Privacy Policy

Last updated: April 2026

Table of Contents

1. Introduction

SignFlow ("we", "our", "Company") operates a digital document signing platform. We respect the privacy of our users and are committed to protecting the personal information they provide to us.

This Privacy Policy explains what data we collect, how we use it, with whom we share it, how we protect it, and what your rights are with respect to your information.

This Policy applies to all users of SignFlow's services, including website visitors, registered users, and third parties receiving documents for signature.

This Privacy Policy has been written in accordance with:

  • The Privacy Protection Law, 5741-1981 and its regulations.
  • The Privacy Protection Regulations (Data Security), 5777-2017.
  • The General Data Protection Regulation of the European Union (GDPR).

2. Data We Collect

2.1 Information Provided by the User

When registering and using the Service, we collect information the user provides to us directly:

  • Personal details: Full name, email address, phone number.
  • Company details: Company name, company registration number, role.
  • Payment details: Credit card number (processed by an external payment provider — we do not store full card numbers).
  • Account details: Username, encrypted password, account preferences.

2.2 Usage Data

We automatically collect information about the use of the Service:

  • Browsing data: IP address, browser type and version, operating system, screen resolution.
  • Activity data: Pages viewed, actions performed, access times, session duration.
  • Device data: Unique device identifier, device type, operating system language.
  • Referral data: Referring URL, search terms that led to the website.

2.3 Document Data

As part of providing the Service, we process:

  • Documents: Files uploaded by the user for signing, including their content.
  • Signatures: Digital signature data, including a graphical representation of the signature.
  • Audit trail: Timestamps, signers' IP addresses, actions performed on the document, identity verification.
  • Metadata: File name, file size, upload date, number of pages.

Important clarification: SignFlow processes document content solely for the purpose of providing the Service (display, signing, storage). We do not analyze document content for marketing or other commercial purposes.

2.4 Cookies & Tracking Data

We use cookies and similar tracking technologies. For full details, please see our Cookie Policy.

3. Purposes of Data Use

We use the information collected for the following purposes:

  • Providing the Service: Processing documents, executing digital signatures, maintaining an audit trail, account management.
  • Communication: Sending notifications about documents awaiting signature, service updates, responding to inquiries.
  • Billing & payments: Processing payments, issuing invoices, managing subscriptions.
  • Service improvement: Analyzing usage patterns, identifying bugs, developing new features.
  • Security: Detecting suspicious activity, preventing fraud, protecting the system and users.
  • Legal compliance: Maintaining records as required by law, responding to court orders.
  • Marketing (with consent): Sending information about promotions, new features, and relevant content — only to users who have consented.

4. Legal Basis for Processing (GDPR)

In accordance with the General Data Protection Regulation (GDPR), we process personal data on the following legal grounds:

  • Performance of a contract (Art. 6(1)(b)): Processing data necessary for providing the Service — account management, document processing, signature execution, billing.
  • Consent (Art. 6(1)(a)): Sending marketing communications, use of non-essential cookies.
  • Legitimate interests (Art. 6(1)(f)): Service improvement, data security, fraud prevention, aggregate usage analysis.
  • Legal obligation (Art. 6(1)(c)): Maintaining accounting records, responding to regulatory requirements.

The user may withdraw their consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.

5. Sharing Data with Third Parties

We do not sell users' personal data. We share data with third parties only in the following cases:

5.1 Service Providers

  • Supabase: Database and document storage (European Union — Paris, France).
  • Payment processing provider: Credit card payment processing.
  • Google Analytics: Website usage analysis (aggregate data).
  • Email provider: Sending notifications and transactional emails.

All our service providers are bound by Data Processing Agreements (DPAs) and are obligated to maintain confidentiality and use data only for the purpose for which it was disclosed.

5.2 Law Enforcement Authorities

We may disclose data to competent authorities pursuant to a court order, a binding legal requirement, or to protect our rights or public safety.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of company assets, personal data may be transferred as part of the transaction, subject to the acquiring party's commitment to maintain a comparable privacy policy.

6. Data Storage

6.1 Storage Location

Data is stored on Supabase servers in the European Union (Paris, France). This location ensures compliance with GDPR requirements regarding the transfer of personal data.

6.2 Retention Period

We retain personal data in accordance with the following principles:

  • Account details: For as long as the account is active + 30 days after closure.
  • Signed documents: For as long as the account is active + 30 days after closure (downloadable before that).
  • Audit trail: 7 years from the date of creation (for legal and accounting purposes).
  • Billing and payment data: 7 years in accordance with VAT and Income Tax Ordinance requirements.
  • Usage data and logs: Up to 24 months.
  • Marketing data: Until consent is withdrawn.

Upon expiry of the retention period, data will be deleted or irreversibly anonymized.

7. Data Security

We employ advanced security measures to protect our users' personal information:

7.1 Encryption

  • Encryption in transit: All communication between the user and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Documents and sensitive data are encrypted using AES-256.

7.2 Access Security

  • Passwords are stored in hashed form and are not accessible to anyone, including SignFlow staff.
  • Access to production systems is restricted and monitored.
  • Support for two-factor authentication (2FA) for user accounts.

7.3 Data Security Regulations

We operate in accordance with the Privacy Protection Regulations (Data Security), 5777-2017, including:

  • Appointment of a Chief Information Security Officer.
  • Conducting periodic risk assessments.
  • Documenting security incidents and response procedures.
  • Restricting access to data on a "need to know" basis only.

7.4 Security Incident Reporting

In the event of a security incident affecting personal data, we undertake to notify affected users and the Privacy Protection Authority in accordance with applicable law, without undue delay.

8. User Rights

Under the Israeli Privacy Protection Law and the GDPR, users have the following rights:

8.1 Right of Access

You may request a copy of all personal data we hold about you.

8.2 Right to Rectification

You may request correction of inaccurate or incomplete personal data.

8.3 Right to Erasure ("Right to be Forgotten")

You may request that we delete your personal data, subject to legal limitations (e.g., maintaining accounting records).

8.4 Right to Restriction of Processing

You may request that we restrict the processing of your data in certain cases, for example if you contest the accuracy of the data.

8.5 Right to Data Portability

You may request to receive your data in a structured, commonly used, machine-readable format, and to transmit it to another service.

8.6 Right to Object

You may object to processing based on legitimate interests or for direct marketing purposes.

8.7 Right Not to be Subject to Automated Decision-Making

You may request not to be subject to decisions based solely on automated processing, including profiling, that have a legal or similarly significant effect on you.

Exercising Your Rights

To exercise any of the rights above, please contact us by email at: support@signflow.co.il. We will respond to your request within 30 days at most. We may ask you to verify your identity before fulfilling the request.

9. Cookies

We use cookies and similar tracking technologies. For full details about the types of cookies, their purposes, and how to manage them, please refer to our Cookie Policy.

10. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be published on the website and a notification will be sent to the email address registered in the account. Continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

The date of the last update is indicated at the top of this Policy.

11. Data Protection Officer (DPO)

SignFlow has appointed a Data Protection Officer responsible for overseeing the company's compliance with privacy protection requirements. For data protection and privacy inquiries, please contact:

12. Contact Us

For questions, inquiries, complaints, or requests related to privacy and your personal data:

You may also file a complaint with the Privacy Protection Authority (Registrar of Databases) at: 12 Beit Hadfus St., Jerusalem, Israel, or through the Authority's website.

Users in the European Union may file a complaint with the data protection supervisory authority in their country.