced protections for consumers under 16. SignSafe requires users to be 18+.
- Government IDs: Social Security numbers, driver's license numbers. We do NOT collect these.
- Financial Account Info: Account numbers with access credentials. We do NOT store financial account details.
- Precise Geolocation: We only collect country/region - never precise GPS location.
- Racial/Ethnic Origin: We do NOT collect this data.
- Health Information: May appear in uploaded contracts but is NOT retained after analysis.
Automated Decision-Making Technology (ADMT) Disclosure
CCPA 2026 requires disclosure of ADMT use for significant decisions.
SignSafe uses AI-powered contract analysis. This technology:
- Analyzes contract text to identify potential risks and concerns
- Generates educational summaries and explanations
- Does NOT make any legally binding or significant decisions about you
- Does NOT affect your access to housing, employment, credit, education, or healthcare
- Is purely informational and educational in nature
Your ADMT Rights:
- Right to Information: You can request information about the logic involved in our AI analysis
- Right to Human Review: Request human review of any AI-generated analysis by contacting support@sign-safe.app
- Right to Opt-Out: Because our ADMT does not make "significant decisions" as defined by CCPA, formal opt-out is not required. However, we honor opt-out requests voluntarily.
Dark Pattern Prohibition Commitment
CCPA 2026 prohibits "dark patterns" - manipulative design that impairs consumer choice. SignSafe commits to:
- Equal Steps: Opting out requires the same (or fewer) steps as opting in
- Neutral Design: No visual tricks making "accept" more prominent than "decline"
- No Forced Consent: Closing a pop-up is never treated as consent
- No Guilt Trips: No shaming language when you exercise privacy rights
- No Fake Urgency: No countdown timers or artificial scarcity around consent decisions
- Clear Language: All consent requests in plain English, not legalese
Opt-Out Preference Signals
SignSafe honors the following opt-out preference signals:
- Global Privacy Control (GPC): We detect and honor GPC signals from your browser. If your browser sends a GPC signal, we treat it as a valid opt-out request.
- Do Not Track (DNT): We respect DNT browser signals for analytics purposes.
- Opt-Out Confirmation: When you submit an opt-out request, we will confirm within 15 business days that your request has been processed.
Response Timeframes
- Acknowledgment: Within 10 business days of receiving your request
- Completion: Within 45 calendar days (may extend to 90 days for complex requests with notice)
- Verification: We will verify your identity using reasonable methods before processing
Authorized Agents
You may designate an authorized agent to submit privacy requests on your behalf. The agent must:
- Provide written authorization signed by you
- Verify their own identity
- Contact us at privacy@sign-safe.app with documentation
Financial Incentives
SignSafe does not offer financial incentives for the collection, retention, or sale of personal information. We do not discriminate against consumers who exercise their privacy rights.
Shine the Light (California Civil Code § 1798.83)
California residents may request information about disclosure of personal information to third parties for direct marketing purposes. SignSafe does not disclose personal information to third parties for their direct marketing purposes.
Contact for California Privacy Rights
To exercise your CCPA rights:
- Self-Service: Privacy Portal (instant, no waiting)
- Email: privacy@sign-safe.app
- Response Time: Within 45 days (typically under 7 days)
6.5 EU/EEA Residents (GDPR)
If you're in the EU/EEA, you have rights under GDPR including:
- Right of Access: Obtain confirmation of processing and a copy of your data
- Right to Rectification: Correct inaccurate personal data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restriction: Limit how we process your data
- Right to Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing
- Right to Lodge a Complaint: File a complaint with your local supervisory authority
Response Time: We will respond to all GDPR requests within 30 days. Contact us at privacy@sign-safe.app to exercise these rights.
