← SignedBy

Privacy Policy

Effective July 14, 2026

This Privacy Policy explains how SignedBy, operated by SPRK10 B.V., a company incorporated in the Netherlands (“we,” “us,” or “our”), collects, uses, and protects personal data when you use signedby.ai, whether as an account holder (“Sender”) or as someone asked to sign a document (“Signer”).

1. Information we collect

We collect the following categories of information:

  • Account information: your name, email address, and organization details when you sign up.
  • Documents and field data: the PDFs you upload, the field values Signers enter (including typed or drawn signature images), and template configurations.
  • Signer information: the name and email address of anyone you send a document to.
  • Audit trail data:for every action taken on a document (created, sent, viewed, consent given, signed, declined, completed, voided), we record a timestamp, IP address, browser/device (“user agent”) string, and a cryptographic hash of the signed document. This exists to make the signing process legally defensible under ESIGN/UETA and is not used for advertising.
  • Engagement data: for Senders on paid plans, we record how long a Signer spends viewing each page of a document before signing (aggregated dwell time per page, not exact scroll position or keystrokes), so the Sender can see whether a document was actually read.
  • Billing information: if you subscribe to a paid plan, our payment processor, Stripe, collects your payment card details directly — SignedBy never sees or stores full card numbers.
  • Usage data: basic technical logs (e.g. request metadata) needed to operate and secure the service.

2. How we use information

We use the information above to:

  • Provide the core service — rendering documents, routing them to Signers, and producing signed PDFs;
  • Send transactional email, such as signing invitations, reminders, and completion notices;
  • Power optional AI-assisted features — suggesting where to place signature and text fields, drafting a document from your description, and summarizing a document's contents — by sending the relevant document text to an AI provider for analysis. By default this is Mistral AI; an organization can instead choose Anthropic for these features in its workspace settings, in which case that organization's document text is sent to Anthropic instead;
  • Maintain the audit trail required for a legally defensible electronic signature;
  • Process subscription payments and manage billing;
  • Secure the service and prevent abuse; and
  • Comply with legal obligations.

We do not sell personal data, and we do not use document content to serve advertising.

3. Who we share data with

We share personal data only with the service providers (“sub-processors”) needed to run SignedBy, each of which is contractually bound to protect it:

  • Supabase — hosts our database and handles account authentication;
  • Cloudflare (R2) — stores uploaded and signed document files;
  • Resend — delivers transactional email (invitations, reminders, notices);
  • Mistral AI— the default AI provider behind optional field-suggestion, document-drafting, and summary features; only document text relevant to a feature you use is sent, and it is not used to train Mistral's models;
  • Anthropic— an alternative AI provider for those same features, used only for an organization that has specifically chosen it in workspace settings instead of Mistral (never both at once); same handling — only relevant document text is sent, and it is not used to train Anthropic's models;
  • Stripe — processes subscription payments;
  • Vercel — hosts the application itself.

We may also disclose information if required by law, subpoena, or legal process, or to protect the rights, property, or safety of SignedBy, our users, or the public. A full sub-processor list is maintained in our Data Processing Addendum.

4. Data retention

We retain signed documents and their audit trail for as long as your account is active, because retrievable, reproducible records are a legal requirement for electronic signatures under ESIGN. If you delete a document or close your account, we will delete the underlying files and personal data within a reasonable period, except where we are required to retain it for legal, tax, or dispute-resolution purposes.

5. Security

Documents are encrypted in transit (TLS) and at rest. Access to signer-facing signing links is controlled by an unguessable, single-use token rather than a shared password. We restrict internal access to Customer Data to what is needed to operate and support the service. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

6. Your rights

Under the EU General Data Protection Regulation (GDPR) and, depending on where you live, other applicable privacy laws, you may have the right to access, correct, export, restrict, or delete personal data we hold about you, or to object to certain processing. You can exercise most of these rights directly from your account settings, or by emailing privacy@signedby.ai. You also have the right to lodge a complaint with your local data protection authority — in the Netherlands, this is the Autoriteit Persoonsgegevens. Where we act as a processor on behalf of a Sender (for example, for a Signer's data), we will direct your request to that Sender or assist them in responding, consistent with our Data Processing Addendum.

7. International users and data transfers

SignedBy is operated by SPRK10 B.V. from the Netherlands. Several of our sub-processors (see Section 3) are based in the United States. Where personal data is transferred outside the European Economic Area, we rely on appropriate safeguards recognized under GDPR, such as the European Commission's Standard Contractual Clauses, to protect that data. Mistral AI, the default AI provider for AI-assisted features, is based in France, keeping that processing within the European Economic Area by default; an organization that instead chooses Anthropic (based in the United States) for those features relies on the safeguards described above.

8. Children's privacy

SignedBy is not directed to children under 18, and we do not knowingly collect personal data from them.

9. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide reasonable notice, such as by email or an in-product notice, before the changes take effect.

10. Contact

Questions about this policy, or requests regarding your personal data, can be sent to privacy@signedby.ai.