PRIVACY POLICY

Last Updated: March 09, 2025

GOODSIGN LTD

This Privacy Policy ("Policy") describes how GoodSign Ltd, a company incorporated under New Zealand law ("GoodSign," "Company," "we," "us," or "our"), collects, uses, processes, and protects personal information when you use our digital signature and document management platform, including our website at https://goodsign.io and all related services (collectively, the "Service").

We are committed to protecting your privacy and handling your personal information responsibly and in compliance with applicable data protection laws, including the New Zealand Privacy Act 2020, the European Union General Data Protection Regulation (GDPR), and other relevant privacy legislation.

BY USING OUR SERVICE, YOU CONSENT TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR PERSONAL INFORMATION AS DESCRIBED IN THIS POLICY.

TABLE OF CONTENTS

1. INFORMATION WE COLLECT
2. HOW WE USE YOUR INFORMATION
3. LEGAL BASIS FOR PROCESSING
4. INFORMATION SHARING AND DISCLOSURE
5. DATA RETENTION
6. DATA SECURITY AND PROTECTION
7. INTERNATIONAL DATA TRANSFERS
8. COOKIES AND TRACKING TECHNOLOGIES
9. THIRD-PARTY INTEGRATIONS
10. YOUR PRIVACY RIGHTS
11. CHILDREN'S PRIVACY
12. CALIFORNIA PRIVACY RIGHTS
13. EUROPEAN UNION PRIVACY RIGHTS
14. DATA BREACH NOTIFICATION
15. CHANGES TO THIS POLICY
16. CONTACT INFORMATION

1. INFORMATION WE COLLECT

1.1 Information You Provide Directly
We collect personal information that you voluntarily provide when you:
- Create and manage your GoodSign account
- Upload, send, or sign documents through our Service
- Contact our customer support team
- Subscribe to our newsletters or promotional communications
- Participate in surveys, contests, or promotional activities

This information may include:
- Full name and contact details (email address, phone number, postal address)
- Account credentials (username, password)
- Professional information (job title, company name, department)
- Digital signature data and authentication information
- Document content and metadata
- Payment and billing information
- Communication preferences and settings

1.2 Information Collected Automatically
When you use our Service, we automatically collect:
- Technical information (IP address, browser type, operating system, device identifiers)
- Usage data (pages visited, features used, time spent on Service, click patterns)
- Performance metrics (load times, error reports, system diagnostics)
- Location data (approximate geographic location based on IP address)
- Session information (login times, logout times, session duration)

1.3 Information from Third Parties
We may receive information about you from:
- Identity verification services for account authentication
- Payment processors for transaction processing
- Social media platforms (if you choose to connect your accounts)
- Business partners and integrations you authorize
- Public databases and commercially available sources

2. HOW WE USE YOUR INFORMATION

2.1 Service Provision
- Creating and maintaining your user account
- Processing and facilitating document signatures
- Storing and managing your documents securely
- Providing customer support and technical assistance
- Enabling collaboration features between users

2.2 Service Improvement
- Analyzing usage patterns to enhance user experience
- Developing new features and functionality
- Conducting research and development activities
- Optimizing Service performance and reliability
- Customizing content and recommendations

2.3 Communication
- Sending transactional notifications and service updates
- Providing customer support and responding to inquiries
- Delivering marketing communications (with your consent)
- Conducting surveys and collecting feedback
- Notifying you of important changes to our Service or policies

2.4 Legal and Security
- Complying with legal obligations and regulatory requirements
- Protecting against fraud, abuse, and security threats
- Enforcing our Terms of Service and other agreements
- Resolving disputes and investigating complaints
- Maintaining audit trails and compliance records

3. LEGAL BASIS FOR PROCESSING

We process your personal information based on the following legal grounds:

3.1 Contractual Necessity
Processing necessary to perform our contract with you and provide the Service you requested.

3.2 Legitimate Interests
Processing necessary for our legitimate business interests, including:
- Service improvement and innovation
- Security and fraud prevention
- Marketing and business development
- Administrative and operational purposes

