1. Introduction
SignLab ("SignLab," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the SignLab electronic signature platform at signlab.app (the "Service").
This policy applies to all users of the Service, including account holders, document senders, and document signers (even those without a SignLab account). It complies with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL"), the EU General Data Protection Regulation ("GDPR") where applicable, and the UK GDPR.
Data Controller
SignLab
Dubai, United Arab Emirates
Email: privacy@signlab.app
2. Data We Collect
2.1 Account Holders (Senders)
When you create an account, we collect:
- Full name and email address
- Password (stored as a cryptographic hash — never in plain text)
- Company name and billing address (for paid plans)
- Payment information (processed and stored by Stripe; SignLab does not store card details)
- IP address and device information at account creation and login
2.2 Document Signers
When someone signs a document through SignLab (even without an account), we collect:
- Full name (as entered at signing)
- Email address (used to send the signing link)
- Signature image (drawn)
- IP address at each signing event
- Browser user agent
- Timestamp of each action (document viewed, signed, declined)
- Device type and operating system
2.3 Documents and Content
- Documents uploaded by account holders for signing
- Completed signed PDF documents including embedded audit trails
- Template content created by account holders
- Custom field data entered at signing
2.4 Usage and Technical Data
- Log data including pages visited, features used, and errors encountered
- Session data and cookies (see Section 9)
- Customer support communications
3. How We Use Your Data
We process personal data under the following legal bases:
3.1 Contract Performance (Art. 6(1)(b) GDPR / UAE PDPL)
- To provide the Service, process documents, and deliver signed PDFs
- To manage your account and process payments
- To send transactional emails (signing invitations, completion notifications, receipts)
3.2 Legitimate Interests (Art. 6(1)(f) GDPR / UAE PDPL)
- To maintain the security and integrity of the Service
- To detect and prevent fraud, abuse, and unauthorised access
- To improve and develop the Service based on aggregated usage patterns
- To send service-related communications to existing customers
3.3 Legal Obligation (Art. 6(1)(c) GDPR / UAE PDPL)
- To comply with applicable law, court orders, or regulatory requirements
- To maintain audit records as required by applicable legislation
3.4 Consent (Art. 6(1)(a) GDPR / UAE PDPL)
- For marketing communications to non-customers (you may withdraw consent at any time)
- For non-essential cookies and analytics (where applicable)
4. Data Sharing and Third Parties
We do not sell your personal data. We share data only as follows:
4.1 Service Providers (Data Processors)
We engage the following categories of processors who access data only on our instructions:
- Payment processing: Stripe, Inc. (United States) — processes payment card data under PCI-DSS compliance
- Document and file storage: cloud object-storage provider (EU/EEA by default; US storage available on request) — stores encrypted documents
- Hosting infrastructure: EEA-based cloud hosting provider (Finland) — provides server infrastructure
A full list of sub-processors is available upon request at privacy@signlab.app.
4.2 Legal Disclosure
We may disclose personal data to law enforcement, courts, or regulatory authorities if required by applicable law or a valid legal order. Where permitted, we will notify affected users before disclosing their data.
4.3 Business Transfers
If SignLab is acquired, merged, or undergoes a change of control, personal data may be transferred to the successor entity subject to the same or equivalent privacy protections.
5. International Data Transfers
SignLab is based in the UAE. If you are located in the EU, EEA, or UK, your personal data may be transferred to and processed in countries that do not have an equivalent level of data protection. We ensure appropriate safeguards are in place including:
- Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to US-incorporated processors such as Stripe
- Binding data processing agreements with all third-party processors
By default, SignLab stores documents and uploaded files in the European Economic Area (EEA), so documents belonging to EU/EEA customers remain within the EEA. US-based storage is available on request for customers who prefer it. Our storage provider is US-incorporated, so SCCs remain in place with it as a safeguard. If data residency in a specific region is a requirement for your use case, please contact us before using the Service.
6. Data Retention
We retain personal data only for as long as necessary for the purposes set out in this policy:
- Account data: Retained for the life of your account plus 90 days following account closure
- Signed documents and audit trails: Retained for the duration of your subscription plus 30 days after cancellation
- Signer data (non-account holders): Retained as part of the signed document and audit trail for the document's full retention period
- Payment records: Retained for 7 years as required by UAE financial regulations
- Support communications: Retained for 3 years
Important Note on Deletion Requests
Signed documents form part of a legal record. A request from one party to delete a signed document may affect the rights of other parties to that document. In such cases, we may not be able to fully comply with a deletion request. We will explain our position in writing if this applies to your request.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
7.1 Right of Access
You may request a copy of the personal data we hold about you.
7.2 Right to Rectification
You may request correction of inaccurate or incomplete personal data.
7.3 Right to Erasure
You may request deletion of your personal data subject to our legal obligations and the note above regarding signed documents.
7.4 Right to Restriction
You may request that we restrict processing of your personal data in certain circumstances.
7.5 Right to Data Portability
You may request a machine-readable export of personal data you have provided to us.
7.6 Right to Object
You may object to processing of your personal data based on legitimate interests or for direct marketing purposes.
7.7 Right to Withdraw Consent
Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
7.8 Exercising Your Rights
Submit requests to privacy@signlab.app. We will respond within 30 days. We may require identity verification before processing requests.
8. Security
SignLab implements appropriate technical and organisational measures to protect personal data including:
- AES-256 encryption for data at rest
- TLS 1.3 encryption for data in transit
- Access controls limiting staff access to personal data
- Regular security assessments and monitoring
- Incident response procedures with GDPR-compliant breach notification (72-hour notification to supervisory authorities where required)
In the event of a personal data breach, we will notify affected users and relevant authorities as required by applicable law.
9. Cookies
SignLab uses strictly necessary cookies required for the operation of the Service (session management, security tokens). We do not use third-party advertising or tracking cookies without your explicit consent. A full cookie notice is available at signlab.app/cookies.
10. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a minor has provided personal data, we will delete it promptly. If you believe a minor has used our Service, contact privacy@signlab.app.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email or in-app notification no less than 30 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
12. Contact and Complaints
For privacy-related queries, requests, or complaints:
Privacy Contact
Email: privacy@signlab.app
SignLab, Dubai, United Arab Emirates
If you are in the EU/EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.