Privacy Policy
Effective date: 15/5/2026
1. Introduction
Welcome to SignToSee, operating under the commercial brand of Penserini & Vankan VOF (hereinafter referred to as "SignToSee", "us", "we", or "our").
Our Privacy Policy governs your visit to https://www.signtosee.eu, and explains how we collect, safeguard, and disclose information that results from your use of our Service. SignToSee is a document workflow and digital access terms tracking platform. Because our core function involves generating access audit logs, we handle data with strict adherence to the European General Data Protection Regulation (GDPR).
By using our Service, you agree to the collection and use of information in accordance with this policy.
2. Definitions
SERVICE means the SignToSee platform and website.
CUSTOMER (DATA CONTROLLER): The business, freelancer, or entity that creates an account with us to protect their links. For the files and links protected by the Service, the Customer is the Data Controller.
SIGNER / RECIPIENT (DATA SUBJECT): The third-party individual who clicks a SignToSee link, signs the confidentiality agreement, and accesses the protected content.
SIGNTOSEE (DATA PROCESSOR / CONTROLLER): We act as a Data Processor when facilitating the signature and access gate on behalf of our Customers. We act as a Data Controller for our Customers' account and billing information.
ACCESS LOG: The immutable cryptographic log generated when a Signer accesses a protected link, containing timestamps, IP addresses, and user-agent data.
3. Information Collection and Use
We collect specific, minimized types of information to provide our Service, process billing, and generate a verifiable access and acceptance record for B2B confidentiality workflows.
4. Types of Data Collected
4.1 Customer Account Data (For Users Who Register)
To operate your account, we may ask you to provide personally identifiable information, including:
Email address
Password (cryptographically hashed)
Company name (required)
Business Name and VAT Number (for B2B billing)
Billing Address (Street & Number, City, ZIP Code, Country)
4.2 Access Log Data (For Signers / Recipients)
When a Signer accesses a protected link, we automatically collect data to generate the eIDAS-compliant access and audit log. This includes:
The Signer's submitted Email Address (if email verification is enabled)
IP Address (stored encrypted at rest using envelope encryption)
Browser type, version, and User-Agent metadata
Approximate Geographical Location / Country (derived via GeoIP for region-locked link compliance)
Exact timestamps of link access, email verification, and digital signature execution
Cryptographic SHA-256 Hashed Email representation for security lookup
Cryptographic Envelope Encryption Keys (Per-Signer Data Encryption Keys)
Cryptographic block hashes (previous and current mathematical hashes) verifying the integrity of the audit chain
Hashed representation of the signed agreement (SHA-256 hash of the exact NDA or access terms presented at the moment of execution)
The Signer's IP address (system IP routing data) is logged exclusively for fraud prevention, security, and the generation of eIDAS-compliant access logs. We process user access timestamps and system IP routing data — not invasive tracking data. We do not use signer IP addresses for marketing, profiling, or unrelated analytics. Signer IP records are retained for as long as the underlying access record remains valid, and longer only where required to establish, exercise, or defend legal claims.
4.3 Hosted File Data (Sentinel + & Guardian Tiers Only)
For Customers on the Sentinel + and Guardian tiers utilizing our 5GB dedicated file hosting, we store the uploaded files on our servers. While these files are stored securely and encrypted at rest, they do not benefit from the same zero-knowledge client-side decryption architecture that governs our URL routing gateway (where key material remains strictly client-side). We do not inspect, mine, or access the contents of these files unless required by law or a DMCA/copyright takedown request. Note: For Scout and Sentinel tiers, we operate strictly as a zero-knowledge URL gateway and do not host or see the underlying destination files (e.g., your Figma or Notion workspaces).
4.4 Tracking and Cookies
We utilize minimal, privacy-first session cookies necessary to operate the Service (e.g., keeping you logged in). We do not use third-party advertising tracking cookies (such as Meta Pixel or Google Ads trackers) that sell your data to external brokers.
5. Use of Data
SignToSee uses the collected data for various purposes:
To provide and maintain our Service, including URL routing and decryption.
