The short version
- We collect what we need to run the Services for you: your account info, your business data, and basic usage telemetry.
- Your data is stored in US East, N. Virginia (AWS us-east-1).
- We don't sell your data. We don't use it to train AI models. We don't share it with marketers.
- You can export, modify, or delete your data at any time.
- If we ever experience a breach, we will notify you promptly.
1. What we collect
Account data: name, email, organization name, role, and authentication credentials (passwords are hashed; we never store them in plain text).
Business data: jobs, contacts, estimates, invoices, photos, custom fields, and whatever you upload or create in the Services.
Customer data (yours): information about your customers (sign-shop end clients) that you enter, including their names, addresses, phone numbers, and emails. We process this on your behalf as a service provider; you remain its controller.
Usage telemetry: log entries describing which features you use, when, and from what IP. Used for debugging, security, and capacity planning. Not sold.
Payment data: handled entirely by our payment processor (Stripe). We never see your card number; we only receive a tokenized reference.
2. How we use it
- To provide the Services to you and your team.
- To send transactional notifications you've opted into (proof approval emails, daily briefings, payment receipts).
- To respond to your support requests.
- To monitor system health, detect abuse, and improve performance.
- To meet legal obligations (tax, accounting, lawful requests).
We do not use your business data or customer data for advertising, marketing to third parties, or AI model training.
3. Where it lives
All structured data and uploaded files are stored with a third-party cloud infrastructure provider (database, file storage, authentication), hosted in US East, N. Virginia (AWS us-east-1). Web traffic and edge caching are served via Vercel (web app + edge cache). Email is delivered through Resend (USA-based).
Row-level security policies in our database ensure each organization sees only its own data. We use the same security model that powers the application; no separate "internal admin" bypass for everyday work.
4. AI features and your data
With the AI Intelligence add-on, the Services use third-party language models (currently OpenAI) to process your inputs and generate suggestions.
- Your inputs (prompts and the data they reference) are sent to the AI provider for processing.
- OpenAI's API does not retain or use API inputs to train its models per their published policy.
- AI outputs are stored in your account's
ai_suggestionstable for audit and analytics; you can delete these at any time. - You can disable the AI add-on at any time from your account settings; once disabled, no further AI calls are made.
5. How long we keep it
Active accounts retain data indefinitely while the subscription is active.
Soft-deleted records (entities you delete from the Services UI) are retained for thirty (30) days, during which you can restore them from the /trash page. After thirty days, they are permanently and automatically purged via a daily cron.
Cancelled accounts retain data for thirty (30) days after cancellation, then are permanently deleted unless you request earlier deletion via privacy@signcore.io(live when domain finalizes).
Audit logs and security telemetry are retained for one (1) year for security investigation purposes, then aggregated or deleted.
6. Sharing
We share your data only:
- With service providers who help us operate the Services (a third-party cloud infrastructure provider (database, file storage, authentication), Vercel (web app + edge cache), OpenAI, Stripe, Resend), each bound by data-protection terms.
- When you explicitly authorize a share, for example, generating a public proof link to send to one of your customers.
- If required by law, in response to a valid subpoena or court order. We will notify you unless legally prohibited.
- In a business transfer (acquisition, merger). The acquirer would be bound by this Privacy Policy or a successor with comparable terms.
We do not sell your data. We do not rent your contact lists. We do not share for cross-context behavioral advertising.
7. Your rights
You can:
- Access: view all your data via the dashboard or public REST API.
- Export: download your data as CSV or via the API at any time.
- Correct: update inaccurate data directly in the application.
- Delete: remove data via the application's soft-delete UI; full account deletion via privacy@signcore.io(live when domain finalizes).
- Opt out: disable optional features (AI add-on, daily briefings) from settings.
If you are in California, the EEA, the UK, or another jurisdiction with applicable privacy laws, you have additional rights described under those laws. Email privacy@signcore.io(live when domain finalizes) with questions.
8. Cookies and tracking
We use cookies for authentication and session management. We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking.