3.3 Legal Compliance
Processing required to comply with applicable laws, regulations, and legal obligations.

3.4 Consent
Processing based on your explicit consent, which you may withdraw at any time.

4. INFORMATION SHARING AND DISCLOSURE

4.1 Service Providers
We share information with trusted third-party service providers who assist us in:
- Cloud hosting and data storage
- Payment processing and billing
- Customer support and communication
- Analytics and performance monitoring
- Security and fraud prevention

4.2 Business Partners
We may share information with authorized business partners for:
- Integration services and functionality
- Joint marketing activities (with your consent)
- Referral and affiliate programs
- Industry collaboration and standards development

4.3 Legal Requirements
We may disclose information when required by law or to:
- Comply with legal process, court orders, or government requests
- Protect our rights, property, and safety
- Investigate potential violations of our Terms of Service
- Prevent fraud, abuse, or illegal activities

4.4 Business Transactions
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to appropriate privacy protections.

5. DATA RETENTION

5.1 Retention Periods
We retain personal information for as long as necessary to:
- Provide the Service and maintain your account
- Comply with legal obligations and regulatory requirements
- Resolve disputes and enforce our agreements
- Protect against fraud and security threats

5.2 Account Deletion
When you close your account, we will:
- Deactivate your access to the Service
- Delete or anonymize your personal information within a reasonable timeframe
- Retain certain information as required by law or legitimate business interests

5.3 Document Retention
Documents processed through our Service are retained according to:
- Your account settings and preferences
- Legal requirements for record keeping
- Industry standards for document management
- Our data retention schedule and policies

6. DATA SECURITY AND PROTECTION

6.1 Security Measures
We implement comprehensive security measures including:
- Encryption of data in transit and at rest
- Multi-factor authentication and access controls
- Regular security assessments and penetration testing
- Employee training and background checks
- Incident response and recovery procedures

6.2 Infrastructure Security
Our technical infrastructure includes:
- Secure cloud hosting with enterprise-grade protection
- Network firewalls and intrusion detection systems
- Regular security updates and patch management
- Backup and disaster recovery capabilities
- Continuous monitoring and threat detection

6.3 Security Limitations
While we implement robust security measures, no system is completely secure. You acknowledge that:
- Internet transmission carries inherent risks
- Unauthorized access or disclosure may occur despite our efforts
- You should take appropriate precautions to protect your account
- You should report any suspected security incidents immediately

7. INTERNATIONAL DATA TRANSFERS

7.1 Global Operations
As a global service, we may transfer your information to countries outside your country of residence, including:
- Countries with adequate data protection laws
- Countries covered by adequacy decisions
- Countries where we have implemented appropriate safeguards

7.2 Transfer Safeguards
For transfers to countries without adequate protection, we implement:
- Standard contractual clauses approved by data protection authorities
- Binding corporate rules and privacy frameworks
- Certification schemes and codes of conduct
- Additional technical and organizational measures

8. COOKIES AND TRACKING TECHNOLOGIES

8.1 Cookie Usage
We use cookies and similar technologies to:
- Remember your preferences and settings
- Authenticate your identity and maintain sessions
- Analyze usage patterns and improve functionality
- Provide personalized content and recommendations
- Measure the effectiveness of our marketing campaigns

8.2 Cookie Categories
- Essential cookies: Required for basic Service functionality
- Performance cookies: Help us understand how you use our Service
- Functional cookies: Remember your preferences and choices
- Marketing cookies: Used for advertising and promotional purposes

8.3 Cookie Management
You can control cookies through:
- Your browser settings and preferences
- Our cookie consent management platform
- Opt-out mechanisms for specific tracking technologies
- Industry-wide preference management tools

9. THIRD-PARTY INTEGRATIONS

9.1 Connected Services
Our Service may integrate with third-party platforms including:
- Cloud storage providers (Google Drive, Dropbox, OneDrive)
- Customer relationship management systems
- Enterprise software and business applications
- Identity providers and single sign-on services

9.2 Google Drive Privacy Policy

When you connect your Google Drive account to GoodSign:

- We create a "GoodSign" folder in your Google Drive root directory
- We only save signed PDF documents to this folder
- Our access is strictly limited to files and folders we create
- We cannot access, modify, or delete any other files in your Google Drive
- Documents are synced automatically unless marked as "private"
- Team documents may sync if you have access permissions
- We do not delete any files from your Google Drive

