Privacy Policy

Effective date: March 25, 2026

Agent Xero Sign (“we”, “us”, or “our”) operates a cryptographically verified electronic signature platform. This Privacy Policy explains what information we collect, how we use it, where it is stored, and your rights with respect to that information. By using our platform you agree to the practices described here.

01 Data We Collect

We collect the following categories of information to operate the signing service:

  • Identity data — full name and email address provided when a signing request is sent to you or when you register as a sender.
  • Phone number — collected optionally for SMS one-time-password (OTP) verification when phone-based authentication is enabled for a request.
  • IP address hash — a one-way SHA-256 hash of your IP address, recorded at each authentication and signing event. The original IP is never stored.
  • Electronic signatures and initials — PNG images of drawn signatures or initials you create during the signing flow.
  • Field capture data — typed text, dates, checkboxes, and other form-field values you complete in a document. Sensitive fields are encrypted at rest using AES-256-GCM.
  • Documents — the PDF documents submitted for signing, both the original and the completed, signed versions.
  • Audit trail events — timestamped records of every action taken during a signing workflow (OTP verified, field completed, document signed, etc.) forming the legally required audit trail.
  • Session data — short-lived HMAC-signed session tokens stored in HttpOnly cookies to authenticate returning users.

02 How We Use Your Data

We use collected information solely to:

  • Execute the signing workflow — authenticate signers, present documents, collect signatures, and generate the completed signed PDF.
  • Send transactional notifications — email and SMS messages required by the signing process (OTP codes, completion notices, signed-copy delivery).
  • Maintain the audit trail — record a tamper-evident, hash-chained log of all signing events to satisfy legal requirements under the ESIGN Act and UETA.
  • Detect and prevent abuse — rate limiting and IP-hash-based anomaly detection to protect the platform and its users.
  • Comply with legal obligations — retaining signed documents and audit evidence for the legally required retention period.

We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes.

03 Data Storage & Security

All data is stored within Cloudflare’s global infrastructure:

  • Cloudflare D1 (SQLite) — structured records including signing requests, signer identity, OTP credentials, and the audit chain. PII fields (signer names, email addresses, field capture text) are encrypted at rest using AES-256-GCM when a data encryption key is configured.
  • Cloudflare R2 (Object Storage) — binary blobs including original PDFs, signed PDFs, audit-trail PDFs, and signature/initials PNG images. Objects are stored with server-side encryption.
  • Cloudflare KV — ephemeral data including rate-limit counters and session state. Values expire automatically and are never persisted beyond their TTL.

All data in transit is protected by TLS 1.3. Session cookies are HttpOnly, Secure, and SameSite=Strict. IP addresses are hashed with SHA-256 before storage and are not recoverable.

04 Third-Party Services

We use a minimal set of third-party processors, each bound by data processing agreements:

  • Resend — transactional email delivery. Resend receives the recipient’s email address and the email content (OTP codes, signing notifications, completed-document attachments). Resend does not retain message content after delivery.
  • Twilio Verify — SMS one-time-password delivery. When phone verification is used, your phone number is sent to Twilio solely to deliver the OTP code. Twilio does not retain it for other purposes.
  • Cloudflare Turnstile — optional bot protection challenge rendered during the signing flow. Turnstile does not set cookies or fingerprint users; it uses a privacy-preserving proof-of-work mechanism.

05 Data Retention

  • Signed documents and audit trails — retained for 7 years from the date of signing. This period is required to satisfy ESIGN Act record-keeping obligations and typical contract limitation periods.
  • Authentication sessions — signer sessions expire after 7 days of inactivity. Admin sessions expire after 24 hours. Expired session records are deleted opportunistically.
  • OTP codes — expire after 10 minutes and are deleted immediately after successful verification.
  • Voided or failed requests — retained for 90 days, after which metadata is purged (documents are deleted immediately on void).
  • Rate-limit counters and KV state — expire automatically per their TTL (typically 60 seconds to 24 hours). Never persisted to durable storage.

06 Your Rights

Depending on your jurisdiction, you may have rights regarding your personal data. Regardless of jurisdiction, we will honor the following requests upon written request to the contact address below:

  • Access — request a copy of the personal data we hold about you, including signing events and audit entries associated with your email address.
  • Deletion (Right to Erasure) — request deletion of your personal data. Where the data is part of a legally required audit trail (signed documents), we will anonymize your identifying information rather than delete the audit record itself, to preserve the chain of evidence while removing your PII.
  • Portability — request an export of your signing data in machine-readable format (JSON).
  • Correction — request correction of inaccurate personal data (e.g., a misspelled name). Note: corrections to a legally executed signed document are not possible without voiding and re-executing the document.
  • Objection — object to processing of your data. We will cease processing except where we have a legal obligation or legitimate interest that overrides your objection.

To submit a data subject request, email privacy@agent-xero.com with the subject line “Data Subject Request” and include the email address associated with your account.

07 ESIGN Act & UETA Compliance

Agent Xero Sign is designed to satisfy the requirements of the Electronic Signatures in Global and National Commerce Act (ESIGN, 15 U.S.C. § 7001 et seq.) and the Uniform Electronic Transactions Act (UETA):

  • Consent — each signer provides explicit electronic consent before signing via a dedicated ESIGN disclosure step.
  • Intent — signatures are captured through a deliberate drawn, typed, or uploaded act by the signer.
  • Attribution — each signature is associated with a verified email address and/or phone number, and tied to an IP-hash-based audit event.
  • Record retention — signed documents and audit trails are retained in durable, tamper-evident storage for 7 years.
  • Access to records — all parties receive an email copy of the completed, signed PDF immediately upon completion.

08 Contact & Updates

Questions, concerns, or data subject requests may be directed to:

Agent Xero / AS Group

Email: privacy@agent-xero.com

Website: agent-xero.com

We may update this Privacy Policy from time to time. Material changes will be announced via the platform and the effective date at the top of this page will be updated. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
