Privacy Policy
Effective Date: November 28, 2024
Last Updated: November 30, 2024
1. Introduction
This Privacy Policy explains how Signkit OU ("we," "us," or "Signkit") collects, uses, discloses, and protects your personal data when you use our email signature management platform at signkit.io (the "Service").
Signkit is committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
Data Controller:
Signkit OU
Lasnamae linnaosa, Sepapaja tn 6
15551 Harju Maakond, Tallinn
Estonia
VAT: EE102686568
Email: [email protected]
2. Data We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Full name
- Profile photo (if provided via authentication provider)
2.2 Organization Information
When you create or join an organization, we collect:
- Organization name
- Organization logo
- Organization slug (URL identifier)
- Team member information (names, email addresses)
2.3 Signature Data
When you create email signatures, we collect:
- Employee names
- Job titles
- Email addresses
- Phone numbers
- Physical addresses
- Social media links
- Custom fields you choose to include
2.4 Brand Data
When you use our brand extraction feature, we collect:
- Website URLs you provide
- Extracted brand colors
- Extracted taglines and messaging
- Logo URLs
2.5 Uploaded Assets
When you upload files to the Service, we collect:
- Images (logos, photos, banners)
- File metadata (name, size, type)
2.6 Email Tracking Data
When email tracking is enabled for your organization, we collect:
- IP addresses of email recipients
- User-Agent (device and browser information)
- Referer headers
- Timestamps of email opens and link clicks
- Geographic location (derived from IP address)
2.7 Usage Data
We automatically collect:
- Pages visited within the Service
- Features used
- Error logs
- Performance metrics
2.8 Analytics Data
We use PostHog for product analytics. When you use the Service, we collect:
- Pages visited and features used
- Click events and user interactions
- Session duration and engagement metrics
- Device type, browser, and operating system
- Approximate location (country/region derived from IP address)
This data is processed in the European Union (eu.i.posthog.com).
2.9 Support Chat Data
When you use our live chat support (powered by Chatwoot), we collect:
- Your name and email address (from your account)
- Chat conversation history
- Current page when initiating chat
- Timestamp of conversations
2.10 Billing Data
When you subscribe to a paid plan, our payment processor (Polar) collects:
- Organization identifier
- Subscription plan and billing cycle
- Payment method information
- Transaction history
We do not store complete credit card numbers or sensitive payment data directly.
2.11 Marketing Automation Data
With your consent, we may sync certain data to our marketing platform (Mautic) for email communications:
- Email address and name
- Signup date and activity history
- Subscription plan (if applicable)
- Key product events (signature created, campaign launched)
3. How We Use Your Data
We process your personal data for the following purposes:
| Purpose | Legal Basis (GDPR Article 6) |
|---|---|
| Providing the Service (account management, signature generation) | Performance of contract |
| Authentication and security | Performance of contract |
| Email tracking and analytics | Legitimate interest |
| Product analytics (PostHog) | Legitimate interest |
| Billing and subscriptions (Polar) | Performance of contract |
| Customer support (Chatwoot) | Performance of contract |
| Service improvement and debugging | Legitimate interest |
| Legal compliance | Legal obligation |
| Marketing communications (Mautic) | Consent |
3.1 Email Tracking Disclosure
Our Service includes optional email tracking features that allow organizations to measure signature engagement:
Impression Tracking: When enabled, a small transparent image (1x1 pixel) is embedded in email signatures. When an email is opened and images are loaded, this records an "open" event.
Click Tracking: When enabled, links in signatures are routed through our tracking service to record clicks before redirecting to the destination URL.
Data Collected: IP address, device type, browser, approximate location, and timestamp.
Control: Organization administrators can enable or disable tracking features. Individual signature recipients cannot opt out directly, as tracking is controlled at the organizational level.
