Privacy Policy

Dash Sign Inc. ("Dash Sign," "we," "us," or "our") is committed to protecting your privacy and handling your personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5, as amended. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.

In accordance with PIPEDA Principle 1 (Accountability), Dash Sign Inc. has designated a Privacy Contact responsible for our compliance with this policy and applicable privacy law. To reach our Privacy Contact, email hello@dashsign.ca with the subject line "Privacy Inquiry."

1. Information We Collect

We collect the following categories of information:

Account Information

• Name and email address provided during registration
• Organization or company name (if provided)
• Account preferences and settings

Signing Activity Metadata

• Document titles and status (draft, pending, completed)
• Timestamps for document creation, viewing, signing, and completion
• Signer names, email addresses, and phone numbers (for SMS OTP)
• IP addresses and device/browser information at the time of signing
• SHA-256 checksums for document integrity verification

Device and Technical Information

• Browser type and version
• Operating system
• IP address
• Pages visited and actions taken within the Service

2. Document and Verification Files

These files may include:

• Document PDFs — original uploads and completed signed files
• Signature and field data — the information needed to render a completed document
• Photo ID images — government-issued identification uploaded by signers when the document sender has enabled identity verification. Photo ID is sensitive personal information. It is collected solely for identity verification purposes, stored encrypted alongside the audit trail, and retained for the applicable regulatory period (minimum 6 years). Signers are presented with an explicit consent notice before being asked to upload a photo ID. The decision to require photo ID verification is made by the document sender, not by Dash Sign.
• Signer attachments — supporting files uploaded during the signing flow

We use these files only to operate the Service, deliver completed documents, and maintain the associated audit trail. We do not analyze the substantive content of documents.

3. How We Use Information

We use the information we collect for the following purposes:

• Service operation: To provide, maintain, and improve the Dash Sign platform
• Audit trail generation: To create immutable, tamper-proof records of signing activity for legal and regulatory compliance
• Identity verification: To verify signer identity through SMS OTP and photo ID when enabled
• Communication: To send signing notifications, reminders, and service-related emails
• Compliance: To meet regulatory obligations under PIPEDA, FSRA, and UECA
• Security: To detect, prevent, and respond to fraud, abuse, and security incidents

We do not sell, rent, or trade your personal information to third parties. We do not use your data for advertising or marketing profiling.

4. Data Storage and Security

We take the security of your data seriously:

• Encryption at rest: Our database and private file storage rely on managed platform encryption at rest, with application-level encryption applied to selected sensitive PII fields where configured.
• Encryption in transit: Connections are secured with HTTPS/TLS.
• Canadian-hosted primary storage: Our primary application database and private file storage are configured for Canadian-hosted infrastructure
• Cross-border data transfers: Limited operational providers may process recipient contact information, signing notifications, OTP delivery data, request logs, analytics, or performance data outside Canada. By using the Service, you acknowledge that certain personal information may be transferred to and processed in other jurisdictions, where privacy laws may differ from those in Canada and where information may be subject to access by foreign government authorities under applicable law. We configure each provider to receive only the minimum data necessary for its role.
• Access control: Row-level security policies ensure users can only access their own data at the database level
• Backups: Automated daily backups with point-in-time recovery

5. Data Retention

We retain personal information only as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Specific retention periods:

• Audit trail data (signing timestamps, event logs, signer identity verification records, IP addresses, device information, SHA-256 document checksums): Retained for a minimum of 6 years to satisfy applicable legal and regulatory obligations, including but not limited to requirements applicable to regulated financial services customers under the Financial Services Regulatory Authority of Ontario (FSRA). Other regulatory, contractual, or legal requirements may mandate longer retention depending on the document type.
• Document files (original PDFs, signed PDFs, photo IDs, attachments): Retained for the duration of your account and for the applicable regulatory period thereafter, consistent with audit trail retention.
• Account data (name, email, organization, preferences): Retained for the duration of your account and for 90 days following account closure, after which it is permanently deleted except where subject to a legal retention obligation.

You may request deletion of your personal information at any time. We will fulfill deletion requests within 30 days, subject to our legal retention obligations. Data subject to a legal retention obligation will be retained for the required period and then deleted.

6. Third-Party Services

We use carefully scoped operational providers to run the platform without disclosing proprietary infrastructure details publicly:

We configure each provider to receive only the minimum data needed for its role in delivering the Service. Some providers may process data outside Canada, subject to local law (see Section 4). We maintain data processing agreements or equivalent contractual protections with each provider.

7. Your Rights Under PIPEDA

Under PIPEDA, you have the following rights regarding your personal information:

• Right of access: You may request access to the personal information we hold about you
• Right of correction: You may request that we correct any inaccurate or incomplete personal information
• Right of deletion: You may request that we delete your personal information, subject to our legal retention obligations (e.g., 6-year FSRA audit trail retention)
• Right to withdraw consent: You may withdraw your consent for the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions
• Right to complain: You may file a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated

To exercise any of these rights, contact us at hello@dashsign.ca. We will respond to your request within 30 days.

Rights of Signers

Individuals who sign documents through Dash Sign ("Signers") are not required to create an account, but have the same rights under PIPEDA as account holders with respect to their personal information collected during the signing process (name, email, phone number, IP address, device information, and photo ID where applicable). Signers may exercise any of the rights listed above by contacting our Privacy Contact at hello@dashsign.ca.

Note: Some signer data forms part of the legally required audit trail and cannot be deleted during the applicable retention period. We will explain which data is subject to retention obligations when responding to a deletion request.

8. Cookies and Analytics

We use minimal cookies necessary for the operation of the Service:

• Authentication cookies: Essential cookies to maintain your login session
• Security cookies: Used for CSRF protection and rate limiting

We use privacy-focused analytics to understand aggregate usage patterns and application performance. Analytics may collect page view data, device type, browser type, referrer information, and performance metrics. This data is used solely for operating and improving the Service. We do not use third-party advertising cookies, tracking pixels, or marketing analytics tools.

9. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a minor, please contact us at hello@dashsign.ca.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We distinguish between:

• Minor or administrative changes (clarifications, contact updates): We will post the updated Policy with a revised date. Your continued use of the Service constitutes acceptance.
• Material changes(changes to what personal information we collect, how we use it, who we share it with, or your rights): We will provide at least 30 days' advance written notice by email and by prominent in-app notice. Under PIPEDA, meaningful consent for material changes to data practices cannot be implied — we will obtain your affirmative consent before applying material changes to your account.

We encourage you to review this Privacy Policy periodically.

11. Security Breach Notification

In the event of a security breach involving personal information under our control, Dash Sign will comply with our mandatory notification obligations under PIPEDA (as amended by the Digital Privacy Act). Specifically:

• Notification to the Privacy Commissioner: We will report any breach of security safeguards that creates a real risk of significant harm to affected individuals to the Office of the Privacy Commissioner of Canada as soon as feasible.
• Notification to affected individuals: We will notify affected individuals directly as soon as feasible when a breach creates a real risk of significant harm (e.g., identity theft, financial loss, physical harm, reputational damage). Notification will be sent to the email address associated with your account or, for Signers, to the email address used in the signing process.
• Breach log: We maintain an internal record of all security breaches, which is available to the Privacy Commissioner upon request.

To report a suspected security vulnerability, please contact hello@dashsign.ca.

12. Contact for Privacy Inquiries

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact our Privacy Contact:

You may also file a complaint with the Office of the Privacy Commissioner of Canada.