Privacy Policy

Effective date: 10 March 2026

Operator: VICENT SOLUCOES TI LTDA · CNPJ 53.183.462/0001-58

This Privacy Policy describes how VICENT SOLUCOES TI LTDA ("DottSign", "we", "us", or "our"), a company registered in Brazil (CNPJ 53.183.462/0001-58), collects, uses, stores, and protects your personal data when you use the DottSign platform (website, web application, and mobile application). It applies to all users worldwide and is designed to comply with Brazil's Lei Geral de Proteção de Dados (LGPD — Law No. 13,709/2018) and, where applicable, the EU General Data Protection Regulation (GDPR — Regulation 2016/679).

1. Controller Identity and Contact

  • Data Controller: VICENT SOLUCOES TI LTDA
  • CNPJ: 53.183.462/0001-58
  • Registered office: Brazil
  • Data Protection Officer (Encarregado — LGPD Art. 41): dpo@dottsign.com
  • General privacy enquiries: privacy@dottsign.com
  • Legal notices: legal@dottsign.com

We will respond to data-subject requests within 15 business days (LGPD Art. 18) or 30 calendar days (GDPR Art. 12(3)), whichever is stricter for your jurisdiction.

2. Personal Data We Collect

2.1 Account and Identity Data

  • Full name (optional at registration; required for signing).
  • E-mail address (required).
  • Password (stored securely; the plaintext is never stored).
  • Profile picture — uploaded voluntarily or obtained via Google OAuth.
  • Google OAuth identifier and Google profile data, when you choose Google sign-in.
  • Preferred language setting.

2.2 Authentication and Security Data

  • Two-factor authentication (2FA) secret and backup codes, stored securely.
  • Session tokens stored server-side with expiry.
  • Password-reset tokens (short-lived).
  • Mobile app: a flag indicating whether biometric app-lock is enabled. Biometric authentication is handled entirely on-device by the operating system. No biometric data reaches our servers.

2.3 Contract and Document Data

  • PDF files you upload, stored encrypted on AWS S3.
  • Contract title, description, tags, category, status, and expiry dates.
  • Plain text extracted from PDFs, used solely for AI analysis.
  • A cryptographic hash of each uploaded document for integrity verification.

2.4 Signature and Audit Data

  • Typed name used as electronic signature.
  • IP address and browser information at the time of signing.
  • Signing timestamp, verified by a timestamp authority.
  • Cryptographic signature value and associated certificate.
  • A cryptographic hash of the signed PDF.
  • E-mail address of external (non-registered) signers.
  • One-time code verification records for signing sessions.

2.5 AI Analysis Data

  • Extracted document text is sent to Groq (USA) for AI inference (categorisation, summarisation, clause analysis, Q&A). Groq processes this data in transit; no document content is retained by Groq beyond the inference call.
  • AI job results (category, summary, clause flags) are stored on our servers linked to the contract.

2.6 Billing and Subscription Data

  • Stripe customer ID and subscription/price identifiers.
  • Subscription status and current period end date.
  • We do not store raw card numbers or full payment credentials — all payment processing is handled by Stripe, Inc.

2.7 Organisation Data

  • Organisation name, URL slug, and optional logo.
  • Member roles within organisations you belong to.

2.8 Technical and Usage Data

  • Audit log entries (action type, resource, IP address, timestamp) for security and legal-evidence purposes.
  • In-app notification content and read status.
  • Usage counters (contracts created, AI questions used) for plan-limit enforcement.
  • Salesforce OAuth tokens (stored encrypted) if you connect the Salesforce integration.

2.9 Google Drive Data (Web Only — Optional)

  • What we access: When you choose to import a PDF from Google Drive, we request a short-lived OAuth 2.0 access token scoped to drive.readonly. Using this token we retrieve the list of PDF files in your Drive (file name, file ID, size, and last-modified date) and, upon your selection, download the binary content of the chosen PDF file.
  • Purpose: Solely to allow you to upload that PDF as a contract document in DottSign. No other Drive files or metadata are accessed.
  • Storage: The OAuth access token is held only in browser memory for the duration of the import and is never transmitted to or stored on our servers. Only the PDF file you select is stored (encrypted, on AWS S3) — no other Drive metadata is retained.
  • Scope used: https://www.googleapis.com/auth/drive.readonly (read-only; no write, delete, or sharing permissions are requested).
  • No background access: Drive access occurs exclusively in response to an explicit user action (clicking “Import from Google Drive”). We do not access your Drive at any other time.
  • Revoking access: You may revoke this access at any time from your Google Account permissions page (myaccount.google.com/permissions) without affecting your DottSign account.

