Privacy Policy

SecureSign Digital Signature Portal ("SecureSign", "we", "us", or "our") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our digital signature services.

1. Definitions

For the purposes of this Privacy Policy:

• "Personal Information" means information about an identifiable individual, as defined under PIPEDA and applicable provincial privacy laws
• "Service" means the SecureSign digital signature platform, including website, applications, and related services
• "User Content" means documents, signatures, and other content you upload or create using the Service
• "Processing" means any operation performed on personal information, including collection, use, disclosure, storage, and destruction

2. Information We Collect

2.1 Information You Provide Directly

Account Information

When you create an account, we collect:

• Identity Information: Full name, username, email address
• Contact Information: Email address, phone number (optional), business address (for business accounts)
• Account Credentials: Username, encrypted password
• Profile Information: Company name, job title, profile picture (optional)
• Payment Information: Credit card information, billing address (processed securely through third-party payment processors)

Document and Signature Information

• Documents: PDF files you upload for signature
• Signatures: Electronic signatures, initials, and signature field placements
• Recipient Information: Names and email addresses of individuals you send documents to
• Metadata: Document titles, descriptions, tags, and organizational information

Communications

• Support Requests: Information you provide when contacting customer support
• Feedback: Survey responses, feature requests, and other feedback
• Email Communications: Content of emails you send to us

2.2 Information Collected Automatically

Usage Information

When you use the Service, we automatically collect:

• Device Information: Device type, operating system, browser type and version, screen resolution
• Log Data: IP address, access times, pages viewed, referring/exit pages
• Activity Data: Features used, documents created, signatures completed, time spent in application
• Performance Data: Application errors, crash reports, performance metrics

Cookies and Tracking Technologies

We use cookies and similar technologies to:

• Maintain your session and keep you logged in
• Remember your preferences and settings
• Analyze usage patterns and improve the Service
• Provide security features and detect fraudulent activity

Cookie Type	Purpose	Duration
Essential Cookies	Required for service functionality and security	Session/1 year
Preference Cookies	Remember your settings and preferences	1 year
Analytics Cookies	Help us understand how you use the Service	2 years
Performance Cookies	Monitor service performance and reliability	1 year

2.3 Information from Third Parties

We may receive information from:

• Payment Processors: Transaction confirmation and payment status
• Identity Verification Services: Verification results for enhanced security (if applicable)
• Analytics Providers: Aggregated usage statistics
• Business Partners: If you access the Service through a partner integration

3. How We Use Your Information

3.1 Primary Purposes

We use your personal information to:

Service Provision

• Create and maintain your account
• Process and store your documents
• Facilitate electronic signatures
• Send documents to designated recipients
• Track signature status and provide notifications
• Store and retrieve signed documents

Communication

• Send service-related notifications (signature requests, document completion)
• Respond to your inquiries and support requests
• Send important updates about the Service
• Provide customer support and technical assistance

Payment Processing

• Process subscription payments and manage billing
• Issue invoices and receipts
• Handle refunds and billing disputes
• Prevent payment fraud

3.2 Secondary Purposes

With your consent or as permitted by law, we may use your information to:

• Improve the Service: Analyze usage patterns, develop new features, enhance user experience
• Security: Detect and prevent fraud, abuse, and security incidents
• Research: Conduct internal research and analytics (with anonymized data)
• Marketing: Send promotional communications about new features (you can opt-out anytime)
• Compliance: Comply with legal obligations and enforce our Terms of Service

4. Legal Basis for Processing (PIPEDA Compliance)

Under PIPEDA, we collect, use, and disclose personal information only with your knowledge and consent, except where otherwise permitted or required by law. Our legal bases for processing include:

4.1 Consent

• Express Consent: Obtained for sensitive information and marketing
• Implied Consent: Inferred from your actions (e.g., providing information for account creation)
• Opt-Out Consent: For certain non-sensitive communications

