Privacy Policy

Last updated: May 24, 2026

This Privacy Policy describes how JustSignNow ("we", "us", or "the Service") collects, uses, and discloses your personal information when you use our electronic signature platform. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, and authentication credentials. If you sign in via Google OAuth, we receive your basic profile information from Google.

1.2 Document Data

We store documents you upload, sign, or are invited to sign. All documents are encrypted with AES-256-GCM at rest. Metadata such as file name, size, signers, and signature status is stored in our database.

1.3 Signature Audit Data

For each signature, we collect and retain the following information for legal compliance (ESIGN Act, UETA, eIDAS):

  • Signer name and email address
  • IP address and user agent at time of signing
  • Timestamp of the signature event
  • Cryptographic hashes (SHA-256) of the document and signature
  • Consent acknowledgement

1.4 Usage Data

We log document access events (view, download, edit, signature requests) with IP address and user agent for security and compliance auditing.

2. How We Use Your Information

  • To provide and maintain the Service
  • To process electronic signatures with legal validity
  • To send transactional emails (signature requests, completion notifications, deletion warnings)
  • To detect, prevent, and address fraud or security issues
  • To comply with legal obligations and respond to lawful requests
  • To improve the Service based on aggregate usage patterns

3. Data Retention

We retain different types of data for different periods:

  • Account data: retained until you delete your account
  • Documents (Free plan): automatically deleted after 7 days unless you upgrade to the Permanent Storage add-on
  • Documents (Pro + Storage add-on): retained indefinitely
  • Signature records: retained for 7 years for legal compliance, even if the underlying document is deleted
  • Audit logs: retained for 7 years for legal compliance

Audit and signature records are immutable and cannot be deleted before the retention period expires, even by you.

4. Sharing and Disclosure

We do not sell your personal data. We share data only with:

  • Service providers: Cloudflare R2 (encrypted storage), Resend (email delivery), Stripe (billing)
  • Signature recipients: When you send a document for signature, the recipient receives the document and your identity
  • Legal authorities: When required by law, court order, or to enforce our terms

4.bis Data residency

Your document files are stored in one of two regions:

  • European Union — Cloudflare R2 bucket with location hint eeur (Eastern Europe).
  • United States — Cloudflare R2 bucket with location hint enam (Eastern North America).

Your default region is auto-detected at signup based on your IP address (US, Canada, Mexico default to US; everywhere else defaults to EU). You can change it anytime from Settings → Data Residency. Pro plan users may also migrate their existing documents between regions.

Account metadata — your email, name, signature records, audit logs, subscription — is always stored in the European Union (Postgres database in Frankfurt), regardless of your document region. This is the stricter default and protects all users under the GDPR framework.

5. Security

We protect your data using industry-standard security measures:

  • AES-256-GCM encryption at rest for all documents
  • TLS encryption in transit
  • SHA-256 cryptographic hashes for signature integrity
  • Access controls and audit logging
  • Regular security reviews

6. Your Rights (GDPR / CCPA)

You have the following rights regarding your personal data:

  • Access & Portability (Articles 15 & 20): Download a complete JSON export of your data directly from Settings → Your Data → Download my data. No request needed — the export is generated on-demand and includes your profile, subscription, documents (metadata), signatures, and access logs.
  • Rectification (Article 16): Update your email or name directly from Settings → Profile.
  • Erasure / Right to be forgotten (Article 17): Delete your account from Settings → Danger Zone → Delete Account. Your account is anonymized in place: email is rewritten, name is erased, sessions are destroyed, and your uploaded documents are removed from storage. Signature records and audit logs are preserved for 7 years per legal retention requirements (ESIGN Act, UETA, eIDAS), but they are no longer linked to your identity in any searchable way.
  • Objection (Article 21): Object to certain processing activities — contact us at the email below.
  • Restriction (Article 18): Request restriction of processing — contact us at the email below.
  • Withdraw consent to electronic signing (ESIGN Act 15 USC 7001(c)(1)(B)):You may refuse to receive any new electronic signature requests at your email address at any time from Settings → Electronic Signature Consent. Once opted out, senders attempting to address a signature request to your email will be refused. This does not invalidate any signature you have already provided — past signatures and the associated audit trail are preserved for the 7-year legal retention period.
  • Lodge a complaint: with your local data protection authority (e.g. CNIL in France).

For rights that aren't self-service (objection, restriction, or any specific request), contact us at the address at the bottom of this page. We respond within 30 days as required by GDPR.

7. International Data Transfers

Your data may be processed in countries other than your country of residence. We use Standard Contractual Clauses and other safeguards to ensure your data receives an adequate level of protection.

8. Cookies and similar technologies

We use two kinds of cookies: essential cookies that the Service needs to work, and optional analytics cookies that help us understand how the Service is used. You decide whether to allow the optional ones.

8.1 Essential cookies

These are required for core functionality — there's no version of the Service that works without them, so we don't ask for consent.

  • Authentication session (authjs.session-token, HTTP-only, set by NextAuth) — keeps you signed in. Expires after 30 days of inactivity.
  • CSRF token (authjs.csrf-token) — protects sign-in forms from cross-site request forgery. Cleared on sign-out.
  • Cookie consent (cookie_consent_v1, stored in your browser's localStorage) — remembers your analytics choice so we don't ask again. Cleared when you click Cookie settings in the footer.

8.2 Optional analytics cookies

If you accept analytics in the cookie banner, we load Google Analytics 4 to measure aggregate, anonymous traffic patterns — which pages are visited, where visitors come from, how long they stay. We use this to prioritize what to build and to spot bugs that cause people to bail. We do not use it for advertising and we don't sell or share this data.

  • Provider: Google LLC (Google Analytics 4). IPs are anonymized before storage.
  • Cookies set: _ga, _ga_* — random visitor and session identifiers. Expire after 2 years (visitor) and 24 hours (session).
  • Stored: Google Analytics servers (US). We use Google's Standard Contractual Clauses to safeguard transfers.

8.3 Changing your mind

You can change your analytics choice at any time by clicking Cookie settingsin the footer. Rejecting analytics doesn't affect anything else about the Service.

9. Children

The Service is not directed to individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or notice within the Service. Continued use of the Service after changes constitutes acceptance.

11. Contact

For privacy-related questions or to exercise your rights, contact us at:
contact@justsignnow.com

Data controller:
Nexis Dev, LLC
131 Continental Dr, Suite 305
Newark, DE 19713, USA