3. Legal Basis for Processing

| Processing purpose | LGPD basis (Art. 7/11) | GDPR basis (Art. 6) |
|---|---|---|
| Providing the platform and performing your contract | Contract execution (Art. 7, V) | Contract (Art. 6(1)(b)) |
| Authentication, security, and fraud prevention | Legitimate interest / legal obligation (Art. 7, II/IX) | Legitimate interests (Art. 6(1)(f)) |
| Generating cryptographic signature records | Legal obligation / contract (Art. 7, II/V) | Legal obligation / Contract (Art. 6(1)(b/c)) |
| Sending transactional e-mails (OTP, notifications) | Contract execution (Art. 7, V) | Contract (Art. 6(1)(b)) |
| AI-powered document analysis | Legitimate interest (Art. 7, IX) | Legitimate interests (Art. 6(1)(f)) |
| Google Drive file import (optional, user-initiated) | Consent (Art. 7, I) | Consent (Art. 6(1)(a)) |
| Processing payments via Stripe | Contract execution (Art. 7, V) | Contract (Art. 6(1)(b)) |
| Retaining audit logs for legal evidence | Legal obligation (Art. 7, II) | Legal obligation (Art. 6(1)(c)) |
| Product analytics (anonymised) | Legitimate interest (Art. 7, IX) | Legitimate interests (Art. 6(1)(f)) |
| Marketing communications (optional) | Consent (Art. 7, I) | Consent (Art. 6(1)(a)) |

4. How We Use Your Personal Data

  • Creating and managing your account and organisation memberships.
  • Processing electronic signatures and generating cryptographically sealed PDF documents.
  • Sending signature-request e-mails, one-time codes, and signed-document copies to signers.
  • Running AI analysis on your documents (summarisation, categorisation, clause extraction, Q&A).
  • Importing a PDF you select from Google Drive (web only, on your explicit request) and storing it as a contract document.
  • Processing subscription payments and managing plan entitlements.
  • Maintaining audit logs to provide legal evidence of signing events.
  • Sending in-app notifications and (if opted in) e-mail notifications about contract events.
  • Enforcing usage limits per subscription plan.
  • Improving the platform through anonymised, aggregated usage analytics.
  • Complying with applicable laws, court orders, and regulatory obligations.

5. Sharing and International Transfer of Data

5.1 Sub-processors and Third-Party Services

  • AWS (Amazon Web Services): encrypted document storage and e-mail delivery. AWS infrastructure may be located in Brazil or the USA depending on configuration.
  • Stripe, Inc. (USA): payment processing and subscription management.
  • Google LLC (USA): optional OAuth-based authentication; and, on the web platform, optional Google Drive file import (read-only, user-initiated, access token never stored on our servers).
  • Groq, Inc. (USA): AI inference for contract analysis. Document text extracts are transmitted; Groq does not retain content beyond inference processing.
  • Salesforce (optional integration): if you enable the Salesforce integration, your OAuth tokens and selected contract metadata are shared with Salesforce's servers.

5.2 International Data Transfers

  • We are a Brazilian company (LGPD Art. 33). Transfers of personal data to third countries (e.g., the USA for Stripe, Groq, Google, AWS) are made under adequate safeguards: Standard Contractual Clauses (SCCs) under GDPR; and ANPD-recognised mechanisms under LGPD.
  • Where transfers rely on the receiving party's own adequacy or certification (e.g., Stripe's PCI-DSS certification, Google's privacy framework), we document this in our sub-processor register.

5.3 Disclosure to Authorities

  • We may disclose personal data to courts, law enforcement, or regulatory authorities (including the ANPD) when required by applicable law or valid legal process.
  • We will notify affected users of such disclosures where legally permitted.

