Privacy Policy
Last updated: 2026-04-22
Version: privacy-2026-04-22-v3
This Privacy Policy explains how SekyuSeal collects, uses, stores, and discloses personal data when you use our Services.
1. Roles and Scope
For many signing workflows, your organization acts as the controller and SekyuSeal acts as a processor. For account administration, billing, platform security, and service operations, SekyuSeal may act as an independent controller.
2. Data We Collect
- Account data: name, email, login identifiers, workspace membership.
- Document workflow data: document metadata, recipient details, field assignments, status events.
- Signature evidence: timestamps, IP address, user agent, consent events, signed field payload references, and audit events.
- Integrity evidence: SHA-256 document digests, hash-chain references for audit events, and certificate or attestation signature metadata.
- Security and anti-abuse data: rate-limit events, token/nonce traces, verification outcomes.
- Billing and subscription data: plan, cycle, seat, and transaction metadata.
We do not request browser geolocation in the signing flow.
3. Purposes and Legal Bases
- Provide and operate signing workflows and account services (contract).
- Secure the Services, detect abuse, and prevent fraud (legitimate interests and legal obligations).
- Maintain evidentiary records and compliance controls (legal obligations and legitimate interests).
- Manage subscriptions, support, and communications (contract and legitimate interests).
- Use consent where required by law (for example, optional cookies or specific communications).
4. Cookies and Similar Technologies
We use necessary cookies for login and session integrity. Optional analytics or marketing technologies are enabled only where valid consent is collected, when applicable.
5. Sharing and Subprocessors
We share data with service providers that help deliver the Services, including hosting, database/storage, email delivery, and operations tooling. Current providers include Supabase (database/storage), Vercel (hosting/runtime), and Resend (transactional email), plus other vendors needed for secure operations.
6. Signature Evidence and Certificates
For legal evidentiary purposes, audit trails and certificates can include signing timestamps, signer IP address, user agent, consent version markers, signed field references, and integrity metadata such as hash-chain links and SHA-256 document digests.
Where configured, the system may produce cryptographic signatures over completion certificate payloads and verification attestations.
7. International Data Transfers
Where personal data is transferred across borders, we use appropriate transfer safeguards required by applicable law, such as contractual clauses or equivalent mechanisms.
8. Retention
We retain data for as long as needed for service delivery, contractual duties, security, and legal compliance. Certain document and audit records may be retained beyond account closure where required for legal evidence, fraud prevention, tax, regulatory obligations, or legal hold.
9. Security
We use administrative, technical, and organizational safeguards, including encryption in transit, access controls, append-only audit controls, abuse protections, and database-level tenant isolation controls. No system is perfectly secure.
10. Your Rights
- Access and export your account and related signing data.
- Correct inaccurate profile information.
- Request deletion or anonymization, subject to legal, security, fraud-prevention, and signature-evidence retention exceptions.
- Object to or restrict certain processing where applicable law grants that right.
11. Children
The Services are not directed to children and are not intended for users under the age of digital consent in their jurisdiction.
12. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes become effective on posting unless otherwise noted.
13. Contact
For privacy requests, use your authenticated account support channel or the designated privacy contact in your service agreement.