EU Representative (Article 27)
For users in the European Union, our designated EU Representative is:
- Name: SignSafe EU Privacy Representative
- Email: eu-representative@sign-safe.app
- Address: Available upon request to privacy@sign-safe.app
Data Protection Officer
For data protection inquiries, contact our Data Protection Officer:
- Email: dpo@sign-safe.app
- Response Time: Within 5 business days
Supervisory Authority
You have the right to lodge a complaint with a supervisory authority in your member state. You can find your local authority at: EDPB Members Directory. Common authorities include:
- Ireland: Data Protection Commission (dataprotection.ie)
- Germany: Your regional Datenschutzbehörde
- France: CNIL (cnil.fr)
- Netherlands: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl)
6.6 UK Residents (UK GDPR)
Following Brexit, the UK operates under the UK GDPR and Data Protection Act 2018. UK residents have rights equivalent to those under the EU GDPR. The UK is recognized as providing adequate data protection. Contact: privacy@sign-safe.app.
6.7 Virginia Residents (VCDPA)
Virginia residents have rights under the Virginia Consumer Data Protection Act (effective January 1, 2023):
- Right to access, correct, and delete personal data
- Right to data portability
- Right to opt out of targeted advertising, sale of personal data, and profiling
- Right to appeal our decisions regarding your requests
6.8 Colorado Residents (CPA)
Colorado residents have rights under the Colorado Privacy Act (effective July 1, 2023):
- Right to access, correct, and delete personal data
- Right to data portability
- Right to opt out of targeted advertising, sale, and profiling
- Universal opt-out mechanism recognition
6.9 Connecticut Residents (CTDPA)
Connecticut residents have rights under the Connecticut Data Privacy Act (effective July 1, 2023):
- Right to access, correct, and delete personal data
- Right to data portability
- Right to opt out of targeted advertising, sale, and profiling
6.10 Utah Residents (UCPA)
Utah residents have rights under the Utah Consumer Privacy Act (effective December 31, 2023):
- Right to access and delete personal data
- Right to data portability
- Right to opt out of sale of personal data and targeted advertising
6.11 Texas Residents (TDPSA)
Texas residents have rights under the Texas Data Privacy and Security Act (effective July 1, 2024):
- Right to access, correct, and delete personal data
- Right to data portability
- Right to opt out of targeted advertising, sale, and profiling
- Right to appeal denied requests
6.12 Oregon Residents (OCPA)
Oregon residents have rights under the Oregon Consumer Privacy Act (effective July 1, 2024):
- Right to access, correct, and delete personal data
- Right to data portability
- Right to opt out of targeted advertising, sale, and profiling
- Right to obtain a list of third parties to whom data was disclosed
6.13 Montana Residents (MTCDPA)
Montana residents have rights under the Montana Consumer Data Privacy Act (effective October 1, 2024):
- Right to access, correct, and delete personal data
- Right to data portability
- Right to opt out of targeted advertising, sale, and profiling
6.14 Delaware Residents (DPDPA)
Delaware residents have rights under the Delaware Personal Data Privacy Act (effective January 1, 2025):
- Right to access, correct, and delete personal data
- Right to data portability
- Right to opt out of targeted advertising, sale, and profiling
- Right to obtain a list of categories of third parties to whom data was disclosed
6.15 Iowa Residents (ICDPA)
Iowa residents have rights under the Iowa Consumer Data Protection Act (effective January 1, 2025):
- Right to access and delete personal data
- Right to data portability
- Right to opt out of targeted advertising and sale of personal data
6.16 New Jersey Residents (NJDPA)
New Jersey residents have rights under the New Jersey Data Privacy Act (effective January 15, 2025):
- Right to access, correct, and delete personal data
- Right to data portability
- Right to opt out of targeted advertising, sale, and profiling
- Right to appeal denied requests
6.17 New Hampshire Residents (NHDPA)
New Hampshire residents have rights under the New Hampshire Privacy Act (effective January 1, 2025):
- Right to access, correct, and delete personal data
- Right to data portability
- Right to opt out of targeted advertising, sale, and profiling
6.18 Tennessee Residents (TIPA)
Tennessee residents have rights under the Tennessee Information Protection Act (effective July 1, 2025):
- Right to access, correct, and delete personal data
- Right to data portability
- Right to opt out of targeted advertising, sale, and profiling
6.19 Indiana Residents (INCDPA)
Indiana residents have rights under the Indiana Consumer Data Protection Act (effective January 1, 2026):
- Right to access, correct, and delete personal data
- Right to data portability
- Right to opt out of targeted advertising, sale, and profiling
6.20 Universal Opt-Out Recognition
SignSafe recognizes and honors Global Privacy Control (GPC) signals. If your browser sends a GPC signal, we will treat it as a valid opt-out request for the sale of personal data and targeted advertising, as required by applicable state laws.
