1. Introduction
Sign Zone (“Sign Zone”, “we”, “us”, “our”) is a document signing platform operated by Kredo Analytics, based in Bengaluru, Karnataka, India.
This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use Sign Zone. It is governed by the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000, and applicable rules made thereunder.
By using Sign Zone, you consent to the practices described in this policy.
2. Information We Collect
2.1 Account Information
When you create an account on Sign Zone, we collect:
- Full name
- Email address
- Phone number (optional)
- Password (stored as a hashed value — we never see or store your plaintext password)
- Profile photo / avatar (optional)
- Wallet balance
2.2 Document Content
When you upload documents for signing, we process:
- The PDF file you upload (stored on our servers in your account)
- Signature zone placements (coordinates on each page)
- Document metadata (title, signing order, status, timestamps)
- The final signed PDF (with auto-appended audit trail certificate)
You retain full ownership of your documents.
2.3 Signer Information
When you send a document for signing, we process the following data about each signer (on your behalf, as the Data Fiduciary):
- Signer name and email
- IP address and user agent (browser / device) at the time of signing
- One-Time Password (OTP) — generated, sent via email, and automatically deleted upon use or expiry
- Signature data — hand-drawn strokes (vector data) or uploaded signature image; included in the final signed PDF
- Timestamps for every action (viewed, signed, rejected, downloaded)
- Signing method used (OTP / draw / upload)
2.4 Payment Information
Payments are processed by Razorpay. We do not store your card details, UPI handles, or bank account information on our servers. We retain only transaction metadata (amount, date, status, Razorpay transaction ID) for accounting, GST compliance, and audit purposes.
2.5 Technical & Activity Data
- IP address, browser, device, operating system
- Pages visited, referring URL, time spent
- Every document action logged with timestamps and IP (forms the audit trail)
2.6 Communications
If you contact us via our contact form, email, or WhatsApp, we retain your communications and the personal data you share with us.
3. How We Use Your Information
We use your personal data for the following purposes only:
- Service delivery: operating the document signing platform
- Authentication & security: verifying identity, securing your account, preventing fraud and abuse
- Document processing: handling uploads, signature workflows, audit trail generation
- Payments: processing wallet top-ups, per-document charges, GST invoicing
- Transactional communications: signer notifications, payment receipts, account-related emails (sent via Gmail SMTP)
- Support: responding to your enquiries and resolving issues
- Service improvement: aggregate, anonymised usage analysis — only if you have consented to analytics cookies (see §9)
- Legal compliance: meeting our obligations under Indian law
4. AI / Machine-Learning Practices
Specifically:
- We do not feed your documents into AI training pipelines
- We do not share your documents or signatures with any AI/ML vendor
- We do not use your signature data to train signature-recognition models
- We do not allow our subprocessors to use your data for AI training
One narrow exception: if you have opted-in to analytics cookies (see §9), we may use aggregate, anonymised, non-identifying usage statistics (e.g. “X% of users use sequential signing”) to improve features. This applies only to feature-usage patterns — never to document content, signature images, or any data that could identify you or your counterparties.
5. Legal Basis for Processing
Under the DPDP Act 2023, we process your personal data on the following legal bases:
- Consent: you actively agree to this policy on account creation, and to optional cookies via our cookie banner
- Performance of contract: processing necessary to provide the Service you signed up for
- Legal obligation: compliance with Indian law (e.g. tax records, audit retention)
- Legitimate interests: security, fraud prevention, service operation — balanced against your rights
6. Sharing With Third Parties
We do not sell, rent, or trade your personal data. We share data only with the following subprocessors, and only for the specific purposes listed:
| Subprocessor | Operator | Purpose | Data shared | Location |
|---|---|---|---|---|
| Web hosting | cPanel managed hosting provider | Application servers, database, document storage | All platform data | India (Mumbai region) |
| Email (SMTP) | Google LLC (Gmail SMTP) | Transactional emails — signer notifications, account emails, password resets | Recipient email, name, document subject, link tokens | United States |
| Payment gateway | Razorpay Software Pvt. Ltd. | Wallet top-ups, per-document billing, GST invoices | Billing email, amount, transaction metadata | India |
6.1 Future Subprocessors
We may engage additional subprocessors in future (for example, web analytics, e-stamp paper integration). When we do, this list will be updated and, where the change is material, we will notify you via in-app banner or email.
6.2 Legal Disclosures
We may disclose your data when required by:
- Indian law, court orders, or lawful government requests
- Enforcement of our Terms & Conditions
- Protection of rights, property, or safety of Sign Zone, our users, or others
6.3 Business Transfers
If Kredo Analytics is involved in a merger, acquisition, restructuring, or sale of assets, your data may be transferred to the acquiring entity. We will notify you, and the receiving entity will be bound by this policy or a substantially similar one.