6. Data Retention

| Data category | Retention period | Justification |
|---|---|---|
| Account profile data | Duration of account + 6 months after deletion | Service delivery; LGPD legitimate interest |
| Contract documents and signature records | Duration of account, then deleted on request; audit trail minimum 5 years | Legal evidence obligation (MP 2.200-2/2001, Lei 9.492/1997) |
| Audit logs | 5 years from event date | Legal and regulatory compliance |
| Billing records | 5 years from transaction | Brazilian tax law (Lei 9.430/1996) |
| AI job results | Deleted with associated contract | Derived data; no independent retention needed |
| Session and refresh tokens | Short-lived; revoked on logout or expiry | Authentication security |
| Password-reset tokens | Short-lived from generation | Security |
| One-time signing codes | Short-lived from generation | Security |

7. Security Measures

We implement the following technical and organisational security controls (LGPD Art. 46; GDPR Art. 32):

  • Encryption at rest for all documents stored in cloud storage; encryption keys are managed separately.
  • Secure hashing for passwords and tokens.
  • Encryption in transit for all API and web traffic.
  • Cryptographic signatures and timestamp verification for legally verifiable signing records.
  • Role-based access controls (administrator, manager, signer, viewer).
  • Two-factor authentication (2FA) available for all accounts.
  • Biometric app-lock on mobile (on-device only; no biometric data transmitted).
  • Short-lived session tokens with server-side rotation.
  • Comprehensive audit logging of all sensitive actions.
  • Secure token storage on mobile devices using platform-provided secure storage.

8. Cookies and Local Storage

  • Web application — strictly necessary cookies: We set one secure, server-side cookie containing the session token. This cookie is required to maintain your authenticated session and cannot be disabled without preventing login.
  • Web application — no third-party analytics or advertising cookies: We do not use Google Analytics, Meta Pixel, or any advertising cookies.
  • Mobile application — secure storage: Access tokens and session tokens are stored in the device's secure storage provided by the operating system.
  • Mobile application — local storage: Offline contract metadata cache and locale preference are stored in local device storage.

9. Your Rights

Under LGPD (Art. 18) and GDPR (Arts. 15–22), you have the following rights. To exercise any of them, e-mail privacy@dottsign.com with your account e-mail address. We will respond within 15 business days.

Rights applicable under LGPD (all users) and GDPR (EU/EEA users)

  • Right of Access (Art. 18, I / GDPR Art. 15): obtain confirmation whether we process your data and receive a copy.
  • Right to Rectification (Art. 18, III / GDPR Art. 16): correct inaccurate or incomplete data.
  • Right to Deletion/Erasure (Art. 18, VI / GDPR Art. 17): request deletion of your data, subject to legal retention obligations (e.g., signed contract audit trails).
  • Right to Data Portability (Art. 18, V / GDPR Art. 20): receive your personal data in a structured, commonly used, machine-readable format.
  • Right to Information about Sharing (Art. 18, VII): know which entities we have shared your data with.
  • Right to Object / Opt-out (Art. 18, II / GDPR Art. 21): object to processing based on legitimate interest; opt out of marketing communications at any time.
  • Right to Withdraw Consent (Art. 8, §5 / GDPR Art. 7(3)): withdraw consent for consent-based processing without affecting the lawfulness of prior processing.
  • Right to Review Automated Decisions (Art. 20 / GDPR Art. 22): request human review of decisions taken solely by automated means that significantly affect you.
  • Right to Petition the ANPD (Art. 18, VIII): lodge a complaint with Brazil's Autoridade Nacional de Proteção de Dados (www.gov.br/anpd).
  • GDPR only — Right to Restriction of Processing (Art. 18 GDPR): request that we restrict processing in certain circumstances.
  • GDPR only — Lodge a complaint with a supervisory authority: EU/EEA residents may lodge a complaint with their local data protection authority.

10. Children's Privacy

DottSign is not directed at children under 18 years of age. We do not knowingly collect personal data from minors. If we learn we have collected data from a minor without verified parental consent, we will delete it promptly. Contact privacy@dottsign.com if you believe a minor's data has been collected.

11. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ANPD within 72 hours of becoming aware of the breach (LGPD Art. 48; GDPR Art. 33). We will also notify affected data subjects without undue delay where required. Notifications will include the nature of the breach, data categories affected, likely consequences, and remediation measures taken.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you by e-mail and/or prominent in-app notice at least 15 days before material changes take effect. The updated policy will display a new effective date. Continued use of the platform after the effective date constitutes acknowledgment of the updated policy. For material changes affecting consent-based processing, we will request fresh consent.

13. Contact and Complaints

  • Data Protection Officer (Encarregado): dpo@dottsign.com
  • Privacy enquiries: privacy@dottsign.com
  • Legal notices: legal@dottsign.com
  • ANPD (Autoridade Nacional de Proteção de Dados): www.gov.br/anpd
  • EU/EEA supervisory authorities: edpb.europa.eu/about-edpb/board/members_en