To exercise any state privacy rights: Contact privacy@sign-safe.app with "Privacy Rights Request" in the subject line. Include your state of residence. We will respond within the timeframe required by applicable law (typically 45 days).
7. Children's Privacy & Age Verification
SignSafe is not intended for users under 18 years of age. We do not knowingly collect personal information from children.
7.1 Age Verification Measures
We implement the following age verification measures:
- Registration Gate: Users must affirm they are 18+ during account creation
- Payment Verification: Payment methods (credit cards) serve as secondary age verification
- Detection: If we detect a user may be under 18, we will suspend the account pending verification
7.2 COPPA Compliance
We comply with the Children's Online Privacy Protection Act (COPPA). We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us immediately at privacy@sign-safe.app and we will delete the data within 24 hours.
7.5 Sensitive Data Categories
Contracts may contain sensitive information. Here's how we handle special categories of data:
7.5.1 Health-Related Contracts (HIPAA Awareness)
Important: SignSafe is NOT a HIPAA-covered entity and is NOT designed for Protected Health Information (PHI). We recommend:
- Do not upload contracts containing detailed medical records or treatment information
- If you must analyze health-related contracts, redact patient names and medical record numbers first
- For healthcare organizations requiring HIPAA BAA, contact enterprise@sign-safe.app
Because we operate under zero-retention, any PHI processed is deleted immediately and never stored.
7.5.2 Financial Contracts (GLBA Awareness)
For contracts containing non-public personal financial information (NPI):
- We process but do not store financial data
- Zero-retention architecture minimizes GLBA compliance burden
- We do not share financial information with non-affiliated third parties
- Account numbers and SSNs should be redacted before upload when possible
7.5.3 Biometric Data (BIPA Compliance - Illinois)
SignSafe does NOT collect biometric data:
- We do not use facial recognition
- We do not collect fingerprints, voiceprints, or retina scans
- We do not create biometric identifiers from user data
- Document analysis is text-based only
Illinois residents are protected under BIPA. We comply by not collecting biometric data at all.
7.5.4 Legal Privilege Considerations
Attorney-Client Privilege: Uploading privileged documents to any third-party service (including SignSafe) may affect privilege. Consult your attorney before uploading privileged communications. Our zero-retention architecture minimizes exposure, but privilege considerations are your responsibility.
8. Third-Party Services
Our app may contain links to third-party websites or services. This privacy policy does not apply to those external services. We encourage you to read the privacy policies of any third-party services you use.
9. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of any material changes by:
- Posting the new policy on this page
- Updating the "Last Updated" date
- Sending an email notification (for significant changes)
- Displaying an in-app notification
30-Day Notice: For any material changes that reduce your rights or expand our data collection, we will provide at least 30 days' advance notice before the changes take effect, giving you time to review and opt out if desired.
10. Our Commitments to You
We believe privacy policies should protect users, not trap them. Here are our binding commitments:
The SignSafe Privacy Guarantee
- No Binding Arbitration: We will never require you to waive your right to a jury trial or participate in mandatory arbitration. You retain full access to courts.
- No Class Action Waiver: You retain your right to participate in class action lawsuits. We don't hide behind forced individual arbitration.
- No Data Selling - Ever: We will never sell, rent, or trade your personal information to third parties for marketing purposes. This is a binding commitment, not just a policy.
- Free Data Export: You can export all your data at any time, in a standard machine-readable format (JSON), at no cost.
- 30-Day Deletion with Recovery: When you request account deletion, your account is immediately deactivated. Data is permanently purged after a 30-day recovery window (in case you change your mind). You can cancel deletion during this period.
