Draft. This document reflects our current intent but has not been reviewed by counsel. Material changes will be posted here with a revision date. Questions: hello@handshakesignatures.com.

Legal

Privacy Policy

What we collect

Account holders: name, email, hashed password (or magic-link token), the documents you upload, recipient lists you provide. Signers (no account needed): name, email, IP address, user agent, signed-at timestamp. We capture these for the audit trail required by ESIGN / UETA.

What we don't collect

We do not use third-party analytics, tracking pixels, advertising networks, or session replay tools. We do not consume the “email opened” or “email clicked” webhook events from our email provider. We do not sell or share your data.

Where data lives

Documents and database rows are stored in Supabase (US region). Encrypted document blobs are stored in Supabase Storage. Authenticated traffic is served from Cloudflare Workers. Transactional email is sent via Resend.

Encryption

Documents are encrypted at rest with per-document AES-256 keys; the keys themselves are wrapped by a master key stored only in our deployment environment. In transit, all traffic uses TLS.

Your rights

You can export or delete your data at any time. Deletion removes documents and personal data; the audit-event log is retained as required for the integrity of any documents you previously sealed. Email hello@handshakesignatures.com for an export or full erasure.

Cookies

We set HTTP-only session cookies for authentication and a workspace preference cookie. We do not set advertising or analytics cookies.

Data retention

Active documents are retained as long as your account is active. Drafts older than 30 days may be removed automatically. Sealed PDFs you download contain everything needed to verify integrity offline, so we are not the system of record for your contracts.

Contact

Questions or requests: hello@handshakesignatures.com.

TermsPrivacyESIGN consentLast revised May 5, 2026