Privacy Policy

1. Who We Are

Autograph is operated by The Autograph App. This policy explains what data we collect, how we use it, and your rights regarding that data. When we say “we” or “us” in this policy, we mean The Autograph App.

2. Data We Collect

Account Information

When you create an account, we collect your email address. You may optionally provide a display name. Authentication is handled via magic link (passwordless) — we never store passwords.

Documents

When you upload a PDF, we store the file and generate a tamper-detection fingerprint. We do not read, analyze, or share the contents of your documents. Completed documents (with embedded signatures and a legal certificate) are stored separately.

Signatures

When a signer signs a document, we collect their drawn or typed signature image, email address, IP address, browser user-agent, and the timestamp of signing. We also record whether the signer gave consent to use electronic signatures.

Audit Trail

Every action on a document is logged, including uploads, views, consent, signing, and sealing. Each log entry includes a timestamp, IP address, and browser user-agent. Audit logs are append-only and cannot be modified or deleted. This data is necessary to establish the legal validity of signed documents.

Payment Information

Payments are processed by Stripe. We never see or store your credit card number. We receive your plan type and Stripe customer ID from Stripe to manage your subscription.

3. How We Use Your Data

We use the data we collect to:

  • Provide the e-signature service (sending, signing, sealing documents)
  • Send signing invitation emails to your signers
  • Deliver completed documents to all parties
  • Maintain legally required audit trails
  • Process payments and manage subscriptions
  • Authenticate your account

We do not sell your data. We do not use your data for advertising. We do not profile you or your signers.

4. Third-Party Services

We use the following third-party services to operate Autograph:

Supabase (Database and Storage)

All data — documents, signatures, audit logs, and accounts — is stored using Supabase infrastructure located in Canada (Montreal). Supabase handles database hosting and file storage.

Stripe (Payments)

Stripe processes all payments. Your payment information is handled entirely by Stripe and is subject to their privacy policy. We only receive your plan type and a customer identifier.

Resend (Email)

Resend delivers signing invitation emails and completed document notifications. We share the recipient's email address, name, and document name with Resend for delivery purposes.

We do not use any analytics, tracking, or advertising services. No third-party scripts are loaded for the purpose of monitoring your behavior.

5. Cookies

Autograph uses only essential cookies required for authentication. These cookies maintain your login session and are set by our authentication provider (Supabase). We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.

6. Where Your Data Is Stored

All data is stored on servers located in Canada (Montreal region) for compliance with Canadian privacy law (PIPEDA). Documents, signatures, and audit logs never leave Canadian infrastructure.

Email delivery (via Resend) and payment processing (via Stripe) may involve data routing through servers outside Canada as part of their standard operations. These services have their own privacy and compliance certifications.

7. Data Retention

Documents and their associated data (signatures, audit logs) are retained for as long as your account is active or until you delete them. Audit trail records may be retained after document deletion as required for legal compliance.

If you delete your account, your documents and personal data will be removed. Signature records and audit logs from documents you sent may be retained if the recipients require them for their own legal records.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate personal data
  • Request deletion of your personal data (subject to legal retention requirements)
  • Receive a copy of your data in a portable format
  • Withdraw consent for optional data processing

To exercise any of these rights, contact us at contact@theautograph.app.

9. Signer Privacy

If you sign a document through Autograph, the document sender has requested your signature. Your email address, IP address, browser information, and timestamp are recorded as part of the legally required audit trail. This data is shared with the document sender as part of the completed document and its legal certificate.

You do not need to create an account to sign. We do not use your information for any purpose other than facilitating the signing process and maintaining the audit record.

10. Children

Autograph is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children.

11. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the service. The “Last updated” date at the top of this page reflects the most recent revision.

12. Contact

If you have questions about this privacy policy or how we handle your data, contact us at contact@theautograph.app.

Last updated: February 2026