Privacy Policy
Last updated: March 30, 2026
Dash Sign Inc. ("Dash Sign," "we," "us," or "our") is committed to protecting your privacy and handling your personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.
Our Core Privacy Promise
We store document PDFs, signed files, and verification uploads in private encrypted storage so Dash Sign can deliver the signing service. Access is limited by application permissions, signed URLs, and audit logging.
1. Information We Collect
We collect the following categories of information:
Account Information
- Name and email address provided during registration
- Organization or company name (if provided)
- Account preferences and settings
Signing Activity Metadata
- Document titles and status (draft, pending, completed)
- Timestamps for document creation, viewing, signing, and completion
- Signer names, email addresses, and phone numbers (for SMS OTP)
- IP addresses and device/browser information at the time of signing
- SHA-256 checksums for document integrity verification
Device and Technical Information
- Browser type and version
- Operating system
- IP address
- Pages visited and actions taken within the Service
2. Document and Verification Files
Dash Sign uses private storage, not public file links.
To deliver the service, Dash Sign stores original PDFs, signed PDFs, signer attachments, signature data, and optional photo ID uploads. We protect these files with encryption, time-limited access links, and audit records.
These files may include:
- Document PDFs — original uploads and completed signed files
- Signature and field data — the information needed to render a completed document
- Photo ID images — if identity verification is enabled by the sender
- Signer attachments — supporting files uploaded during the signing flow
We use these files only to operate the service, deliver completed documents, and maintain the associated audit trail.
3. How We Use Information
We use the information we collect for the following purposes:
- Service operation: To provide, maintain, and improve the Dash Sign platform
- Audit trail generation: To create immutable, tamper-proof records of signing activity for legal and regulatory compliance
- Identity verification: To verify signer identity through SMS OTP and photo ID when enabled
- Communication: To send signing notifications, reminders, and service-related emails
- Compliance: To meet regulatory obligations under PIPEDA, FSRA, and UECA
- Security: To detect, prevent, and respond to fraud, abuse, and security incidents
We do not sell, rent, or trade your personal information to third parties. We do not use your data for advertising or marketing profiling.
4. Data Storage and Security
We take the security of your data seriously:
- Encryption at rest: All data is encrypted using AES-256
- Encryption in transit: All connections are secured with TLS 1.3
- Canadian-hosted primary storage: Our primary Supabase database and file storage are configured in the `ca-central-1` region
- Supporting providers: Email, SMS, hosting, and analytics providers may process limited account, messaging, and request data outside Canada
- Infrastructure: We use Supabase for database, authentication, and private file storage
- Access control: Row-level security policies, enforced at the database level, ensure users can access only their own data
- Backups: Automated daily backups with point-in-time recovery
5. Data Retention
We retain audit trail data for a minimum of 6 years in accordance with Financial Services Regulatory Authority of Ontario (FSRA) requirements. This includes:
- Signing timestamps and event logs
- Signer identity verification records
- IP addresses and device information captured during signing
- SHA-256 document integrity checksums
Account data is retained for the duration of your account and for a reasonable period afterward. You may request deletion of your account data at any time, subject to our legal retention obligations.
6. Third-Party Services
We use the following third-party services to operate the platform:
Supabase
Database, authentication, and private file storage provider. Hosts application data, including document files and audit records, in the configured project region.
Resend
Email delivery service for signing notifications and reminders. Receives recipient email addresses and the email content needed to deliver signing links, reminders, and completion notices.
Twilio
SMS OTP delivery for signer identity verification. Receives phone numbers and verification data needed to send and validate one-time passcodes.
Vercel
Hosting and analytics provider. Vercel receives request and performance data needed to serve the application, and Vercel Analytics collects page and device metrics according to its platform documentation.
We configure each provider to receive only the data needed for its role in delivering the service.
7. Your Rights Under PIPEDA
Under PIPEDA, you have the following rights regarding your personal information:
- Right of access: You may request access to the personal information we hold about you
- Right of correction: You may request that we correct any inaccurate or incomplete personal information
- Right of deletion: You may request that we delete your personal information, subject to our legal retention obligations (e.g., 6-year FSRA audit trail retention)
- Right to withdraw consent: You may withdraw your consent for the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions
- Right to complain: You may file a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated
To exercise any of these rights, contact us at support@dashsign.ca. We will respond to your request within 30 days.
8. Cookies and Analytics
We use minimal cookies necessary for the operation of the Service:
- Authentication cookies: Essential cookies to maintain your login session
- Security cookies: Used for CSRF protection and rate limiting
We use Vercel Analytics for website analytics and performance monitoring. According to Vercel's documentation, Analytics collects page, device, referrer, and performance information. We do not use third-party advertising cookies, tracking pixels, or marketing analytics tools.
9. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a minor, please contact us at support@dashsign.ca.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting a notice on our website or by emailing the address associated with your account.
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.
11. Contact for Privacy Inquiries
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us:
You may also file a complaint with the Office of the Privacy Commissioner of Canada.