TL;DR. We collect what we need to deliver document signing, evidence collection, and customer support — and nothing more. EU storage by default. Hash-chained audit trails are kept for 10 years on completed envelopes, anonymised after that. Recipients can exercise rights via the form linked below. AI features off by default; never trained on your content.
1. Who we are
Signatur Labs AS (org-nr placeholder), Oslo, Norway. We are the controller of personal data we process about our website visitors, customer admins, recipients of customer documents, and support contacts. For documents and recipient data uploaded by our customers, we act as a processor on behalf of the customer (the controller).
Data Protection Contact: privacy@signatur.app. Postal: Signatur Labs AS, Oslo, Norway. Supervisory authority: Datatilsynet (Norway).
2. What personal data we collect
Visitors
- Browser data (IP, user-agent), page interactions, anonymised analytics (with consent)
- Cookie preferences
Customer admins (you)
- Name, work email, company name, password hash, MFA secret (encrypted), locale
- Billing data (handled by Stripe — see sub-processor list)
- Login IP, device, timestamp, session metadata
Customer documents and recipient data (we are processor)
- Document title, body, metadata, version history
- Recipient name, email, role label
- Recipient interaction telemetry: IP, device, user-agent, geo estimate, page views, time spent, OTP attempts, signature image, declared phone (if used), declined reasons
- Audit trail with hash chain
Support contacts
- Email, message contents, ticket metadata
3. Why we process (purposes and lawful bases)
| Purpose | Lawful basis |
|---|---|
| Account creation, billing | Art. 6(1)(b) Contract |
| Sending and processing documents for signing (for customer) | Art. 6(1)(b) Contract (with you); for recipients, the customer establishes their own basis |
| Audit trail and evidence collection | Art. 6(1)(c) Legal obligation + (f) Legitimate interest (security & evidence) |
| Transactional email (delivery, signing notifications) | Art. 6(1)(b) / (f) |
| Marketing emails | Art. 6(1)(a) Consent |
| Product analytics | Art. 6(1)(a) Consent (cookie) |
| Error and security logs | Art. 6(1)(f) Legitimate interest |
4. Special category data (Art. 9)
Customer documents may contain special category data (e.g. health, union membership). We do not request or process such data on a controller basis ourselves. The customer must warrant a lawful basis. We apply uniform encryption and access controls regardless.
5. Who we share with
Sub-processors only — listed publicly at trust center. Each has signed a GDPR Art. 28 DPA with us and a security review. We notify customers 30 days before adding or replacing one. We may disclose to authorities where legally required (court order, etc.) and will narrow scope and notify customers when permitted.
6. International transfers
Default storage region: EU (eu-north-1, Stockholm). All production sub-processors are EU-domiciled or use EU Data Boundary offerings. We do not use US-resident SaaS for production data without valid transfer mechanism (SCCs + Schrems II supplementary measures).
7. Retention
| Data | Retention |
|---|---|
| Completed signed documents + audit chain | 10 years from completion (anonymised after) |
| Drafts | 90 days from last edit |
| Declined / voided | 5 years |
| OTP codes | 10 minutes |
| ID verification artefacts (if used) | 7 years |
| Operational logs | 30–90 days |
| Billing records (Bokføringsloven) | 5 years from end of fiscal year |
| Backups | 35 days hot + 1 year cold |
Customer can configure shorter or longer retention (within regulatory minimums) in tenant settings.
8. Your rights
- Access (Art. 15) — self-service "Export my data" in Settings → Privacy, or email privacy@signatur.app
- Rectification (Art. 16) — edit your profile, or email us
- Erasure (Art. 17) — "Delete my account" in Settings; for embedded data, email us
- Restriction (Art. 18) — email us
- Portability (Art. 20) — same export endpoint returns JSON + PDF
- Objection (Art. 21) — email us
- No automated decision-making with legal/significant effects on you (Art. 22)
Recipients of customer documents can exercise rights via /legal/data-rights. Right to lodge complaint with Datatilsynet (or your local DPA) at any time.
9. Security
See the trust center for the security overview. Highlights: TLS 1.3, AES-256 at rest, envelope encryption for PII columns, RBAC + Postgres Row-Level Security, immutable hash-chained audit, EU-only production sub-processors, mandatory MFA for admin/owner roles, annual third-party pen test.
10. Cookies
See the cookies notice for the full list. Strictly necessary cookies set without consent (session, CSRF, language). Analytics and functional cookies require opt-in. Reject as easily as accept per Datatilsynet guidance.
11. Children
Signatur is not directed to persons under 16. We do not knowingly collect data from children.
12. Changes
We post version history at the bottom. Material changes notified by email to admins at least 30 days in advance.
13. Contact
privacy@signatur.app · Norwegian Bokmål version available on request.