Echo SignBack to home

Privacy Policy

Last updated: February 8, 2026

1. Introduction

SignLeaf ("we," "us," or "our") is committed to protecting the privacy of our users and document signers. This Privacy Policy describes what information we collect, how we use it, and the choices you have regarding your data.

This policy applies to all users of the SignLeaf platform, including account holders who send documents and recipients who sign them.

2. Information We Collect

Account Information

When you create an account, we collect your full name, email address, and a hashed password. We do not store your password in plain text.

Documents and Signatures

We store the PDF documents you upload and the electronic signatures captured from recipients. Signatures may include drawn signature images, typed names, or uploaded signature files. We also store the position and metadata of signature fields placed on documents.

Signer Information

When a document sender adds recipients, we collect their names and email addresses. Recipients do not need to create accounts. We generate a unique, cryptographic access token for each recipient to securely access their documents.

Audit Trail Data

We automatically record document events including creation, delivery, viewing, signing, completion, and any declines or voids. Each event includes a timestamp, IP address, user agent string, and a SHA-256 cryptographic hash linking it to the previous event in the chain.

Usage and Technical Data

We collect standard technical information such as IP addresses, browser type, device information, and pages visited within the Service. This data helps us maintain security, diagnose issues, and improve the platform.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the electronic signature service
  • Deliver documents to recipients and process signatures
  • Generate and maintain tamper-evident audit trails and completion certificates
  • Send transactional emails (signature requests, completion notifications, reminders)
  • Authenticate users and protect account security
  • Enforce rate limits and prevent abuse
  • Comply with legal obligations and respond to lawful requests
  • Improve the Service based on aggregated, anonymized usage patterns

We do not sell your personal information. We do not use the content of your documents for advertising, profiling, or any purpose other than providing the Service.

4. Document Security

Protecting your documents is central to our service. We implement the following security measures:

  • Encryption in transit: All data is transmitted over HTTPS/TLS.
  • Encryption at rest: Documents are stored in encrypted cloud storage provided by Supabase with AES-256 encryption.
  • Cryptographic hashing: SHA-256 hashes are computed for documents at upload and completion to provide tamper-evidence.
  • Hash chain audit trail: Each audit event is cryptographically chained to the previous event, preventing retroactive modification.
  • Access tokens: Signing links use cryptographically random 128-bit tokens that cannot be guessed or enumerated.
  • Row-Level Security: Database access controls ensure users can only access their own documents and data.

5. Data Sharing and Third Parties

We share your information only in the following limited circumstances:

Service Providers

We use trusted third-party services to operate the platform. These providers process data solely on our behalf and under our instructions:

  • Supabase — Authentication, database, and document storage
  • Resend — Transactional email delivery (signature requests and notifications)
  • Vercel — Application hosting and infrastructure

Document Recipients

When you send a document for signing, recipients receive access to the document, your name, and email address as the sender. Completed documents include all signatures and the audit trail.

Legal Requirements

We may disclose information if required by law, court order, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6. Cookies and Local Storage

SignLeaf uses essential cookies to manage authentication sessions. We do not use tracking cookies, third-party analytics cookies, or advertising cookies. Session data is stored in secure, HTTP-only cookies managed by Supabase Auth.

7. Data Retention

We retain your data according to the following schedule:

  • Account data: Retained while your account is active and for 30 days after deletion.
  • Documents and signatures: Retained while your account is active. After account deletion, documents are permanently deleted within 90 days.
  • Audit trail records: Retained for 7 years after document completion to meet legal record retention requirements under ESIGN and UETA.
  • Transactional emails: Delivery logs are retained for 30 days.

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate personal data.
  • Deletion: Request deletion of your personal data, subject to legal retention requirements.
  • Portability: Request your data in a portable, machine-readable format.
  • Objection: Object to certain processing activities.

To exercise these rights, contact us at privacy@signleaf.com. We will respond within 30 days.

Note for document signers: If you signed a document and wish to exercise your rights, please contact the person or organization who sent you the document. They are the data controller for the document contents. We can assist with requests related to your signing data (audit events, signature images) directly.

9. California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • The right to know what personal information we collect, use, and disclose
  • The right to request deletion of your personal information
  • The right to opt out of the sale of personal information — we do not sell personal information
  • The right to non-discrimination for exercising your privacy rights

10. International Data Transfers

SignLeaf is hosted in the United States. If you access the Service from outside the United States, your data may be transferred to and processed in the United States. By using the Service, you consent to this transfer. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy.

11. Children's Privacy

SignLeaf is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will take steps to delete such information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice within the Service at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent revision.

13. Contact Us

For privacy-related questions or to exercise your data rights, contact us at:

privacy@signleaf.com