
GDPR & Data Protection

Strong privacy rights shouldn't be a premium feature. Here's how sign.pink supports the GDPR — for our EU users and, frankly, for everyone.

Last updated: 2026

Template notice: This page is a clear-language template describing our intended GDPR posture, not legal advice. Please have qualified counsel review and tailor it to your operations and data flows before relying on it.

Our commitments

The EU's General Data Protection Regulation (GDPR) sets a high bar for how personal data is handled, and we're happy to meet it. We collect the minimum we need, secure it, are clear about what we do with it, and we extend the spirit of these protections to all users — not only those in the EU. We don't sell personal data and we don't mine your documents.

Lawful basis for processing

We only process personal data when we have a lawful basis to do so:

  • Performance of a contract — running the Service you signed up for and processing the documents you ask us to.
  • Legitimate interests — keeping the Service secure, preventing abuse, and improving how it works, balanced against your rights.
  • Legal obligation — retaining records where the law requires it.
  • Consent — for anything optional, such as non-essential analytics cookies, which you can withdraw at any time.

Your data-subject rights

Under the GDPR you have the right to:

  • Access — get a copy of the personal data we hold about you.
  • Rectification — correct data that's inaccurate or incomplete.
  • Erasure — ask us to delete your data (the "right to be forgotten"), subject to legal retention duties.
  • Restriction & objection — limit or object to certain processing.
  • Portability — receive your data in a portable format you can take elsewhere.
  • Withdraw consent — at any time, without affecting processing already carried out.
  • Complain — to your local data-protection authority.

To exercise any of these, email hello@sign.pink. We'll respond within the timeframes the GDPR requires, free of charge in normal cases.

How we handle EU data

We secure personal data with encryption in transit and at rest, limit access to those who need it, and keep tamper-evident audit trails for signed documents. Where data is transferred outside the EEA, we rely on appropriate safeguards such as the European Commission's standard contractual clauses, and we keep our use of sub-processors to a short, vetted list — available on request.

Controller and processor roles

For your account data, we generally act as a data controller. For the documents and signer details you upload and route through the Service, we generally act as a data processor on your behalf, processing them only on your instructions.

How this pairs with eIDAS

The GDPR governs how personal data is protected; the EU's eIDAS regulation governs whether your electronic signatures are legally recognized across the EU. They work hand in hand: eIDAS makes the signature valid, the GDPR keeps the signer's data safe. For more on signature validity in Europe, see our eIDAS explainer.

Data Processing Agreement (DPA)

If you process personal data of others through sign.pink and need a Data Processing Agreement to meet your own GDPR obligations, we're happy to provide one. Request a DPA by emailing hello@sign.pink.

Contact

For any privacy or data-protection question — including DPA requests and data-subject requests — reach us at hello@sign.pink. You can also read our full Privacy Policy and Cookie Policy.

Serious about privacy. Refreshingly cheap about everything else.

$3/month, unlimited signing, no caps — with rights you don't have to upgrade to get.