Privacy Policy
Effective Date: November 28, 2024 Last Updated: January 7, 2026
1. Introduction
This Privacy Policy explains how Signkit OU ("we," "us," or "Signkit") collects, uses, discloses, and protects your personal data when you use our email signature management platform at signkit.io (the "Service").
Signkit is committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
Data Controller: Signkit OU Lasnamae linnaosa, Sepapaja tn 6 15551 Harju Maakond, Tallinn Estonia VAT: EE102686568 Email: help@signkit.io
2. Data We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Full name
- Profile photo (if provided via authentication provider)
2.2 Organization Information
When you create or join an organization, we collect:
- Organization name
- Organization logo
- Organization slug (URL identifier)
- Team member information (names, email addresses)
2.3 Signature Data
When you create email signatures, we collect:
- Employee names
- Job titles
- Email addresses
- Phone numbers
- Physical addresses
- Social media links
- Custom fields you choose to include
2.4 Brand Data
When you use our brand extraction feature, we collect:
- Website URLs you provide
- Extracted brand colors
- Extracted taglines and messaging
- Logo URLs
2.5 Uploaded Assets
When you upload files to the Service, we collect:
- Images (logos, photos, banners)
- File metadata (name, size, type)
2.6 Email Tracking Data
When email tracking is enabled for your organization, we collect:
- IP addresses of email recipients
- User-Agent (device and browser information)
- Referer headers
- Timestamps of email opens and link clicks
- Geographic location (derived from IP address)
2.7 Usage Data
We automatically collect:
- Pages visited within the Service
- Features used
- Error logs
- Performance metrics
2.8 Analytics Data
We use PostHog for product analytics and Google Analytics 4 (GA4) for marketing attribution. When you consent to analytics, we collect:
- Pages visited and features used
- Click events and user interactions
- Session duration and engagement metrics
- Device type, browser, and operating system
- Approximate location (country/region derived from IP address)
- Traffic sources and referral paths (GA4)
- Marketing campaign attribution (GA4)
PostHog: Processes data in the European Union (eu.i.posthog.com). Google Analytics 4: Uses Consent Mode v2, meaning no data is collected until you explicitly consent. IP addresses are anonymized before storage.
2.9 SEO and Search Data
We use Google Search Console to monitor how our website appears in Google search results. This is a server-side tool that does not place cookies on your device. Data collected includes:
- Search queries that led users to our website
- Page impressions and click-through rates
- Search ranking positions
This data is aggregated and not linked to individual users.
2.10 Support Chat Data
When you use our live chat support (powered by Chatwoot), we collect:
- Your name and email address (from your account)
- Chat conversation history
- Current page when initiating chat
- Timestamp of conversations
2.11 Billing Data
When you subscribe to a paid plan, our payment processor (Polar) collects:
- Organization identifier
- Subscription plan and billing cycle
- Payment method information
- Transaction history
We do not store complete credit card numbers or sensitive payment data directly.
2.12 Marketing Automation Data
With your consent, we may sync certain data to our marketing platform (Mautic) for email communications:
- Email address and name
- Signup date and activity history
- Subscription plan (if applicable)
- Key product events (signature created, campaign launched)
3. How We Use Your Data
We process your personal data for the following purposes:
| Purpose | Legal Basis (GDPR Article 6) |
|---|---|
| Providing the Service (account management, signature generation) | Performance of contract |
| Authentication and security | Performance of contract |
| Email tracking and analytics | Legitimate interest |
| Product analytics (PostHog) | Consent |
| Marketing analytics (Google Analytics) | Consent |
| SEO monitoring (Google Search Console) | Legitimate interest (aggregated data) |
| Billing and subscriptions (Polar) | Performance of contract |
| Customer support (Chatwoot) | Performance of contract |
| Service improvement and debugging | Legitimate interest |
| Legal compliance | Legal obligation |
| Marketing communications (Mautic) | Consent |
3.1 Email Tracking Disclosure
Our Service includes optional email tracking features that allow organizations to measure signature engagement:
Impression Tracking: When enabled, a small transparent image (1x1 pixel) is embedded in email signatures. When an email is opened and images are loaded, this records an "open" event.
Click Tracking: When enabled, links in signatures are routed through our tracking service to record clicks before redirecting to the destination URL.
Data Collected: IP address, device type, browser, approximate location, and timestamp.
Control: Organization administrators can enable or disable tracking features. Individual signature recipients cannot opt out directly, as tracking is controlled at the organizational level.