To generate and preserve immutable access logs for our Customers.
To notify you about changes to our Service or infrastructure.
To provide customer support and technical maintenance.
To process payments via Mollie.
To detect, prevent, and address technical fraud or bot abuse.
6. Retention of Data & The Article 17(3)(e) Legal Exception
6.1 Customer Account Data: We retain Customer Personal Data only for as long as is necessary for the purposes set out in this policy, or to comply with European tax and accounting laws (typically 7 years for billing records).
6.2 Access Log Retention (Crucial): The fundamental purpose of SignToSee is to provide our Customers with a verifiable record that a specific individual accessed protected content and accepted the access terms. Therefore, Access Log Data (user access timestamps, system IP routing data, access records) is retained for as long as operationally necessary to protect the Customer.
If a Signer requests the deletion of their personal data under the GDPR Right to Erasure (Article 17), SignToSee reserves the right to deny the deletion of the Access Log under the explicit exception provided in GDPR Article 17(3)(e): "for the establishment, exercise or defence of legal claims."
7. EU Data Sovereignty and Transfer of Data
SignToSee is built on the principle of European Data Sovereignty.
Your information, including Personal Data and Hosted Files, is processed and maintained on servers located entirely within the European Union (e.g., via Scaleway in France). We actively avoid hyperscalers subject to the US CLOUD Act (AWS, Google Cloud) for our core hosting to protect your intellectual property from foreign extraterritorial jurisdiction.
If we utilize third-party sub-processors located outside the EU, we ensure strict compliance with the GDPR via Standard Contractual Clauses (SCCs).
8. Disclosure of Data
We may disclose personal information under the following circumstances:
To the Customer: Access Log data belonging to a Signer is fully visible and exportable by the Customer who generated the protected link.
Law Enforcement: Under certain circumstances, we may be required to disclose data if required by Belgian or EU law, or in response to valid requests by public authorities.
Business Transaction: If SignToSee is involved in a merger or acquisition.
9. Security of Data
We utilize advanced cryptographic measures, SSL/TLS transit encryption, and secure database architecture to protect your data. However, remember that no method of transmission over the Internet or method of electronic storage is 100% secure.
10. Your Data Protection Rights Under GDPR
If you are a resident of the European Economic Area (EEA), you have certain data protection rights. We aim to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data.
If you wish to be informed what Personal Data we hold about you, email us at support@signtosee.eu.
You have the right to:
Access, update, or delete the information we have on you (Subject to the Article 17(3)(e) exception outlined in Section 6.2).
Rectification of inaccurate information.
Object to or Restrict processing.
Data Portability.
Please note that we will ask you to verify your identity before responding to such requests. If you are a Signer/Recipient requesting deletion of an Access Log, we will direct your request to the Customer (the Data Controller), but we will advise them of their right to retain the log for their compliance records.
11. Data Processors and Service Providers
We employ specialized third-party EU-compliant companies to facilitate our Service:
Hosting & Infrastructure: Scaleway (France)
Email Automation: Brevo (France)
Payment Processing: Mollie (Netherlands)
Invoicing & Accounting: Moneybird (Netherlands)
Analytics: Privacy-first analytics (e.g., Plausible or Ghost CMS logs) that do not use invasive tracking cookies.
12. Payments and B2B Invoicing
We use third-party services for payment processing and B2B VAT invoicing. We do not store or collect your payment card details on our servers. That information is provided directly to our payment processing provider, Mollie, and our invoicing platform, Moneybird, whose use of your personal information is governed by their respective Privacy Policies and strict security standards.
13. Children's Privacy
Our Services are strictly for B2B professional use and are not intended for anyone under the age of 18. We do not knowingly collect personally identifiable information from children.
14. Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Effective date."
15. Contact Us / Company Information
If you have any questions about this Privacy Policy or your GDPR rights, please contact us:
Commercial Brand: SignToSee
Legal Entity: Penserini & Vankan VOF
Enterprise Number (KBO): BE 1036.515.175
Email: support@signtosee.eu