Login
Start for Free
Login
Start

Privacy Policy

Privacy Notice – Covosign

1. Controller and Processor Roles

SMITH & FRIDAY PTE. LTD 
160 Robinson Road, #14-04, Singapore Business Federation Center, Singapore 068914 

SMITH & FRIDAY PTE. LTD is established in Singapore and maintains an operational establishment in Berlin, Germany. Personal data processed in connection with the Service is processed in the context of the activities of this EU establishment within the meaning of Art. 3(1) GDPR. 

 

We act in two capacities 

a) As Controller  

For personal data relating, for example, to: 

            • Account registration and administration  
            • Billing and contract management  
            • Website usage  
            • Security and operational monitoring  
            • Compliance and corporate governance  

 

b) As Processor  

Where customers upload documents and initiate signature workflows involving personal data of third parties (e.g. signatories), we process such data strictly on behalf of and under the instructions of the respective customer acting as Controller. In such cases, processing is governed by a separate data processing agreement pursuant to Art. 28 GDPR. 

 
E-Mail for any data-protection related questions: privacy@covosign.com 

 

 

2. Scope of this Privacy Notice

This Privacy Notice applies to the use of the electronic signature software-as-a-service platform (the “Service”), including: 

      • creation, upload, management and signing of documents; 
      • invitation and authentication of signatories; 
      • audit trails, logs and evidentiary records; 
      • customer support and account administration; 
      • billing and contract management; 
      • technical operation, security and compliance of the Service. 


Where customers use the Service to process personal data of third parties (e.g. signatories, employees, clients), the customer acts as “Controller” and we act as “Processor” within the meaning of Art. 28 GDPR, based on a separate data processing agreement. 

 

 

3. Categories of Personal Data

Depending on usage, we may process in particular: 

Account and contact data 

        • Name, company, role 
        • Email address, telephone number 
        • Login credentials (hashed passwords, authentication tokens) 


Document and transaction data 

        • Uploaded documents and their contents 
        • Signature data (timestamp, IP address, device metadata) 
        • Audit trails, verification logs, hash values 
        • Communication metadata related to invitations and reminders 


Verification data 

        • Email verification data 
        • Mobile phone number and SMS verification metadata (delivery status, timestamp) 


Usage and technical data 

        • IP address 
        • Date and time of access 
        • Browser, device, operating system 
        • Log files, error logs, security events 


Billing and contract data 

        • Invoices, payment status 
        • Contractual correspondence 

 

 

4. Purposes and Legal Basis

We process personal data for the following purposes: 

1. Provision of the Service 
Operation of the platform, document processing, signature workflows, authentication, audit trails and evidentiary records. 
Legal basis: Art. 6(1)(b) GDPR (performance of contract). 


2. Account administration and customer support 
User management, support requests, incident handling and service communications. 
Legal basis: Art. 6(1)(b) GDPR; Art. 6(1)(f) GDPR (legitimate interest in stable operation and support). 


3. Verification and security 
Email and SMS verification, abuse prevention, fraud prevention, system integrity and traceability. 
Legal basis: Art. 6(1)(f) GDPR; where required Art. 6(1)(b) GDPR. 


4. IT security, system stability and monitoring 
Logging, monitoring, troubleshooting and protection against attacks or misuse. 
Legal basis: Art. 6(1)(f) GDPR. 


5. Legal compliance and evidentiary retention 
Compliance with statutory retention duties, defense of legal claims, auditability of signature processes. 
Legal basis: Art. 6(1)(c) GDPR; Art. 6(1)(f) GDPR. 


6. Billing and accounting 
Invoicing, payment processing and bookkeeping. 
Legal basis: Art. 6(1)(b) GDPR; Art. 6(1)(c) GDPR. 

 

 

5. GoogleAnalytics 

Google Analytics is used exclusively on our public website and is not active within document processing areas or signature workflows of the Service. 

Processing is based solely on prior consent (Art. 6(1)(a) GDPR). 

Users may withdraw consent at any time via consent settings. 

 

 

6. Recipients andService Providers 

Personal data may be shared with the following processors and service providers: 

      • Hetzner Online GmbH – Germany 
        Data hosting and application infrastructure (EU hosting). 
      • Amazon Web Services EMEA SARL – EU 
      • S3: document storage 
      • SES: transactional email delivery 
      • DING SAS (Prelude) – France 
        Mobile messaging and SMS delivery. 
      • Stripe – United States / EU operations 
        Payment processing and billing. Stripe provides services in the EU; no data transfer to Singapore is performed. Stripe acts as an independent controller for payment processing under its own privacy policy. 

 

Where we process personal data on behalf of customers, the relevant service providers listed above may act as sub-processors within the meaning of Art. 28(4) GDPR. 
 

All processors are contractually bound under Art. 28 GDPR and process data solely on our instructions. 

 

 

7. International Data Transfers

Where personal data is transferred outside the EU/EEA, transfers are safeguarded by: 

      • adequacy decisions of the European Commission (where applicable), and/or 
      • Standard Contractual Clauses (SCCs), and 
      • supplementary technical and organizational safeguards where required. 


Infrastructure hosting for the Service is configured in EU regions. Administrative access is restricted in accordance with internal access control policies and limited to authorized personnel. 

Further details may be requested via privacy@covosign.com 

 

 

8. Storage and Retention

Personal data is stored only as long as necessary for the respective purposes and contractual relationship. 

User accounts and documents 

      • Accounts and uploaded documents are retained for the duration of the contractual relationship and thereafter for a limited grace period or until deletion is requested by the customer, subject to statutory retention obligations. 
      • Customers may continue to access their data in a non-paying status, subject to the applicable terms. 
      • Deletion of documents and account data occurs upon termination of the contractual relationship and/or upon explicit request by the customer by email to: privacy@covosign.com. 


Billing and accounting data 

      • Retained in accordance with statutory retention obligations (typically 6–10 years). 


Technical logs and security data 

      • Log data is retained for defined retention periods based on operational and security requirements. 
      • Retention periods are regularly reviewed and do not exceed what is necessary for security monitoring, fraud prevention and incident investigation. 


After expiry of applicable retention periods or upon valid deletion request, data is deleted or anonymized unless further storage is legally required. 

 

 

9. Data Subject Rights

You have the right to: 

      • access (Art. 15 GDPR), 
      • rectification (Art. 16 GDPR), 
      • erasure (Art. 17 GDPR), 
      • restriction of processing (Art. 18 GDPR), 
      • data portability (Art. 20 GDPR), 
      • objection to processing based on legitimate interests (Art. 21 GDPR), 
      • withdrawal of consent at any time (Art. 7(3) GDPR), 
      • lodge a complaint with a supervisory authority (Art. 77 GDPR). 


Requests can be submitted using the contact details stated above. 

Where we act as Processor, requests should primarily be addressed to the respective Controller. 

 

 

10. Security Measures

We apply appropriate technical and organizational measures, including in particular: 

      • TLS for data in transit, 
      • access controls and role-based permissions (JWT / API key + rate limiting / IP allowlist) 
      • logging and monitoring, 
      • backup and recovery mechanisms, 
      • regular security updates and vulnerability management. 

 

 

11. Processor Role – Customer Data

Where customers upload documents containing personal data of third parties and invite signatories, the customer remains the controller and is responsible for providing appropriate privacy information to the affected data subjects. 

Processing by us is governed by a data processing agreement in accordance with Art. 28 GDPR. 

 

 

12. Updates

This Privacy Notice may be updated from time to time to reflect legal, technical or operational changes. The current version is made available within the Service or on our website.