4. Data Sharing and Third Parties
We share your data with the following categories of third parties:
4.1 Service Providers (Sub-processors)
| Provider | Purpose | Location | Data Processed |
|---|---|---|---|
| Clerk | Authentication | United States | Email, name, profile photo |
| DigitalOcean | Cloud hosting, file storage | EU (Amsterdam) / US | All Service data |
| Neon | Database hosting | EU (Frankfurt) | All Service data |
| PostHog | Product analytics | EU (Frankfurt) | User ID, events, pageviews, IP address |
| Polar | Billing and subscriptions | EU | Organization ID, subscription data |
| Chatwoot | Live chat support | Self-hosted (EU) | User ID, name, email, chat history |
| Mautic | Marketing automation | Self-hosted (EU) | Email, name, activity data |
| Resend | Transactional email | United States | Email addresses, email content |
| Firecrawl | Website scraping for brand data | United States | Website URLs |
| OpenAI | AI-generated campaign copy | United States | Company name, industry |
| Logo.dev, Clearbit | Logo resolution | United States | Domain names |
4.2 Legal Requirements
We may disclose your data when required by law, legal process, or government request.
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity.
5. International Data Transfers
Your data may be transferred to and processed in the United States and other countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs with our US-based sub-processors.
- Adequacy Decisions: Where applicable, we rely on EU adequacy decisions.
6. Data Retention
We retain your data for the following periods:
| Data Type | Retention Period | Justification |
|---|---|---|
| Account data | Until account deletion + 30 days | Account recovery |
| Organization data | Until organization deletion + 30 days | Backup recovery |
| Signature data | Until signature deletion | Active use |
| Tracking data (impressions/clicks) | 24 months | Analytics reporting |
| Analytics data (PostHog) | 13 months | Product improvement |
| Chat transcripts (Chatwoot) | 24 months | Support continuity |
| Marketing data (Mautic) | Until unsubscribe + 30 days | Email compliance |
| Uploaded assets | Until deletion by user | Active use |
| Support communications | 36 months | Support history |
| localStorage (landing page) | 7 days | Signup flow |
| Billing records | 7 years | Estonian tax law |
After the retention period, data is permanently deleted or anonymized.
7. Your Rights (GDPR Articles 15-22)
As a data subject in the EU/EEA, you have the following rights:
7.1 Right to Access (Article 15)
You can request a copy of all personal data we hold about you.
7.2 Right to Rectification (Article 16)
You can request correction of inaccurate or incomplete data.
7.3 Right to Erasure (Article 17)
You can request deletion of your personal data ("right to be forgotten").
7.4 Right to Restrict Processing (Article 18)
You can request that we limit how we use your data.
7.5 Right to Data Portability (Article 20)
You can request your data in a structured, machine-readable format.
7.6 Right to Object (Article 21)
You can object to processing based on legitimate interests, including email tracking.
7.7 Right to Withdraw Consent (Article 7)
Where processing is based on consent, you can withdraw it at any time.
To exercise your rights: Email us at [email protected] with your request. We will respond within 30 days.
8. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit (TLS 1.2+)
- Encryption at rest
- Access controls and authentication
- Regular security assessments
- Secure development practices
- Employee training
9. Cookies and Local Storage
9.1 Essential Cookies
We use essential cookies for authentication and session management:
- Clerk authentication cookies (session persistence)
- CSRF protection tokens
9.2 Analytics Cookies
We use PostHog for product analytics (based on legitimate interest for B2B services):
- PostHog session and user identification cookies
- These help us understand how you use the Service
- You can opt out via the Cookie Settings link in our footer
9.3 Local Storage
We use browser localStorage to:
- Save your signature builder progress on the landing page (7-day retention)
- Store recent search history within the app
- Maintain user interface preferences
For full details, see our Cookie Policy.
10. Children's Privacy
The Service is not intended for children under 16. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on our website
- Sending an email notification to account holders
12. Contact Us
For privacy-related inquiries or to exercise your rights:
Signkit OU
Lasnamae linnaosa, Sepapaja tn 6
15551 Harju Maakond, Tallinn
Estonia
Email: [email protected]
13. Supervisory Authority
If you are in the EU/EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.
For Estonia:
Andmekaitse Inspektsioon (Data Protection Inspectorate)
Tatari 39, 10134 Tallinn
Website: www.aki.ee