Privacy Policy
Last updated: March 30, 2026 · Version 1.0
Dash Sign Inc. ("Dash Sign," "we," "us," or "our") is committed to protecting your privacy and handling your personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5, as amended. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.
In accordance with PIPEDA Principle 1 (Accountability), Dash Sign Inc. has designated a Privacy Contact responsible for our compliance with this policy and applicable privacy law. To reach our Privacy Contact, email privacy@dashsign.ca with the subject line "Privacy Inquiry."
Our Core Privacy Promise
We store and process document files solely to operate and deliver the signing service — including encrypting, transmitting, and generating completed documents. We do not analyze, review, or use the substantive content of your documents for any other purpose, and we never sell your data. Access to stored files is strictly controlled by application permissions, time-limited signed URLs, and audit logging.
1. Information We Collect
We collect the following categories of information:
Account Information
- Name and email address provided during registration
- Organization or company name (if provided)
- Account preferences and settings
Signing Activity Metadata
- Document titles and status (draft, pending, completed)
- Timestamps for document creation, viewing, signing, and completion
- Signer names, email addresses, and phone numbers (for SMS OTP)
- IP addresses and device/browser information at the time of signing
- SHA-256 checksums for document integrity verification
Device and Technical Information
- Browser type and version
- Operating system
- IP address
- Pages visited and actions taken within the Service
2. Document and Verification Files
Dash Sign uses private storage, not public file links.
To deliver the service, Dash Sign stores original PDFs, signed PDFs, signer attachments, signature data, and optional photo ID uploads. We protect these files with encryption, time-limited access links, and audit records.
These files may include:
- Document PDFs — original uploads and completed signed files
- Signature and field data — the information needed to render a completed document
- Photo ID images — government-issued identification uploaded by signers when the document sender has enabled identity verification. Photo ID is sensitive personal information. It is collected solely for identity verification purposes, stored encrypted alongside the audit trail, and retained for the applicable regulatory period (minimum 6 years). Signers are presented with an explicit consent notice before being asked to upload a photo ID. The decision to require photo ID verification is made by the document sender, not by Dash Sign.
- Signer attachments — supporting files uploaded during the signing flow
We use these files only to operate the Service, deliver completed documents, and maintain the associated audit trail. We do not analyze the substantive content of documents.
3. How We Use Information
We use the information we collect for the following purposes:
- Service operation: To provide, maintain, and improve the Dash Sign platform
- Audit trail generation: To create immutable, tamper-proof records of signing activity for legal and regulatory compliance
- Identity verification: To verify signer identity through SMS OTP and photo ID when enabled
- Communication: To send signing notifications, reminders, and service-related emails
- Compliance: To meet regulatory obligations under PIPEDA, FSRA, and UECA
- Security: To detect, prevent, and respond to fraud, abuse, and security incidents
We do not sell, rent, or trade your personal information to third parties. We do not use your data for advertising or marketing profiling.
4. Data Storage and Security
We take the security of your data seriously:
- Encryption at rest: All data is encrypted using AES-256 encryption
- Encryption in transit: All connections are secured with TLS 1.3
- Canadian-hosted primary storage: Our primary Supabase database and file storage are hosted in the AWS ca-central-1 (Canada) region
- Cross-border data transfers: Our email provider (Resend) and SMS provider (Twilio) are US-based companies that process recipient contact information (email addresses and phone numbers) in the United States to deliver signing notifications and OTP codes. Our hosting provider (Vercel) processes request and performance data in multiple regions. By using the Service, you acknowledge that certain personal information may be transferred to and processed in the United States, where privacy laws may differ from those in Canada and where information may be subject to access by US government authorities under applicable US law. We configure each provider to receive only the minimum data necessary for their role.
- Access control: Row-level security policies ensure users can only access their own data at the database level
- Backups: Automated daily backups with point-in-time recovery
5. Data Retention
We retain personal information only as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Specific retention periods:
- Audit trail data (signing timestamps, event logs, signer identity verification records, IP addresses, device information, SHA-256 document checksums): Retained for a minimum of 6 years to satisfy applicable legal and regulatory obligations, including but not limited to requirements applicable to regulated financial services customers under the Financial Services Regulatory Authority of Ontario (FSRA). Other regulatory, contractual, or legal requirements may mandate longer retention depending on the document type.
- Document files (original PDFs, signed PDFs, photo IDs, attachments): Retained for the duration of your account and for the applicable regulatory period thereafter, consistent with audit trail retention.