You maintain full control over the Google Drive integration:
- You can disconnect Google Drive access at any time through Settings
- Disconnecting will stop future document syncing
- Previously synced files will remain in your Google Drive
- You can manually delete synced files from Google Drive

Google Drive data access and usage:
- We only request minimum required permissions
- We follow Google's API usage guidelines
- Your Google Drive data is protected under Google's Privacy Policy
- We do not share or sell any Google Drive data
- We maintain logs of sync activities for security purposes

For more details about Google's data practices, please review Google's Privacy Policy at https://policies.google.com/privacy


9.3 Third-Party Responsibilities
When you connect third-party services:
- Those services have their own privacy policies
- We are not responsible for their data practices
- You should review their privacy policies carefully
- You control the integration and data sharing

10. YOUR PRIVACY RIGHTS

Depending on your jurisdiction, you may have the following rights:

10.1 Access Rights
- Request access to your personal information
- Obtain a copy of your data in a structured format
- Receive information about our processing activities

10.2 Correction Rights
- Request correction of inaccurate or incomplete information
- Update your account information and preferences
- Notify us of changes to your personal details

10.3 Deletion Rights
- Request deletion of your personal information
- Exercise your "right to be forgotten" where applicable
- Close your account and remove your data

10.4 Restriction Rights
- Request limitation of processing activities
- Object to certain types of processing
- Withdraw consent for consent-based processing

10.5 Portability Rights
- Request transfer of your data to another service
- Receive your data in a machine-readable format
- Facilitate migration to alternative platforms

11. CHILDREN'S PRIVACY

11.1 Age Restrictions
Our Service is not intended for children under 18 years of age. We do not knowingly:
- Collect personal information from children
- Market our Service to minors
- Allow account creation by underage users

11.2 Parental Notification
If we become aware that we have collected information from a child:
- We will delete the information promptly
- We will notify parents or guardians when appropriate
- We will implement additional safeguards if required

12. CALIFORNIA PRIVACY RIGHTS

12.1 CCPA Rights
California residents have additional rights under the California Consumer Privacy Act:
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt out of the sale of personal information
- Right to non-discrimination for exercising privacy rights

12.2 Shine the Light
California residents may request information about third-party disclosure for direct marketing purposes once annually.

13. EUROPEAN UNION PRIVACY RIGHTS

13.1 GDPR Compliance
For EU residents, we comply with the General Data Protection Regulation, including:
- Lawful basis for all processing activities
- Data protection by design and default
- Privacy impact assessments where required
- Appointment of Data Protection Officer when necessary

13.2 Supervisory Authority
EU residents may lodge complaints with their local data protection supervisory authority.

14. DATA BREACH NOTIFICATION

14.1 Incident Response
In the event of a data breach that poses a risk to your rights and freedoms:
- We will investigate and contain the incident
- We will notify relevant authorities within 72 hours
- We will inform affected individuals without undue delay
- We will provide guidance on protective measures

15. CHANGES TO THIS POLICY

15.1 Policy Updates
We may update this Policy periodically to reflect:
- Changes in our data processing practices
- New legal requirements or regulatory guidance
- Technological developments and industry standards
- Feedback from users and stakeholders

15.2 Notification Process
We will notify you of material changes through:
- Email notification to your registered address
- Prominent notice on our website
- In-app notifications when you use our Service
- Updates to the "Last Updated" date above

16. CONTACT INFORMATION

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

GoodSign Ltd
Privacy Officer
2 Stuart Street, Ponsonby
Auckland 1011, New Zealand

Email: privacy@goodsign.io
Phone: +64 21 438 564
Website: https://goodsign.io/privacy

For EU-specific inquiries, you may also contact our EU representative at the same address.

Data Protection Officer: John Ballinger
Email: dpo@goodsign.io

---

This Privacy Policy is effective as of the date listed above and governs our collection, use, and disclosure of your personal information. By using our Service, you acknowledge that you have read and understood this Policy.


                        
© 2025 GoodSign Ltd. All rights reserved.
