Privacy Policy

Effective date: [DATE]
Last updated: [DATE]

Summary (plain English)

This is the long version. The short version:

• We collect what we need to run the product — your account info, the documents you upload, the way you use the product
• We use it to provide the service, improve it, and keep it secure
• We don't sell your data
• We don't train AI models on your documents
• You can export, delete, or correct your data anytime
• We hand your data to law enforcement only when legally compelled
• We use a short list of subprocessors (listed at /security/subprocessors)

If anything below contradicts the summary, the legal version below is the controlling text — but tell us, because the contradiction is probably a bug.

1. Who we are

FusionDocs is operated by [LEGAL ENTITY NAME], registered in [JURISDICTION] at [REGISTERED ADDRESS].

For privacy questions, contact privacy@fusiondocs.com.

Our EU Representative under GDPR Article 27 is [NAME, ADDRESS — required if you offer services to EU users from outside the EU].

Our UK Representative under UK GDPR Article 27 is [NAME, ADDRESS — required if you offer services to UK users from outside the UK].

For California, Virginia, Colorado, Connecticut, and other U.S. state privacy laws, see Section 12.

2. What we collect

Account information

• Your name and email when you sign up
• Your password (stored as a salted hash; we never see the plaintext)
• Your billing information (handled by Stripe; we store only the last 4 digits and brand)
• Your workspace, team, role, and user preferences

Documents and content

• Documents you upload for signing
• Metadata about those documents (file name, page count, who you sent them to, when they were signed)
• The content of fields signers fill in
• IP addresses, timestamps, and approximate location of senders and signers (required for the audit certificate)

Usage data

• Pages you visit and actions you take in the product
• Device info (browser, OS, screen size — collected for compatibility, not tracking)
• Errors and performance metrics

Information from third parties

• If you connect an integration (e.g., Salesforce, HubSpot), we receive data from that integration on your behalf
• If you sign in with SSO, we receive the attributes your IdP releases

3. How we use it

To provide the service

• Send documents, route signers, generate audit certificates, deliver signed PDFs
• Authenticate users and authorize actions
• Process payments

To improve the service

• Aggregate, anonymized analytics (no individual document contents)
• Diagnose bugs and performance issues (with documents redacted from logs)
• Inform product roadmap

To keep things secure

• Detect and prevent fraud, abuse, and security incidents
• Investigate violations of our Terms of Service

To communicate with you

• Service messages (e.g., your document was signed)
• Account notifications (security, billing)
• Product updates (you can unsubscribe; service messages aren't unsubscribable while you have an account)

4. What we don't do

• We don't sell your personal information.
• We don't train AI models on your documents or your customers' personal data.
• We don't share your data with advertisers.
• We don't read the contents of your documents beyond what's needed to render them, detect fields, generate audit certificates, and provide search if you ask for it.

5. Who we share with

Subprocessors

We share data with vendors who help us run the service. They're contractually bound to use data only for our purposes and to apply the same protections we do. Current list at /security/subprocessors.

Other users in your workspace

If you're part of a team, other team members may see documents you've sent, depending on the workspace's role and permission settings.

Signers

When you send a document, the signers see the document, your name, your email, and any message you include.

Legal compliance

We may share data when we believe in good faith it's required by law, court order, or legal process. We push back on overbroad requests and notify customers unless legally prohibited.

Business transfers

If FusionDocs is acquired or merged, your data may be transferred. We'd notify you in advance and you'd have the option to export and delete.

6. Where we store data

By default, your data is stored in the region you selected at signup:

• U.S. — AWS us-east-1
• EU — AWS eu-central-1

Some metadata (account creation, billing, support tickets) is stored in the region of our headquarters, [REGION]. Where we transfer data across borders, we rely on:

• For EU/UK transfers: Standard Contractual Clauses (SCCs)
• For other jurisdictions: equivalent transfer mechanisms

7. How long we keep your data

8. Your rights

Depending on where you live, you have some or all of these rights:

• Access — get a copy of the data we have on you
• Correction — fix anything that's wrong
• Deletion — request that we delete your data
• Portability — get your data in a machine-readable format
• Restriction — limit how we use your data
• Objection — object to certain processing
• Withdrawal of consent — where processing is based on consent

To exercise these rights, email privacy@fusiondocs.com or use the data export / deletion tools in your account settings.

We'll respond within 30 days (or 45 days for complex requests, with notice).

If you're not satisfied with our response, you can complain to your local data protection authority. EU residents: list of DPAs.

9. Cookies and tracking

On our website (fusiondocs.com)

• Essential cookies — session, login, CSRF protection. Always on.
• Analytics cookies — first-party analytics, no third-party tracking by default. We use [tool] to understand which pages people read, in aggregate.
• Marketing cookies — only if you opt in via the cookie banner.

On the signing page (sign.fusiondocs.com)

Essential cookies only. No analytics, no marketing pixels, no third-party scripts. Signing pages are kept clean.

Manage cookies via the banner or your browser settings.

10. Children

FusionDocs is not directed at children under 16. We don't knowingly collect data from anyone under 16. If you believe we have, contact privacy@fusiondocs.com and we'll delete it.

11. Security

See our Security page for details. In short: AES-256 at rest, TLS 1.3 in transit, SOC 2 Type II audited, hardware-key access controls for engineers, no production access by default.

In the event of a security incident affecting your data, we'll notify you within 72 hours of confirmation. We comply with breach-notification requirements under GDPR Article 33, U.S. state breach laws, and other applicable rules.

12. U.S. state privacy disclosures

California (CCPA / CPRA)

• Categories of personal information we collect: identifiers, commercial info, internet activity, geolocation, professional info. See Section 2 for specifics.
• Sources: directly from you, from your integrations, from your IdP.
• Purposes: see Section 3.
• Sharing: see Section 5.
• Sale of personal information: we don't sell personal information.
• Sharing for cross-context behavioral advertising: we don't share for this purpose.
• Sensitive personal information: we don't use sensitive PI for purposes beyond what's listed in Section 3.
• Retention: see Section 7.
• Your rights: access, deletion, correction, opt-out of sale/sharing (N/A), limit use of sensitive PI.

To exercise: privacy@fusiondocs.com or in-product settings. We won't discriminate against you for exercising these rights.

Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon, Montana, and other states

Similar rights apply. Exercise via privacy@fusiondocs.com. We respond within statutory windows (typically 45 days, extendable once with notice).

Authorized agents

If you'd like an authorized agent to make requests on your behalf, they must provide written authorization. We may verify your identity before acting on the request.

13. Changes to this policy

We update this policy when our practices or the law changes. Material changes get:

• An email notice 30 days before the change takes effect
• A banner in the product
• A version history at /privacy/changelog

The current effective date is at the top of this page.

14. Contact