Privacy Policy

Introduction

HelloWeSign, as the data controller, places great importance on the protection of your personal data. This privacy policy informs you about how we collect, use and protect your data in accordance with the General Data Protection Regulation (GDPR) and applicable data protection laws.

1. Data controller

Company name: [TO BE COMPLETED]

Address: [TO BE COMPLETED]

Email: contact@hellowesign.com

Data Protection Officer (DPO): [TO BE COMPLETED]

2. Data collected

When using the HelloWeSign platform, we collect the following categories of data:

2.1 Identification data

  • First and last name
  • Email address
  • Phone number (for signers using SMS OTP)

2.2 Usage data

  • Connection logs
  • IP address
  • Browsing data (User Agent)
  • Geolocation (optional)
  • User preferences
  • Signature history

2.3 Documents and signatures

  • PDF files uploaded for signing
  • Signature images (drawings or text signatures)
  • Signed documents
  • Proof documents

2.4 Traceability data

  • Timestamps of all actions
  • Signature events
  • OTP codes (hashed)

3. Processing purposes

Your data is collected and processed for the following purposes:

  • Creation and management of your user account
  • Provision of electronic signature services
  • Identity verification via OTP
  • Generation of proof documents
  • Ensuring traceability and legal compliance of signatures
  • Credit and billing management
  • Improvement of our services
  • Security and fraud prevention
  • Compliance with our legal obligations
  • Communication of service-related information

4. Legal basis for processing

The processing of your data is based on the following legal grounds:

  • Performance of a contract: For the provision of electronic signature services
  • Legal obligation: For regulatory compliance, traceability and evidence retention
  • Legitimate interest: For the improvement of our services and security
  • Consent: For certain marketing communications (optional)

5. Data recipients

Your data may be shared with the following recipients:

  • Authorized HelloWeSign personnel
  • Service providers (Railway hosting, Stripe payments, Resend emails, Twilio SMS)
  • Legal authorities upon justified request

We ensure that all our subprocessors comply with the GDPR and guarantee an adequate level of data protection.

6. Data retention

Your data is retained for the following periods:

  • Account data: Duration of the contract + 3 years
  • Billing data: 10 years (legal accounting obligation)
  • Connection logs: 12 months maximum
  • Documents and signatures: According to the retention period required by law or chosen by the user
  • Proof documents: In accordance with legal evidence retention obligations

7. Data security

We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, destruction or disclosure:

  • Data encryption in transit (HTTPS/TLS)
  • Secure document storage (Railway Object Storage, S3-compatible)
  • SHA-256 hashing of OTP codes and API keys
  • One-time password (OTP) authentication
  • Pre-signed URLs with expiration for document access
  • Secure hosting (Vercel, Railway)
  • Regular backups
  • Strict access control
  • Timing-safe comparison to prevent timing attacks

8. Your rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access: Obtain a copy of your data
  • Right to rectification: Correct inaccurate data
  • Right to erasure: Delete your data (subject to conditions, including legal retention obligations)
  • Right to restriction: Restrict the processing of your data
  • Right to portability: Receive your data in a structured format
  • Right to object: Object to the processing of your data
  • Right to withdraw consent: At any time

To exercise these rights, contact us at: contact@hellowesign.com

You also have the right to lodge a complaint with the CNIL (French data protection authority): www.cnil.fr

9. Cookies

Our platform uses cookies strictly necessary for the operation of the service:

  • Session cookies: To maintain your session (NextAuth)
  • Security cookies: To protect against CSRF attacks
  • Preference cookies: To remember your choices (theme, etc.)

You can configure your browser to refuse cookies, but this may affect the operation of the platform.

10. Data transfers outside the EU

Some of our service providers (Vercel hosting, Railway, Resend emails) may be located outside the European Union. In such cases, we ensure that they guarantee an adequate level of protection through standard contractual clauses or other approved mechanisms.

11. Modifications

We reserve the right to modify this privacy policy at any time. Any changes will be brought to your attention and the updated version will be published on this page.

12. Contact

For any questions regarding this privacy policy or the processing of your data, you can contact us:

Email: contact@hellowesign.com

Address: [ADDRESS TO BE COMPLETED]

Last updated: May 2025