7. Data Retention
| Data type | Retention period |
|---|---|
| Account data (name, email, phone) | For the life of your account + up to 5 years thereafter |
| Documents uploaded by you | For as long as you keep them in your account |
| Signed documents & audit trails | For as long as you keep them (these have evidentiary value) |
| Payment transaction records | 8 years (Indian tax / accounting law) |
| Server logs & technical data | Up to 12 months |
| OTP codes for signer authentication | Automatically deleted on use or after expiry (typically minutes) |
| Marketing & analytics cookie data | Until you withdraw consent or its retention period expires (max 24 months) |
When you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law (e.g. tax records).
8. Your Rights
Under the DPDP Act 2023, you have the following rights:
- Right to access: request a copy of the personal data we hold about you
- Right to correction: ask us to correct inaccurate or incomplete data
- Right to erasure: ask us to delete your data (subject to legal retention obligations)
- Right to data portability: request an export of your data in a structured, commonly-used format (we will provide your documents and account data via email or download link within 30 days)
- Right to grievance redressal: file a complaint with our Grievance Officer (see §15)
- Right to nominate: nominate another person to exercise your rights on your behalf in case of death or incapacity
- Right to withdraw consent: withdraw consent at any time (note: withdrawing essential consent may end your ability to use the Service)
To exercise any right, email info@kredo.in with your registered account email. We respond within 30 days.
9. Cookies & Tracking
Sign Zone uses cookies in three categories. Your consent for each is managed via the cookie banner you saw on first visit — you can reopen this anytime via “Cookie Settings” in our footer.
9.1 Essential Cookies (always on)
Strictly necessary for the Service to function. These cannot be disabled because the platform will not work without them.
- Session identifier (keeps you logged in)
- CSRF token (security)
- User preference for cookie consent itself
9.2 Analytics Cookies (optional — consent required)
Currently inactive. The platform’s cookie framework supports analytics, but we have not yet activated any analytics service. We are evaluating Google Analytics or a similar tool for future use, to understand aggregate feature usage and improve the platform.
If and when we activate analytics, this section will be updated and you will be re-prompted via the cookie banner to re-confirm or update your consent. We will not activate analytics retroactively against a prior consent that was granted before analytics existed.
9.3 Marketing Cookies (optional — consent required)
Currently inactive. Sign Zone does not currently run advertising, retargeting, or third-party marketing campaigns. The cookie framework supports them in case we add such features in future, but you will be re-prompted before any marketing cookies are deployed.
9.4 Changing Your Preferences
Click “Cookie Settings” in the footer of any page to reopen the preferences modal and change your choices at any time.
10. WhatsApp & Other Communication Channels
Our website includes a floating WhatsApp button for support enquiries. When you click it, you are taken to the WhatsApp service (operated by Meta Platforms Inc.) to begin a chat with us. Please note:
- WhatsApp’s data practices are governed by WhatsApp’s own Privacy Policy, not this one
- Your WhatsApp number, profile name, and message content are shared with Meta when you initiate a chat
- WhatsApp is a convenience channel for quick enquiries, not a formal communication channel for legal notices
- For binding communications and DPDP-related rights requests, please use info@kredo.in
11. Security
We take reasonable technical and organisational measures to protect your personal data:
- Encryption in transit: all communications use HTTPS / TLS
- Password storage: passwords are stored as one-way hashes, never in plain text
- Document storage: stored on managed hosting infrastructure with server-level access controls
- SHA-256 hashing: document integrity is verified using SHA-256 cryptographic hashes
- Role-based access control: internal access is granted on a need-to-know basis
- Audit logging: every action on a document is recorded in an immutable audit trail
- Session management: automatic session timeout after inactivity
No system is 100% secure. If we become aware of a personal data breach, we will notify the Data Protection Board of India and affected users within 72 hours of becoming aware, as required by the DPDP Act.
12. Children’s Privacy
Sign Zone is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at info@kredo.in and we will take steps to delete it.
13. Cross-border Transfers
Sign Zone’s primary infrastructure is located in India. However, we use Gmail SMTP (operated by Google LLC) for transactional emails, which means transactional email content briefly transits Google’s servers in the United States.
We ensure these transfers comply with the DPDP Act 2023’s cross-border data transfer rules. We do not transfer personal data to any country restricted by the Government of India.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified via:
- An in-app banner
- An email to your registered address
- An updated “Last updated” date at the top of this page
Continued use of Sign Zone after a change indicates acceptance of the updated policy.
15. Grievance Officer / Data Protection Officer
Email: info@kredo.in
Address: Bengaluru, Karnataka, India
Response time: within 30 days of receipt
If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India.
16. Contact Us
For any questions about this Privacy Policy or our data practices:
- Email: info@kredo.in
- Address: Kredo Analytics, Bengaluru, Karnataka, India
See also our Terms & Conditions and Compliance & Security page.