Last Updated: January 9, 2025
Article 1 (Purpose)
SignPik (hereinafter "Company") values your privacy and complies with applicable data protection laws including the Personal Information Protection Act (Korea), GDPR (EU), and CCPA (California). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our electronic signature services. This Privacy Policy may be updated to reflect changes in law, policy, or our practices. Any changes will be posted on our website.
Article 2 (Purpose of Collection and Use)
We collect and use personal information for the following purposes. Information collected will not be used for purposes other than those stated below. If the purpose of use changes, we will obtain separate consent.
- Account Management: Identity verification, user identification, prevention of fraudulent use, confirmation of subscription intent, age verification, complaint handling, delivery of notices
- Service Provision: Electronic signature services, document upload and management, signature request and notification, delivery of completed documents, personalized service provision
- Payment and Billing: Payment processing for paid services, invoice delivery, subscription management, refund processing
- Marketing (with consent): Development of new services, delivery of promotional information, demographic analysis, service usage statistics
- Legal Compliance: Record keeping as required by applicable laws, tax reporting, dispute resolution
- Service Improvement: Usage pattern analysis, service enhancement, bug fixes, security strengthening
Article 3 (Types of Personal Information Collected)
We collect the following personal information for registration, service use, and customer support.
1. Required Information
- Email Address: Account identification, login, service notifications
- Name: User identification, signer information display
- Profile Photo (when using Google login): User interface display
- Google Account ID: OAuth authentication and login
2. Automatically Collected Information
- IP Address: Fraud prevention, security enhancement, audit logging
- Device Information (browser type, OS, device type): Service optimization
- Service Usage Records (access time, features used, document activity): Service improvement, statistical analysis
- Cookies and Similar Technologies: Login maintenance, user preference storage, service convenience
- Location Information (approximate, IP-based): Service localization, security purposes
3. Information Collected for Paid Services
- Payment Information: Processed through Stripe; we do not directly store sensitive payment data such as card numbers
- Billing Address (optional): When requesting invoices
- Business Registration Number (optional): When requesting tax invoices
4. Information Collected for Electronic Signature Services
- Signature Image: Electronic signature image to be inserted into documents
- Signature Timestamp and IP Address: Audit log for proving signature authenticity
- Recipient Information (name, email): For sending signature requests
Article 4 (Retention and Use Period)
We delete personal information without delay once the purpose of collection and use has been achieved. However, the following information is retained for the specified periods for the reasons stated.
1. Retention Under Company Policy
- Records to prevent fraudulent re-registration after withdrawal: 30 days after withdrawal
- Records of service use restrictions for abusive users: Permanent (to prevent re-registration)
2. Retention Under Applicable Laws
- Records of contracts or subscription withdrawal (Consumer Protection Act): 5 years
- Records of payment and supply of goods (Consumer Protection Act): 5 years
- Records of consumer complaints or dispute resolution (Consumer Protection Act): 3 years
- Records of advertising (Consumer Protection Act): 6 months
- Service access records (Telecommunications Protection Act): 3 months
- Electronic signature records (Electronic Signature Act): 10 years
- Tax-related transaction records (Tax Law): 5 years
Article 5 (Destruction of Personal Information)
In principle, we destroy personal information without delay once the purpose of collection and use has been achieved.
1. Destruction Procedure
- Information entered by users is transferred to a separate database after the purpose is achieved and destroyed after a certain period according to internal policies and applicable laws.
- Personal information transferred to a separate database is not used for any purpose other than retention unless required by law.
2. Destruction Methods
- Electronic files: Deleted using technical methods that make records unrecoverable
- Paper records: Shredded or incinerated
Article 6 (Provision to Third Parties)
In principle, we do not provide your personal information to third parties. However, exceptions are made in the following cases:
- When you have given prior consent
- When required by law or requested by investigative agencies according to legal procedures
- When sending signature requests: Sender information (name, email) is shared with recipients. This is necessary for the essential function of the service.
Article 7 (Outsourcing of Processing)
We outsource personal information processing to external service providers as follows. When entering into outsourcing contracts, we specify provisions regarding prohibition of processing beyond the outsourced purpose, technical and administrative protection measures, restrictions on re-outsourcing, management and supervision of contractors, and liability for damages in accordance with applicable laws.
| Service Provider | Outsourced Tasks | Retention Period |
|---|---|---|
| Amazon Web Services (AWS) | Cloud server operation and data storage | Until contract termination |
| Vercel Inc. | Web application hosting and deployment | Until contract termination |
| Neon Tech Inc. | Database hosting | Until contract termination |
| Stripe, Inc. | Payment processing and settlement | As required by applicable laws |
| Amazon Simple Email Service (SES) | Email delivery | Deleted immediately after sending |
| Google LLC | OAuth authentication, Google Drive integration | Until service disconnection |
Article 8 (International Transfer of Personal Information)
We transfer personal information internationally as follows to provide our services.
| Recipient | Country | Transfer Method | Information Transferred | Purpose | Retention Period |
|---|---|---|---|---|---|
| Amazon Web Services | USA | Network transmission during service use | All service usage data | Cloud server operation | Until contract termination |
| Vercel Inc. | USA | Network transmission during service use | IP address, access records | Web hosting | Until contract termination |
| Stripe, Inc. | USA | Network transmission during payment | Payment info, email | Payment processing | As required by law |
※ We strive to comply with GDPR and international data protection regulations by implementing appropriate safeguards such as Standard Contractual Clauses (SCCs).
