Privacy policy

We process personal data to deliver Signoo. Which data we process depends on how you use the service.

If you have an account, we process your email address and optionally your name. These are used for sign-in and to send you confirmations and receipts.

When you sign a document, the document and the signature are read locally in your browser only. In the current version of Signoo, these data do not leave your device, and we do not receive them on our servers.

For paid use, your payment provider (Stripe or Vipps) processes your card details directly. We receive only receipt and invoice data from the provider.

Technical data such as IP address, browser type, and error reports are processed by our error-monitoring provider (Sentry) when something goes wrong. These data are pseudonymous and cannot be tied back to you without additional information that only we hold.

We process personal data on the following grounds.

Account and document data are processed to fulfil the agreement on using Signoo. Without these data we cannot deliver the service.

Your drawn or typed signature is personal data tied to you in the act of signing. We process the signature image on the basis of your express consent at the moment you draw or type the signature. You give that consent by completing the signing yourself.

Payment data are processed to complete the purchase and to meet our bookkeeping and tax obligations.

Technical data and error reports are processed on the basis of our legitimate interest in keeping the service running. We have weighed this processing and conclude it does not unreasonably affect your rights, since the data are pseudonymous and used only for error correction.

We do not keep data longer than needed.

Account data is kept for as long as you have an active account, and is deleted within 30 days after you close the account. You can request deletion at any time (see "Your rights").

Documents and signature images are not stored on our servers in the current version of Signoo. They exist only in your browser while you are working on them.

Payment data is kept for as long as required by the Norwegian Bookkeeping Act, at least five years from the end of the accounting year the transaction belongs to. Some categories of accounting records have longer retention requirements and are kept accordingly.

Technical data and error reports are kept by our error-monitoring provider for 30 days before they are deleted.

We use a few third parties to deliver Signoo. Each is a processor under GDPR Article 28 and is bound by data processing agreements with us.

The website and application are hosted by Vercel Inc., with servers in the EU region. Vercel is US-owned; we use the EU region to reduce the risk of third-country transfer.

The domain name and DNS services are provided by Cloudflare Inc. (also US-owned).

Error monitoring is provided by Sentry, where we use the EU-region project. Sentry receives pseudonymous error reports, not documents or signature data.

Even though we use the EU region for each of these, the parent companies are US-incorporated. After the Schrems II ruling we acknowledge that this does not remove all risk of access by US authorities. We follow developments in the framework for third-country transfers and update this statement when things change.

For an up-to-date list of processors, please contact us by email.

You have the following rights when we process personal data about you.

Access: You can request a copy of the personal data we hold about you.

Rectification: You can ask us to correct inaccurate data.

Erasure: You can ask us to delete your personal data, unless we have a lawful basis to retain it (such as the Norwegian Bookkeeping Act).

Restriction: You can ask us to restrict processing in certain situations.

Portability: You can ask to receive your data in a structured, commonly used, machine-readable format.

Objection: You can object to processing based on legitimate interest.

We do not make automated decisions about you, and we do not use profiling with legal effect.

You can exercise any of these rights by contacting us. We respond within one month under normal circumstances.

If you believe we are processing your personal data in breach of data-protection rules, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet).

Privacy inquiries and requests to exercise the rights described above can be sent to support@dronoo.no.

We will name the formal data controller in a forthcoming update to this statement.

We do not have a designated Data Protection Officer (DPO) at this time, because our processing falls below the threshold at which Datatilsynet requires one.