Privacy Policy
Last updated: September 4, 2025
This Privacy Policy explains how XSIGI (the “Service”, “we”, “us”) collects, uses, retains, and protects your information. It reflects our privacy‑by‑design approach: we seek to minimize data, process only what’s necessary, and retain only what’s required to provide cryptographic verification and comply with law.
1) What We Collect
- Account data: Basic identifiers (e.g., name, email), authentication artifacts (e.g., WebAuthn public keys, passkey handles), and preferences.
- Operational data: Audit entries (timestamps, user ID, event type, IP where applicable), rate‑limiting identifiers, and device/browser metadata necessary for security.
- Cryptographic evidence: Document hashes, signature hashes, public key IDs, and related metadata to enable later verification. We do not permanently store your documents.
- Payment/billing data (if applicable): Processed by our payment provider; we store minimal references needed for accounting and fraud prevention.
2) How We Use Information
- Provide, secure, and improve the Service.
- Facilitate cryptographic signing, verification, and auditability.
- Prevent fraud and abuse, enforce Terms, and comply with legal obligations.
- Communicate with you about the Service, features, and updates (where permitted).
3) Data Minimization and Storage
- No permanent document storage: Files you upload for processing are handled transiently and discarded after the task completes.
- Immutable evidence: We retain minimal non‑content records (hashes, key IDs, timestamps, audit entries) required for future verification and compliance.
- Backups and logs: Limited operational logs and backups may persist for up to ~90 days for reliability and security and are then pruned.
4) Retention
- Evidence records are typically retained for 5–7 years, or longer where required by law, regulation, or legal hold.
- Account data is retained while your account is active. Upon deletion, we remove personal data subject to a 30‑day cooling‑off period. Evidence records necessary for verification may be retained to the extent permitted by law.
- If a legal hold applies, relevant records may be preserved until the hold is lifted.
5) Security
- Transport‑layer encryption (HTTPS) and secure headers (HSTS) to protect data in transit.
- WebAuthn/passkey support and rate limiting to reduce account takeover and abuse.
- Least‑privilege access, monitoring, and audit logs to detect and investigate anomalies.
- Separation of content vs. non‑content data; we avoid storing documents beyond transient processing.
6) Your Rights
- Access, correct, or delete your personal data subject to legal exceptions.
- Object to or restrict certain processing where applicable.
- Portability: request a copy of your data in a portable format where feasible.
- Withdraw consent where processing is based on consent.
To exercise rights, use the tools in your account or contact us using the methods on our website.
7) International Transfers
Where data is transferred across borders, we use appropriate safeguards (e.g., standard contractual clauses) as required by applicable law.
8) Children
The Service is not intended for children under the age of 16 (or the age required by your jurisdiction). We do not knowingly collect personal data from children without appropriate consent.
9) Third‑Party Services
We may use third‑party providers for infrastructure, analytics, payments, email, or fraud prevention. Those providers process data on our behalf under appropriate agreements and safeguards.
10) Changes
We may update this Privacy Policy periodically. If we make material changes, we will provide notice as required by law. Your continued use of the Service signifies acceptance of the updated policy.
11) Contact
If you have questions or requests regarding this Privacy Policy or our data practices, please contact us via the contact details on our website.
See also our Terms & Conditions for contractual terms governing use of the Service.