CivicSign Limited is the controller of personal data collected through our website and services. This Privacy Policy explains how we collect, use and protect your information in line with the UK General Data Protection Regulation and the Data Protection Act 2018.
What We Collect
- Account data — name, email, country, hashed password and (optionally) company.
- Document data — files you upload and the signature events you initiate.
- Usage data — IP address, browser type, pages visited and timestamps.
- Billing data — processed by our payment provider; we do not store full card numbers.
Lawful Bases
We process personal data under the following lawful bases set out in Article 6 of the UK GDPR:
- Contract — to deliver the service you have asked for.
- Legitimate interests — to keep our platform secure and to improve it.
- Consent — for non-essential cookies and marketing communications.
- Legal obligation — to comply with tax, accounting and law-enforcement requests.
How We Use Your Data
- Provide, maintain and improve the service.
- Authenticate you and protect against fraud.
- Send transactional emails such as verification and signature notifications.
- Send marketing emails where you have opted in — you may opt out at any time.
Sharing
We share personal data with carefully selected sub-processors (such as cloud hosting and email delivery providers) who act only on our instructions and under appropriate data protection terms. We do not sell your personal data.
International Transfers
Where data is transferred outside the United Kingdom, we rely on the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, together with supplementary safeguards as required by the Information Commissioner’s Office.
Retention
We retain account data for as long as your account is active. Completed signed documents are retained for up to seven years after account closure to satisfy evidential requirements, unless you ask us to delete them sooner and we are not legally required to keep them.
Your Rights
Under the UK GDPR you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Request erasure (the “right to be forgotten”).
- Restrict or object to processing.
- Request data portability.
- Withdraw consent at any time.
Security
We use industry-standard administrative, technical and physical safeguards including encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls and regular security testing. See our Security & Trust page for more detail.
Children
CivicSign is not intended for children under sixteen. We do not knowingly process personal data of children.
Contact & Data Protection Officer
Our Data Protection Officer can be reached at dpo@civicsign.com or by post at CivicSign Limited, 1 Civic Way, London, United Kingdom.