Legal

Privacy policy

Last updated: April 30, 2026

This policy explains what personal data we process when you use SignBona, for what purpose, for how long, and with what guarantees. It's drafted in line with the California Consumer Privacy Act (CCPA), as amended by the CPRA, and similar U.S. state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, etc.).

1. Who is responsible

SIGNBONA LLC (hereinafter, "SignBona" or "we"), owner of the domain signbona.com, is the entity responsible ("business" within the meaning of the CCPA) for processing your data. For any matter related to your data, write to us at privacy@signbona.com.

The data controller is SIGNBONA LLC, a U.S. limited liability company. For legal notices, write to legal@signbona.com.

2. Categories of data we process

We only process the data necessary to provide the service. The categories are:

  • Account data: email address, password (stored only as a hash, never in recoverable form; see section 8), first name, last name, company, job title, language, time zone and preferred date format.
  • Personalization data: signature image, initials, logo, color and brand email footer.
  • Recipient data you add to an envelope: name, email, company, job title and, where applicable, phone. You, as the sender, collect and provide us with this data.
  • Documents and signed fields: original PDFs uploaded, completed fields (text, checkboxes, dates, graphical signatures), final signed PDF and audit certificate.
  • Signature process data: signer IP address and user-agent at the moment of viewing and signing, timestamps, the OTP code (stored only as a salted hash combined with a server-side "pepper", never in clear) and the event log (creation, sending, viewing, signing, decline, delegation, void), each entry chained to the previous one with HMAC-SHA256 so that edits, deletions or reordering can be detected.
  • Technical data: session cookies, anonymized error logs and service operating metrics.

We ask that you don't use SignBona to sign documents containing regulated sensitive information (medical data subject to HIPAA, financial data subject to GLBA, children's data subject to COPPA, etc.) except under your own responsibility and with the additional safeguards required.

3. Purposes of processing

We process your data for the following business purposes (within the meaning of the CCPA):

  • Providing the electronic signature service (creating envelopes, sending invitations, generating the signed PDF and the audit certificate): performance of our contract with you.
  • Generating and preserving evidence of the signature (IP recording, user-agent, RFC 3161 timestamp, HMAC chain of event traces): compliance with legal obligations under the ESIGN Act and UETA, which require preserving evidence of the signature.
  • Authentication and account security (signup, sign-in, password recovery, signing OTP, abuse prevention and rate-limiting): legitimate interest in service security.
  • Operational communications (signature notifications, automatic reminders, bounce or expiration notices): performance of the contract.
  • Handling support requests: performance of the contract and legitimate interest in maintaining service quality.
  • Compliance with legal obligations (handling consumer rights requests, valid requests from authorities): legal compliance.

SignBona currently does not send commercial communications nor use your data for advertising purposes. If we do so in the future, we will notify you in advance and request your express consent.

4. Retention periods

We retain data for as long as necessary to fulfill the stated purposes and, afterwards, for the applicable legal periods:

  • Account data: as long as the account is active. If you request deletion, the account is marked for purge with a 30-day grace period during which you can cancel the request. After that period your personal data is deleted.
  • Envelopes and documents: as long as the account is active. When you delete them a soft delete is applied, removing them from your view; they may remain in backups for a limited time for technical reasons before final deletion.
  • Signed envelopes, audit certificates and event logs: signer and sender may need the document as evidence for years. We therefore keep completed envelopes, their signed PDF, the timestamp and the event chain while the account is active. We recommend downloading and archiving the certificate in your own document management system.
  • Technical and security logs: for a maximum of 12 months, except where they must be kept longer to investigate incidents or comply with legal obligations.
  • Support communications: up to 24 months after the last interaction.

5. Service providers and third parties

We do not sell or share your personal data for advertising purposes (within the meaning of the CCPA). We only disclose it to the providers ("service providers" within the meaning of the CCPA) strictly necessary to operate the service, all of them bound by a data processing agreement (DPA):

  • Supabase (database hosting, authentication and file storage). Documents and account data are encrypted at rest and in transit.
  • Resend (transactional email delivery: signature invitations, OTPs, reminders, password recovery). Processes only the email address, name and message content. We receive bounce and complaint events to keep the list clean.
  • Time-stamping authority (TSA, RFC 3161) — by default freetsa.org — to issue the trusted timestamp on the signed document. Only the cryptographic digest (SHA-256) of the signed PDF is sent, never its content, so the TSA cannot reconstruct the document from the request.
  • Sentry (optional): if configured, receives technical error information. It does not receive document content.

We may disclose your data to competent public authorities when there's a legal obligation, and to third parties you expressly designate (for example, when delegating a signature).

6. Storage and transfers

Your data is stored on cloud infrastructure located in the United States (Supabase / AWS US). We do not transfer personal data to any party other than the providers listed in section 5; where one of them processes data outside the U.S., we apply technical safeguards (encryption in transit and at rest, access control) to protect it.

7. Your rights

If you are a California resident (CCPA/CPRA) or a resident of another state with similar legislation (Virginia, Colorado, Connecticut, Utah, etc.), you have the right to:

  • Know and access what personal data we collect about you and obtain a copy.
  • Correct inaccurate data.
  • Delete your personal data. If you've signed documents, we may retain the signature evidence to preserve its legal validity vis-à-vis third parties, in line with CCPA §1798.105(d) exceptions.
  • Opt out of sale or sharing of your personal data (not applicable: SignBona does not sell or share data for advertising).
  • Port your data in a structured, commonly used format.
  • Non-discrimination for exercising your privacy rights.

You can exercise these rights from the Settings section of your account or by writing to privacy@signbona.com. We'll respond within 45 days (extendable to 90 in complex cases) under CCPA §1798.130.

If you believe we haven't properly handled your request, you can lodge a complaint with the California Privacy Protection Agency or with the California Attorney General (oag.ca.gov/privacy/ccpa), or with the Attorney General of your state of residence.

8. Information security

We apply reasonable technical and organizational measures, aligned with NIST SP 800-53, to protect your data:

  • Encryption in transit (TLS) and at rest (AES-256) on Supabase.
  • Passwords are never stored in clear: Supabase Auth stores only the output of a password hashing (key derivation) function, so no one at SignBona can recover them.
  • OTP codes are stored as a salted hash combined with a server-side secret "pepper" that is kept outside the database; codes expire quickly and the number of verification attempts is limited.
  • Per-envelope audit log chained with HMAC-SHA256 to detect tampering.
  • Per-user data isolation through Row-Level Security policies in the database.
  • Rate limiting on authentication and signing to prevent brute-force attacks.
  • Access to personal data restricted to strictly necessary personnel and under a duty of confidentiality.
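The two mechanisms above that are easiest to misunderstand are the HMAC-chained audit log and the salted, peppered OTP hash. The following is an added illustration, written for this page; it is not SignBona's code, and the key, pepper, field names and sample events are constructed for the example. It shows what "chained with HMAC-SHA256" buys you: editing a recorded field, deleting an event, or swapping two events each breaks verification at the first affected record.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed example secrets: a real deployment would load these from a KMS
# or environment secret, never from source code.
CHAIN_KEY = b"example-envelope-chain-key"
OTP_PEPPER = b"example-server-side-pepper"
GENESIS_TAG = "00" * 32  # the tag the first record links back to


def _canonical(record: dict) -> bytes:
    """Stable byte encoding so the HMAC does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, event: dict, key: bytes = CHAIN_KEY) -> dict:
    """Append one event, linking it to the previous record's tag."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    body = dict(event, seq=len(chain), prev=prev_tag)
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    record = dict(body, tag=tag)
    chain.append(record)
    return record


def verify_chain(chain: list, key: bytes = CHAIN_KEY) -> tuple:
    """Return (ok, index): on failure, index is the first bad record;
    on success, the number of records verified."""
    prev_tag = GENESIS_TAG
    for i, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k != "tag"}
        # Sequence number and back-link catch deletion and reordering.
        if body.get("seq") != i or body.get("prev") != prev_tag:
            return False, i
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison; catches edits to any field.
        if not hmac.compare_digest(expected, str(record.get("tag", ""))):
            return False, i
        prev_tag = record["tag"]
    return True, len(chain)


def hash_otp(otp: str, salt: Optional[bytes] = None) -> tuple:
    """Salted, peppered OTP hash: the salt is stored next to the record, the
    pepper lives only on the server, so a database dump alone is not enough
    to brute-force a six-digit code offline."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hmac.new(OTP_PEPPER, salt + otp.encode(), hashlib.sha256).digest()
    return salt, digest


def check_otp(candidate: str, salt: bytes, stored: bytes) -> bool:
    _, digest = hash_otp(candidate, salt)
    return hmac.compare_digest(digest, stored)


def build_demo_chain() -> list:
    """Constructed sample events for one envelope (illustrative data only)."""
    chain: list = []
    for ev in [
        {"action": "create", "actor": "sender@example.com", "ts": "2026-04-30T10:00:00Z"},
        {"action": "send", "actor": "sender@example.com", "ts": "2026-04-30T10:01:00Z"},
        {"action": "view", "actor": "signer@example.com", "ip": "203.0.113.7",
         "ua": "Mozilla/5.0", "ts": "2026-04-30T10:05:00Z"},
        {"action": "sign", "actor": "signer@example.com", "ip": "203.0.113.7",
         "ua": "Mozilla/5.0", "ts": "2026-04-30T10:06:30Z"},
    ]:
        append_event(chain, ev)
    return chain


def tamper_demo() -> dict:
    """Run the three manipulations the chain is meant to catch."""
    results = {"intact": verify_chain(build_demo_chain())}

    edited = build_demo_chain()
    edited[2]["ip"] = "198.51.100.9"   # rewrite the recorded signer IP
    results["edited"] = verify_chain(edited)

    deleted = build_demo_chain()
    del deleted[1]                     # drop the "send" event
    results["deleted"] = verify_chain(deleted)

    reordered = build_demo_chain()
    reordered[2], reordered[3] = reordered[3], reordered[2]
    results["reordered"] = verify_chain(reordered)
    return results


if __name__ == "__main__":
    print(tamper_demo())
    salt, stored = hash_otp("482913")
    print(check_otp("482913", salt, stored), check_otp("000000", salt, stored))
```

Two design points worth noting. The chain key must be held outside the database (the same reasoning as the OTP pepper): if an attacker who can edit rows can also read the key, they can simply re-sign the chain. And an HMAC chain proves integrity relative to the key holder, not to the world; that is why the page pairs it with an RFC 3161 timestamp from an external TSA, which anchors the digest to a time a third party vouches for.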

9. Cookies

SignBona only uses strictly necessary technical cookies to authenticate your session (managed by Supabase) and to remember interface preferences. We don't use advertising or third-party tracking cookies and don't integrate external analytics platforms by default. If we add analytics in the future, we'll inform you and, where applicable, obtain your prior consent.

10. Minors

SignBona is intended for professionals and companies. It's not designed for children under 13, in line with the Children's Online Privacy Protection Act (COPPA), and we don't knowingly collect data from minors. If you detect an improper signup, let us know and we'll proceed with deletion.

11. Automated decisions

We don't make decisions producing legal effects on you based solely on automated processing, nor do we profile for advertising purposes.

12. Changes to this policy

We may update this policy to reflect legal or service changes. If the changes are substantial we'll notify you by email or via a prominent notice in the application with reasonable advance notice. The last-updated date appears at the top of the document.

13. Contact

For any privacy or data protection inquiry, write to us at privacy@signbona.com. For other inquiries, visit the support center.