4.2 Contractual Necessity

Processing necessary to provide the Service under our Terms of Service

4.3 Legal Obligations

Processing required to comply with Canadian laws and regulations

4.4 Legitimate Interests

Processing necessary for fraud prevention, security, and service improvement (where not overridden by your privacy rights)

5. How We Share Your Information

5.1 Service Recipients

When you send a document for signature, we share necessary information with designated recipients:

• Recipient name and email address
• Document content
• Sender information
• Instructions and messages you include

5.2 Service Providers

We share information with trusted third-party service providers who assist us in operating the Service:

Service Provider Type	Purpose	Data Shared
Cloud Hosting	Store and process data	All account and document data
Payment Processors	Process payments	Payment information, billing address
Email Services	Send notifications and communications	Email addresses, notification content
Analytics Services	Analyze usage and improve Service	Anonymized usage data
Customer Support	Provide technical support	Account information, support tickets

All service providers are contractually obligated to protect your information and use it only for specified purposes.

5.3 Business Transfers

If SecureSign is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice and options regarding your information in such circumstances.

5.4 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities, including to:

• Comply with legal process (subpoenas, court orders)
• Enforce our Terms of Service
• Respond to claims of rights violations
• Protect the rights, property, or safety of SecureSign, our users, or the public
• Detect, prevent, or address fraud, security, or technical issues

5.5 With Your Consent

We may share your information for any other purpose with your explicit consent.

6. International Data Transfers

6.1 Data Storage Location

Your data is primarily stored on secure servers located in Canada. We maintain data residency within Canada wherever possible to comply with Canadian privacy laws.

6.2 Cross-Border Transfers

In some cases, your information may be transferred to, stored, or processed in jurisdictions outside Canada, including the United States. When we transfer data outside Canada, we ensure:

• Adequate safeguards are in place as required by PIPEDA
• Service providers are contractually bound to protect your information
• We notify you of the countries where your data may be processed
• We provide information about foreign legal requirements that may apply

7. Data Security

7.1 Security Measures

We implement appropriate technical and organizational measures to protect your personal information, including:

Technical Safeguards

• Encryption: Data encrypted in transit (TLS/SSL) and at rest (AES-256)
• Access Controls: Multi-factor authentication, role-based access, least privilege principles
• Network Security: Firewalls, intrusion detection/prevention systems
• Secure Development: Security testing, code reviews, vulnerability assessments
• Monitoring: 24/7 security monitoring and incident response

Organizational Safeguards

• Employee Training: Regular privacy and security training for all staff
• Access Limitations: Need-to-know access policies
• Background Checks: Security screening for employees with access to personal information
• Confidentiality Agreements: All staff bound by confidentiality obligations
• Incident Response: Documented procedures for security incidents

Physical Safeguards

• Secure data centers with restricted physical access
• Environmental controls and disaster recovery systems
• Secure disposal procedures for physical materials

7.2 Data Breach Notification

In the event of a data breach involving personal information that poses a real risk of significant harm, we will:

• Notify affected individuals as soon as feasible
• Report the breach to the Privacy Commissioner of Canada
• Maintain records of all breaches
• Take steps to mitigate harm and prevent future breaches

8. Data Retention

8.1 Retention Periods

We retain personal information only as long as necessary to fulfill the purposes for which it was collected and to comply with legal requirements:

Information Type	Retention Period	Reason
Account Information	Duration of account + 1 year	Service provision, legal compliance
Documents & Signatures	As long as retained by user + 7 years after deletion	Legal/regulatory requirements
Payment Records	7 years	Tax and accounting requirements
Support Communications	3 years	Quality assurance, legal protection
Log Data	90 days - 1 year	Security, troubleshooting
Marketing Data	Until consent withdrawn + 1 year	Marketing compliance

8.2 Deletion and Anonymization

After the retention period expires, we will:

• Securely delete or destroy personal information
• Anonymize data if retained for statistical purposes
• Ensure deletion from backups within a reasonable timeframe

9. Your Privacy Rights

9.1 Rights Under PIPEDA

Under PIPEDA and applicable provincial privacy laws, you have the following rights:

Right to Access

You have the right to request access to your personal information that we hold. We will provide you with:

• A copy of your personal information
• Information about how we use your data
• Information about any third parties with whom we've shared your data

Right to Correction

You can request correction of inaccurate or incomplete personal information. You can update most information directly in your account settings.