Article 9 (Rights of Data Subjects)
As a data subject, you may exercise the following rights:
- Right to Access: View your personal information processing status
- Right to Rectification/Deletion: Request correction or deletion of inaccurate information
- Right to Restrict Processing: Request suspension of personal information processing
- Right to Withdraw Consent: Withdraw consent for collection and use of personal information
- Right to Object to Automated Decision-Making: Refuse decisions based solely on automated processing
How to Exercise Your Rights
- Online: Directly view, modify, or delete via Settings > Privacy Management
- Email: Send request to privacy@signpik.com
- Rights may be exercised through a legal representative or authorized agent.
- We will notify you of action results within 10 days of receiving your request.
Article 10 (Cookies and Tracking Technologies)
We use cookies to provide personalized services by storing and retrieving usage information.
1. Purpose of Cookie Use
- Maintaining user login status
- Storing user service and environment settings
- Collecting and analyzing service usage statistics
- Security and fraud prevention
2. Types of Cookies Used
- Essential Cookies: Required for service use (login session, CSRF tokens, etc.)
- Functional Cookies: Store user settings (language, theme, etc.)
- Analytics Cookies: Collect service usage statistics
3. How to Refuse Cookies
- You can allow all cookies, require confirmation before cookies are saved, or refuse all cookies through your browser settings.
- However, refusing cookies may cause difficulties in using services that require login.
- Settings path (Chrome): Settings > Privacy and Security > Cookies and other site data
Article 11 (Security Measures)
We take the following measures to ensure the security of personal information.
1. Administrative Measures
- Establishment and implementation of internal management plans for personal information protection
- Minimizing the number of employees who handle personal information and training those employees
- Regular internal audits
2. Technical Measures
- Encryption: Important personal information such as passwords and signature data is encrypted for storage and management
- SSL/TLS Encryption: 256-bit SSL/TLS encrypted communication applied to all data transmission
- Technical measures against hacking: Operation of intrusion prevention and detection systems
- Access Control: Permission management and access control system operation for personal information
- Access Log Retention: Retention of access logs for at least 1 year
3. Physical Measures
- Access control to server rooms and data storage areas
- Verification of cloud service provider physical security certifications (AWS SOC 2, ISO 27001, etc.)
Article 12 (Privacy Officer)
We have designated a Privacy Officer to oversee personal information processing and handle user complaints and damage relief.
Privacy Officer
Contact: SignPik Privacy Team
Email: privacy@signpik.com
Phone: Contact through Customer Center
※ Please contact us using the details above for privacy-related inquiries. We will respond promptly and sincerely to your inquiries.
Article 13 (Remedies for Privacy Violations)
You may file complaints or seek consultations with the following organizations for relief from privacy violations:
- Privacy Infringement Report Center (Korea Internet & Security Agency): privacy.kisa.or.kr / 118
- Personal Information Dispute Mediation Committee: kopico.go.kr / 1833-6972
- Supreme Prosecutors' Office Cyber Investigation Division: spo.go.kr / 1301
- National Police Agency Cyber Bureau: ecrm.police.go.kr / 182
Article 14 (Children's Privacy)
We do not knowingly collect personal information from children under 14 years of age (or 16 in the EU). If a child under this age wishes to register for our service, consent from a legal guardian is required, and we may collect minimal additional information such as the guardian's contact information. If we discover that personal information of a child has been collected without proper guardian consent, we will delete that information immediately.
Article 15 (Changes to Privacy Policy)
This Privacy Policy may be updated due to changes in law, policy, or security technology. Any additions, deletions, or modifications will be announced through service notices at least 7 days before implementation. For significant changes (changes to collection items, purposes of use, third-party provision, etc.), we will provide 30 days' advance notice and, if necessary, individual notification to users (via email).
Article 16 (GDPR Compliance)
We comply with the GDPR when processing personal information of EU residents.
Additional Rights for EU Residents
- Right to Data Portability: Receive your personal information in a structured, machine-readable format or request transfer to another service
- Right to Restrict Processing: Request restriction of processing in certain circumstances
- Right to Lodge Complaint: File a complaint with the data protection supervisory authority in your country
Legal Basis for Processing
- Contract Performance: Processing necessary for service provision
- Consent: Processing based on explicit user consent for marketing purposes, etc.
- Legal Obligation: Processing necessary for legal compliance
- Legitimate Interest: Processing necessary for our legitimate interests (unless overridden by user rights)
Article 17 (CCPA Compliance)
We comply with the CCPA when processing personal information of California residents.
Rights of California Residents
- Right to Know: Know the categories of personal information collected, sources, purposes, and disclosures to third parties
- Right to Delete: Request deletion of personal information
- Right to Non-Discrimination: Not be discriminated against for exercising your rights
- Right to Opt-Out of Sale: We do not sell personal information
California residents may exercise these rights by contacting privacy@signpik.com.
Article 18 (Data Breach Response)
In the event of a personal information breach, we will take the following actions:
- Notify affected users within 72 hours of becoming aware of the breach
- Provide information about the breached data, timing, circumstances, response measures, and damage minimization plans
- Report to data protection authorities if required by law
- Implement immediate technical measures to prevent further damage
- Develop and implement measures to prevent recurrence
This Privacy Policy is effective as of January 9, 2025.