For product analytics we use first-party telemetry (the same activity_log + events tables that power your dashboard). This data does not leave our infrastructure.
9. Security
For our security practices (encryption, access controls, vulnerability disclosure), see our Security page.
If you believe you have found a security issue, contact security@signcore.io(live when domain finalizes) directly.
10. Children's privacy
The Services are not directed at children under 13, and we do not knowingly collect data from them.
11. California privacy rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), gives you specific rights regarding your personal information.
Categories of personal information we collect: identifiers (name, email, IP address), commercial information (subscription history, transaction data via Stripe), internet activity (usage telemetry within the Services), and inferences drawn from the foregoing for operational analytics. We do not collect biometric information, geolocation precise enough to identify a household, or sensitive personal information (as defined by the CCPA) beyond what you voluntarily upload as part of your business records.
Sources: directly from you and your team members; automatically through your use of the Services; and from our service providers (e.g., Stripe for payment confirmations).
Business purposes: providing the Services, security and fraud prevention, debugging, internal research and analytics for service improvement, and compliance with legal obligations. See Section 2.
Your rights as a California resident:
- Right to know: request the categories and specific pieces of personal information we have collected about you in the past twelve (12) months.
- Right to delete: request deletion of personal information we collected from you, subject to legal exceptions (e.g., we must retain billing records for tax purposes).
- Right to correct: request correction of inaccurate personal information.
- Right to opt out of sale or sharing: see "Do Not Sell or Share My Personal Information" below.
- Right to limit use of sensitive personal information: we do not use sensitive personal information for purposes that trigger this right.
- Right to non-discrimination: we will not deny Services, charge different prices, or provide a different level of quality because you exercised any of these rights.
To exercise any California right, email privacy@signcore.io(live when domain finalizes) from the email address associated with your account, or have an authorized agent contact us with written authorization. We will verify your identity using the account credentials on file and respond within forty-five (45) days (extendable once for an additional forty-five (45) days where allowed by law).
12. "Do Not Sell or Share My Personal Information"
We do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under the CCPA. We have not sold or shared personal information in the preceding twelve (12) months and have no plans to do so.
Because we do not engage in "sales" or "sharing" as defined by the CCPA, you do not need to take any action to opt out. If you have questions or wish to confirm this status in writing for vendor-review purposes, email privacy@signcore.io(live when domain finalizes).
13. Data Processing Addendum (DPA)
For customers acting as data controllers under the GDPR, UK GDPR, or analogous laws, we are happy to enter into a Data Processing Addendum (DPA) reflecting standard contractual processor obligations, sub-processor disclosures, and (where applicable) Standard Contractual Clauses for international transfers. To request our DPA, email privacy@signcore.io(live when domain finalizes) with your company name and the data-protection contact who will sign on your behalf.
14. DMCA notice and takedown
We respect intellectual property rights and respond to clear notices of alleged copyright infringement under the Digital Millennium Copyright Act (17 U.S.C. § 512). If you believe content hosted on the Services infringes your copyright, send a written notice to our designated DMCA agent at legal@signcore.io(live when domain finalizes) with the following:
- An electronic or physical signature of the copyright owner or authorized agent.
- Identification of the copyrighted work claimed to be infringed.
- Identification of the material claimed to be infringing, with enough detail (URL, account, file path) for us to locate it.
- Your contact information (address, phone, email).
- A statement, under penalty of perjury, that you have a good-faith belief that the use is not authorized by the copyright owner, its agent, or the law.
- A statement that the information in the notice is accurate and that you are authorized to act on behalf of the owner of the right allegedly infringed.
We will investigate valid notices and remove or disable access to material as appropriate. We may terminate accounts of users who are repeat infringers. Counter-notifications may be sent to the same address and will be handled in accordance with 17 U.S.C. § 512(g).
15. Changes to this policy
We will notify the account owner via email at least thirty (30) days before any material change to this policy. Non-material clarifications take effect on posting.
16. Contact us
Privacy questions or data requests: privacy@signcore.io(live when domain finalizes)
SignCore Inc. · operating SignCore