Right to Deletion

You can request deletion of your personal information, subject to:

• Legal or regulatory retention requirements
• Legitimate business purposes (e.g., fraud prevention)
• Ongoing contractual obligations

Right to Data Portability

You can request a copy of your data in a structured, commonly used format to transfer to another service provider.

Right to Withdraw Consent

You can withdraw consent for the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions. Note that withdrawing consent may limit our ability to provide certain services.

Right to Object

You can object to:

• Marketing communications (opt-out anytime)
• Certain data processing activities
• Automated decision-making

9.2 Exercising Your Rights

To exercise any of these rights:

1. Account Settings: Many rights can be exercised directly through your account dashboard
2. Email Request: Contact privacy@securesign.ca with your request
3. Written Request: Mail your request to our Privacy Officer (address below)

We will respond to your request within 30 days, or inform you if we need additional time (up to 60 days total).

9.3 Verification

For security purposes, we may need to verify your identity before responding to access, deletion, or correction requests. We may request:

• Account verification
• Government-issued identification
• Additional information to confirm your identity

10. Children's Privacy

SecureSign is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will take steps to delete such information as quickly as possible.

If you believe we have collected information from a child under 18, please contact us immediately at privacy@securesign.ca.

11. Marketing Communications

11.1 Types of Communications

We may send you:

• Service Communications: Essential notifications about your account and documents (cannot opt-out)
• Marketing Communications: Information about new features, promotions, and updates (opt-in or opt-out)

11.2 Consent and Opt-Out

In compliance with Canada's Anti-Spam Legislation (CASL), we will only send commercial electronic messages with your consent. You can:

• Opt-out of marketing emails by clicking "unsubscribe" in any marketing email
• Update your communication preferences in your account settings
• Contact us at privacy@securesign.ca to opt-out

We will process opt-out requests within 10 business days.

12. Third-Party Links and Services

The Service may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those third parties. We are not responsible for the privacy practices of third parties. We encourage you to review their privacy policies before providing any personal information.

13. Changes to This Privacy Policy

13.1 Notification of Changes

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated Privacy Policy on our website with a new "Last Updated" date
• Sending email notification to your registered email address
• Displaying a prominent notice within the Service

13.2 Your Rights Regarding Changes

If we make material changes that expand our rights to use your personal information, we will:

• Seek your express consent for the new uses
• Provide you with the opportunity to withdraw consent
• Allow you to delete your account if you do not agree

Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy for non-material changes.

14. Contact Information and Complaints

14.1 Privacy Officer

14.2 Filing a Complaint

If you believe we have violated your privacy rights or PIPEDA, you have the right to file a complaint with us. We take all complaints seriously and will investigate thoroughly.

Complaint Process:

1. Submit your complaint in writing to our Privacy Officer
2. We will acknowledge receipt within 5 business days
3. We will investigate and respond within 30 days (or explain if more time is needed)
4. If unsatisfied with our response, you may escalate to the Privacy Commissioner

14.3 Office of the Privacy Commissioner of Canada

If you are not satisfied with our response to your privacy concern, you have the right to contact:

15. Provincial Privacy Legislation

In addition to PIPEDA, the following provincial privacy laws may apply depending on your location:

• Alberta: Personal Information Protection Act (PIPA)
• British Columbia: Personal Information Protection Act (PIPA)
• Quebec: An Act respecting the protection of personal information in the private sector (Quebec Privacy Act)

If you are a resident of these provinces, you may have additional rights under provincial legislation. Please contact our Privacy Officer for more information.

16. Acknowledgment and Consent