- No Dark Patterns: Unsubscribing is as easy as subscribing. One click. No guilt trips. No "Are you sure?" gauntlets.
- Plain Language: We commit to writing our policies in clear, understandable language. If something is confusing, email us and we'll clarify it.
Cancellation and Refund Rights
We believe you should never feel trapped:
- Right to Cancel: You may cancel your subscription at any time with no cancellation fee or penalty. Cancellation takes effect immediately.
- 14-Day Right to Rescind: New subscribers have a 14-day cooling-off period. If you change your mind within 14 days of purchase, you are entitled to a full refund with no questions asked.
- Pro-Rata Refunds: If you cancel after 14 days, you will receive a pro-rata refund for the unused portion of your billing period.
- No Auto-Renewal Traps: We will send you a reminder email at least 7 days before any subscription renewal. You can disable auto-renewal at any time in your account settings.
- Instant Cancellation: Cancel through your account settings with one click. No phone calls required. No "retention specialists." No guilt.
Limitation of Liability - Fair to Both Sides
Unlike many services that limit their liability to $0, we believe in mutual fairness:
- Our Liability Cap: Our liability to you is limited to the greater of (a) the amount you paid us in the 12 months prior to the claim, or (b) $100 USD.
- Exceptions: This cap does NOT apply to breaches of our data security obligations, gross negligence, or willful misconduct.
- No Indemnification Trap: We do not require you to indemnify us for our own mistakes. You are only responsible for your own misuse of the service.
Yes, we used our own AI to analyze this privacy policy. It scored well. If you're reading this because you analyzed our policy with SignSafe - nice work! You're exactly the kind of person who reads the fine print. We respect that.
Governing Law and Disputes
If we ever have a dispute (and we hope we don't):
- Your Choice of Venue: You may bring claims against us in the courts of your state of residence or in Delaware. We won't force you to travel.
- Small Claims Court: You may always bring claims in small claims court in your jurisdiction if your claim qualifies.
- Class Actions Permitted: You may participate in class action lawsuits. We do not require class action waivers.
- 30-Day Resolution Period: Before initiating any legal action, we agree to attempt good-faith resolution for 30 days via email.
11. Contact Us
If you have questions about this privacy policy or our data practices, please contact us:
- Email: privacy@sign-safe.app
- Data Protection Contact: privacy@sign-safe.app
- Response Time: Within 30 days (typically under 24 hours)
Version History
We believe in transparency. Here are the recent changes to this policy:
- v4.0 (Jan 21, 2026): CCPA 2026 - Comprehensive California Privacy Rights Act 2026 compliance: Enhanced Right to Know (no 12-month limit), expanded sensitive PI definition (neural data), ADMT transparency disclosure, dark pattern prohibition commitments, opt-out confirmation requirements, GPC signal recognition, authorized agent procedures, categories of personal information table, financial incentive disclosure, Shine the Light compliance
- v3.0 (Jan 13, 2026): Enterprise-grade update: Added subprocessor list, AI training disclosure, DPIA statement, cyber insurance, audit rights, litigation hold, BIPA/HIPAA/GLBA awareness, age verification, 10 additional state privacy laws (now 20 total), DPO contact, EU Representative
- v2.2 (Jan 12, 2026): Added TL;DR summary, cancellation/refund rights, fair liability cap, governing law clarity
- v2.1 (Jan 12, 2026): Added newsletter subscription disclosure, analysis preferences storage
- v2.0 (Jan 9, 2026): Major update for GDPR/CCPA/State Privacy Laws compliance
- v1.0 (Dec 2025): Initial privacy policy
Important Note: SignSafe is a tool to help you understand contracts, not a substitute for legal advice. If you have concerns about a contract's legal implications, please consult with a qualified attorney.
Achievement Unlocked: Policy Reader
You read our entire privacy policy. Only 1% of users do this. You're now in the elite club of people who actually know what they're agreeing to.
Pro tip: Did you try running this policy through SignSafe? We did. It's... actually pretty good. No dark patterns detected. You're welcome.