eSigKit

Privacy policy

Last updated 2026-05-03 · Effective 2026-05-03

eSigKit (“eSigKit,” “we,” “us”) provides email-signature management software for businesses. This policy explains what information we collect about your organization and its employees, how we use it, who we share it with, and what rights you have over it. It applies to app.esigkit.com, api.esigkit.com, and any related software we publish (the “Service”).

1. Who is responsible

The data controller is Rich Software, Co. (“RSCO”), trading as eSigKit. You can reach us at privacy@esigkit.com for any privacy-related question, GDPR/CCPA request, or to exercise the rights below.

2. What we collect

We collect three categories of information:

2.1 Account information you give us

  • Organization profile: organization name, optional email domain, primary/secondary brand colors, font, logo, banner, social links.
  • Administrator profile: email address, first name, last name, and (via AWS Cognito) a salted password hash for sign-in.
  • Employee profiles: for each employee whose signature you manage — first name, last name, email address, optional title, department, phone, mobile phone, and optional photo.
  • Billing information: handled entirely by Stripe (see §4). We store a Stripe customer id and the current subscription status; we do not store credit-card numbers.

2.2 Information generated by your use of the Service

  • Rendered signatures: static HTML files we generate from your templates and employee profiles, hosted at cdn.esigkit.com/signatures/{orgId}/{userId}.html.
  • Operational logs: request timestamps, IP address, correlation ids, and stack traces. Used only to operate, secure, and troubleshoot the Service.
  • Audit logs: who in your organization changed what (created a template, invited a user, deployed signatures). Retained per the schedule in §6.

2.3 Information from third-party integrations you authorize

  • Google Workspace (optional): if you use the Gmail bulk-deploy feature, you authorize us via OAuth to call the Google Admin SDK on your behalf. We use the granted scope ( https://www.googleapis.com/auth/gmail.settings.sharing) only to set the “send-as” signature on each employee’s Gmail account. We do not read employee mail, contacts, calendars, or drives. We comply with Google’s Limited Use Requirements for restricted scopes (see §3.1).

3. How we use the information

We use the information above to:

  • Provide the Service. Generate signature HTML from your template + employee data; deploy signatures into Gmail (when you authorize) or via our Chrome extension; show your administrators a dashboard for managing all of the above.
  • Bill you via Stripe and apply plan limits (e.g., user-count caps).
  • Secure the Service against abuse — rate limiting, fraud detection, anomaly alerts.
  • Comply with legal obligations — tax records, lawful requests, breach-notification timelines.

We do not sell your data, employees’ data, or signatures’ data. We do not use your data to train machine-learning models. We do not show ads.

3.1 Google API services — Limited Use disclosure

eSigKit’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy , including the Limited Use requirements. Specifically:

  • We use Google user data only to provide the user-facing signature-management feature you authorized.
  • We do not transfer Google user data to third parties except as needed to provide the feature, comply with applicable law, or as part of a merger, acquisition, or sale of assets (in which case a successor would be bound by this policy).
  • We do not use Google user data for advertising or ad-targeting purposes.
  • We do not allow humans to read Google user data, except (a) with your explicit consent, (b) for security purposes (e.g., investigating abuse), (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized.

4. Subprocessors

We use a small number of vetted third parties to run the Service. Each is contractually bound to handle data consistently with this policy. The current list:

Subprocessor Purpose Region
Amazon Web Services Compute, storage (DynamoDB, S3), authentication (Cognito), email (SES), encryption (KMS) US (us-west-2 primary, us-east-1 disaster recovery)
Stripe, Inc. Subscription billing + Stripe Tax US
Cloudflare, Inc. DNS, Pages hosting, WAF, edge caching Global edge
Google LLC Workspace Admin SDK (only when you authorize bulk Gmail deploy) US

We notify customers in advance of subprocessor changes via email and an in-product banner so customers can object before the change takes effect.

5. Where data is stored

Primary storage is in AWS US-West-2 (Oregon). Encrypted backups are replicated to AWS US-East-1 (N. Virginia) for disaster recovery. Backups use a separate KMS key. Audit logs are stored with S3 Object Lock in compliance mode for the retention period required by your plan. We do not currently store data in the EU; we may add EU storage based on customer demand.

6. How long we keep data

  • Active organization data: kept for as long as your subscription is active.
  • Soft-deleted organizations: a 30-day grace window after you delete your organization, during which you can request restoration. After 30 days, the data is permanently purged.
  • Audit logs: 30 days (Free plan), 90 days (Pro), 1 year (Business), 10 years (Agency).
  • Billing records: 7 years (US tax requirement). Billing data is held by Stripe; see their privacy policy for details.
  • Backups: rolling 35-day point-in-time recovery on the primary database, plus a 12-month archive of weekly snapshots.

7. Your rights

We provide self-service controls in the dashboard for the most common rights; anything not self-serviceable is handled by privacy@esigkit.com within 30 days.

  • Access & portability (GDPR Art. 15 / 20): any organization administrator can export the full data set (org profile, brand, all employee records) as a JSON file from Settings > Data export. The download link is valid for 24 hours.
  • Rectification (GDPR Art. 16): administrators can edit any employee record from the Users page in the dashboard.
  • Erasure / right-to-be-forgotten (GDPR Art. 17): deleting an employee from the Users page soft-deletes immediately and purges within 30 days. Deleting the organization from Settings does the same for the whole tenant.
  • Restriction (GDPR Art. 18): contact privacy@esigkit.com; processing on the affected records pauses while we resolve.
  • Objection (GDPR Art. 21): see above.
  • CCPA “Do Not Sell My Personal Information”: we do not sell personal information. If you live in California, the controls above apply.

8. Cookies

The dashboard uses two cookies, both essential and not advertising-related:

  • A short-lived session cookie set by AWS Cognito after you sign in. Without it you cannot stay signed in.
  • A CSRF-protection cookie tied to the session above.

We do not use third-party analytics cookies, advertising cookies, or cross-site tracking pixels. Cloudflare may set short-lived bot-management cookies in front of our edge; these are subject to Cloudflare’s privacy policy .

9. Security

We hold ourselves to the practices described in our public security documentation (encryption at rest with AWS KMS, encryption in transit via TLS 1.2+, principle-of-least-privilege IAM, multi-factor authentication for all production access, automated dependency scanning, signed deployments via GitHub OIDC, isolated backups in a different AWS region). If you believe you have found a vulnerability, please email security@esigkit.com; we follow RFC 9116 .

10. Children

eSigKit is a B2B product and is not directed at children under 13. We do not knowingly collect data from children; if you believe a child has provided information to us, contact privacy@esigkit.com and we will delete it.

11. International transfers

If you access the Service from outside the United States, your information is transferred to and processed in the US. For EU/UK customers, transfers rely on the Standard Contractual Clauses adopted by the European Commission. Email privacy@esigkit.com for a copy of the SCCs we use.

12. Changes to this policy

We will post material changes to this policy on this page and notify administrators by email at least 30 days before they take effect. Minor clarifications may be made without notice; the “Last updated” date at the top of the document always reflects the latest version.

13. Contact

For privacy questions, GDPR/CCPA requests, or anything else covered by this document: privacy@esigkit.com.