4. Data Sharing and Third Parties
We share your data with the following categories of third parties:
4.1 Service Providers (Sub-processors)
For a complete list of our sub-processors including data transfer mechanisms, see our Sub-processors page.
| Provider | Purpose | Location | Data Processed |
|---|---|---|---|
| Clerk | Authentication | United States | Email, name, profile photo |
| Hetzner | Cloud hosting (Kamal) | Germany (EU) | All Service data |
| Cloudflare R2 | File and asset storage | EU (auto) | Uploaded images, logos, signatures |
| Neon | Database hosting | EU (Frankfurt) | All Service data |
| PostHog | Product analytics | EU (Frankfurt) | User ID, events, pageviews, IP address |
| Google Analytics (GA4) | Marketing analytics | United States | Page views, user journey, conversions, IP address (anonymized); only with consent |
| Google Search Console | SEO monitoring | United States | Search queries, page rankings, impressions (aggregated, server-side) |
| Sentry | Error tracking and monitoring | Germany (EU) | Error logs, stack traces, user context |
| Polar | Billing and subscriptions | EU | Organization ID, subscription data |
| Chatwoot | Live chat support | Self-hosted (EU) | User ID, name, email, chat history |
| Mautic | Marketing automation | Self-hosted (EU) | Email, name, activity data |
| Resend | Transactional email | United States | Email addresses, email content (welcome emails, notifications) |
| Firecrawl | Website scraping for brand data | United States | Website URLs you provide for brand extraction; scraped content is used only for color/logo/messaging extraction and not stored long-term |
| OpenAI | AI-generated campaign copy | United States | Company name, industry, website content snippets for generating campaign suggestions; data is not used to train models |
| Logo.dev, Clearbit | Logo resolution | United States | Domain names for logo lookup; no personal data is shared |
4.2 Legal Requirements
We may disclose your data when required by law, legal process, or government request.
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity.
5. International Data Transfers
Your data may be transferred to and processed in the United States and other countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs with our US-based sub-processors.
- Adequacy Decisions: Where applicable, we rely on EU adequacy decisions.
6. Data Retention
We retain your data for the following periods:
| Data Type | Retention Period | Justification |
|---|---|---|
| Account data | Until account deletion + 30 days | Account recovery |
| Organization data | Until organization deletion + 30 days | Backup recovery |
| Signature data | Until signature deletion | Active use |
| Tracking data (impressions/clicks) | 24 months | Analytics reporting |
| Analytics data (PostHog) | 13 months | Product improvement |
| Analytics data (Google GA4) | 14 months | Marketing attribution |
| Chat transcripts (Chatwoot) | 24 months | Support continuity |
| Marketing data (Mautic) | Until unsubscribe + 30 days | Email compliance |
| Uploaded assets | Until deletion by user | Active use |
| Support communications | 36 months | Support history |
| localStorage (landing page) | 7 days | Signup flow |
| Billing records | 7 years | Estonian tax law |
| Admin audit logs | 24 months | Security and compliance |
| Campaign ideas (AI-generated) | Until dismissed | User control |
After the retention period, data is permanently deleted or anonymized.
7. Your Rights (GDPR Articles 15-22)
As a data subject in the EU/EEA, you have the following rights:
7.1 Right to Access (Article 15)
You can request a copy of all personal data we hold about you.
7.2 Right to Rectification (Article 16)
You can request correction of inaccurate or incomplete data.
7.3 Right to Erasure (Article 17)
You can request deletion of your personal data ("right to be forgotten").
7.4 Right to Restrict Processing (Article 18)
You can request that we limit how we use your data.
7.5 Right to Data Portability (Article 20)
You can request your data in a structured, machine-readable format.
How to request a data export: Email help@signkit.io with "Data Export Request" in the subject line. We will provide your data in JSON format within 30 days. Exports include your account information, organization data, signatures, templates, and campaign data.
7.6 Right to Object (Article 21)
You can object to processing based on legitimate interests, including email tracking.
7.7 Right to Withdraw Consent (Article 7)
Where processing is based on consent, you can withdraw it at any time.
To exercise your rights: Email us at help@signkit.io with your request. We will respond within 30 days.
8. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit (TLS 1.2+)
- Encryption at rest
- Access controls and authentication
- Regular security assessments
- Secure development practices
- Employee training
9. Cookies and Local Storage
9.1 Essential Cookies
We use essential cookies for authentication and session management:
- Clerk authentication cookies (session persistence)
- CSRF protection tokens
9.2 Analytics Cookies
We use PostHog for product analytics and Google Analytics 4 for marketing attribution. Analytics cookies require your explicit consent before activation:
- PostHog session and user identification cookies
- Google Analytics cookies (_ga, ga<ID>, _gid)
- These help us understand how you use the Service and measure marketing effectiveness
- Analytics are disabled by default until you consent via our Cookie Settings banner
9.3 Local Storage
We use browser localStorage to:
- Save your signature builder progress on the landing page (7-day retention)
- Store recent search history within the app
- Maintain user interface preferences
For full details, see our Cookie Policy.
10. Children's Privacy
The Service is not intended for children under 16. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on our website
- Sending an email notification to account holders
12. Contact Us
For privacy-related inquiries or to exercise your rights:
Signkit OU Lasnamae linnaosa, Sepapaja tn 6 15551 Harju Maakond, Tallinn Estonia
Email: help@signkit.io
13. Supervisory Authority
If you are in the EU/EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.
For Estonia: Andmekaitse Inspektsioon (Data Protection Inspectorate) Tatari 39, 10134 Tallinn Website: www.aki.ee