- Account data (name, email, organization, preferences): Retained for the duration of your account and for 90 days following account closure, after which it is permanently deleted except where subject to a legal retention obligation.
You may request deletion of your personal information at any time. We will fulfill deletion requests within 30 days, subject to our legal retention obligations. Data subject to a legal retention obligation will be retained for the required period and then deleted.
6. Third-Party Services
We use the following third-party services to operate the platform:
Supabase
Database, authentication, and private file storage provider. Hosts application data, including document files and audit records, in the configured project region.
Resend
Email delivery service for signing notifications and reminders. Receives recipient email addresses and the email content needed to deliver signing links, reminders, and completion notices.
Twilio
SMS OTP delivery for signer identity verification. Receives phone numbers and verification data needed to send and validate one-time passcodes.
Vercel
Hosting and analytics provider. Vercel receives request and performance data needed to serve the application, and Vercel Analytics collects page and device metrics according to its platform documentation.
We configure each provider to receive only the minimum data needed for its role in delivering the Service. Resend and Twilio are US-based and process data in the United States, subject to US law (see Section 4). We maintain data processing agreements or equivalent contractual protections with each provider.
7. Your Rights Under PIPEDA
Under PIPEDA, you have the following rights regarding your personal information:
- Right of access: You may request access to the personal information we hold about you
- Right of correction: You may request that we correct any inaccurate or incomplete personal information
- Right of deletion: You may request that we delete your personal information, subject to our legal retention obligations (e.g., 6-year FSRA audit trail retention)
- Right to withdraw consent: You may withdraw your consent for the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions
- Right to complain: You may file a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated
To exercise any of these rights, contact us at support@dashsign.ca. We will respond to your request within 30 days.
Rights of Signers
Individuals who sign documents through Dash Sign ("Signers") are not required to create an account, but have the same rights under PIPEDA as account holders with respect to their personal information collected during the signing process (name, email, phone number, IP address, device information, and photo ID where applicable). Signers may exercise any of the rights listed above by contacting our Privacy Contact at privacy@dashsign.ca.
Note: Some signer data forms part of the legally required audit trail and cannot be deleted during the applicable retention period. We will explain which data is subject to retention obligations when responding to a deletion request.
8. Cookies and Analytics
We use minimal cookies necessary for the operation of the Service:
- Authentication cookies: Essential cookies to maintain your login session
- Security cookies: Used for CSRF protection and rate limiting
We use Vercel Analytics, a privacy-focused analytics service, to understand aggregate usage patterns and application performance. Through Vercel Analytics, we collect page view data, device type, browser type, referrer information, and performance metrics. This data is used solely for operating and improving the Service. We do not use third-party advertising cookies, tracking pixels, or marketing analytics tools.
9. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a minor, please contact us at support@dashsign.ca.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We distinguish between:
- Minor or administrative changes (clarifications, contact updates): We will post the updated Policy with a revised date. Your continued use of the Service constitutes acceptance.
- Material changes (changes to what personal information we collect, how we use it, who we share it with, or your rights): We will provide at least 30 days' advance written notice by email and by prominent in-app notice. Under PIPEDA, meaningful consent for material changes to data practices cannot be implied — we will obtain your affirmative consent before applying material changes to your account.
We encourage you to review this Privacy Policy periodically.
11. Security Breach Notification
In the event of a security breach involving personal information under our control, Dash Sign will comply with our mandatory notification obligations under PIPEDA (as amended by the Digital Privacy Act). Specifically:
- Notification to the Privacy Commissioner: We will report any breach of security safeguards that creates a real risk of significant harm to affected individuals to the Office of the Privacy Commissioner of Canada as soon as feasible.
- Notification to affected individuals: We will notify affected individuals directly as soon as feasible when a breach creates a real risk of significant harm (e.g., identity theft, financial loss, physical harm, reputational damage). Notification will be sent to the email address associated with your account or, for Signers, to the email address used in the signing process.
- Breach log: We maintain an internal record of all security breaches, which is available to the Privacy Commissioner upon request.
To report a suspected security vulnerability, please contact security@dashsign.ca.
12. Contact for Privacy Inquiries
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact our Privacy Contact:
Dash Sign Inc. — Privacy Contact
Email: privacy@dashsign.ca
General support: support@dashsign.ca
Website: dashsign.ca
You may also file a complaint with the Office of the Privacy Commissioner of Canada.