Privacy Policy

Last updated: April 11, 2026

1. Introduction

Papyrus Doc ("we," "our," or "us") respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, store, and share your information when you use our document signing platform and related services.

2. Information We Collect

We collect information in the following ways:

  • Account information: Name, email address, and password when you create an account.
  • Payment information: Billing details processed securely through our payment provider (Stripe). We do not store your full credit card number.
  • Documents: Files you upload for signing. These are encrypted at rest and in transit.
  • Usage data: Information about how you interact with our service, including IP addresses, browser type, and access times.
  • Audit logs: We maintain records of document-related actions (views, signatures, completions) for compliance and security purposes.
  • Signature data: When you sign a document, we collect your electronic signature (drawn or typed), including any saved signature preferences. Signature data is encrypted at rest.
  • Phone numbers: If SMS-based signer authentication is enabled for a document, we collect the recipient's phone number to deliver verification codes.
  • Team and organization data: Team names, member roles, and team-level settings when you use our collaboration features.
  • Security credentials: If you enable two-factor authentication, we store encrypted TOTP secrets and recovery codes. If you use our API, we store hashed access tokens.

3. How We Use Your Information

  • To provide, maintain, and improve our document signing services.
  • To process transactions and send related information, including confirmations and receipts.
  • To send transactional notifications (e.g., signing requests, completion alerts).
  • To respond to your support requests.
  • To detect, prevent, and address security issues and fraud.
  • To comply with legal obligations.

4. Data Storage & Security

All documents are encrypted at rest and in transit using industry-standard encryption. We maintain comprehensive audit trails for all document actions. Access to production systems is restricted and monitored. We implement two-factor authentication for all user accounts that choose to enable it.

We use managed object storage and related infrastructure providers to store document files securely. Copies of a document may be created as part of normal product operation, including finalized copies and completion distribution workflows.

5. Data Sharing

We do not sell your personal data. We share information only in these limited circumstances:

  • With signing recipients: When you send a document for signature, recipients receive relevant document information.
  • Service providers: We use trusted third-party services for payment processing (Stripe), email delivery, SMS delivery (for signer phone verification), document processing, and infrastructure hosting.
  • Your webhook endpoints: If you configure webhooks, document event data (including recipient names, email addresses, and signing status) is transmitted to the endpoint URLs you specify. You control this data flow through your webhook settings.
  • Legal requirements: We may disclose information when required by law, regulation, or legal process.

6. Data Retention

We retain account data, audit records, and active document records for as long as needed to operate the service, protect account security, and support transaction history. We may automatically remove draft documents that remain inactive for an extended period or have been deleted by the account owner.

Team administrators can configure retention periods for draft documents through their team settings. Completed and signed documents may be retained longer than drafts so we can provide access to transaction history, completed files, and related audit information. As our retention controls evolve, we may introduce additional settings for completed document retention.

You may request deletion of your data by contacting our support team. We may retain certain records when needed for fraud prevention, dispute handling, tax and billing records, or other legal obligations.

7. Your Rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data.
  • Export your data in a portable format.
  • Object to or restrict certain processing of your data.

8. Cookies

We use essential cookies to maintain your session and preferences. We do not use third-party advertising or tracking cookies.

We use Fathom Analytics for anonymous, aggregate website analytics. Fathom does not use cookies, does not track personal data, and does not collect IP addresses. Fathom is fully compliant with GDPR, CCPA, and PECR without requiring a cookie consent banner.

9. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes by email or through a notice on our platform. Continued use of our service after changes constitutes acceptance of the updated policy.

10. Contact Us

If you have questions about this privacy policy or our data practices, please contact us at privacy@papyrusdoc.com.