Pactly
Back to Home

Privacy Policy

Detailed privacy policy outlining how Pactly collects, uses, protects, and manages your personal information.

Privacy Policy

Effective Date: January 15, 2025

Data Controller Information

Pactly Inc.
[Company Address]
Email: [email protected]
Phone: [Phone Number]

For privacy compliance matters, contact our Privacy Officer at [email protected].

Introduction

This Privacy Policy describes how Pactly ("we," "our," or "us") collects, uses, and protects your personal information when you use our electronic signature services.

By using Pactly, you authorize the collection and processing of your personal data in accordance with applicable laws, including:

  • European Union General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • Brazil's Lei Geral de Proteção de Dados (LGPD)
  • Colombia's Law 1581 of 2012 and Decree 1377 of 2013

For Colombian users: Our databases are registered with Colombia's SIC (Superintendencia de Industria y Comercio) where applicable.

Notice at Collection

We collect the following categories of personal information for the stated purposes:

  • Identifiers: Name, email, phone number for account management and communication
  • Commercial Information: Billing data, subscription details for payment processing
  • Internet Activity: Usage data, IP addresses for security and service improvement
  • Professional Information: Job title, company name for account customization
  • Electronic Signatures: Signature data, documents for electronic signing services
  • Geolocation Data: General location for compliance and fraud prevention

Data Controller and Processor Roles

Pactly as Data Controller:

  • Account information and user profiles
  • Billing and subscription data
  • Customer support interactions
  • Platform usage analytics

Pactly as Data Processor:

  • Document signing activities initiated by customers
  • Document content uploaded by users
  • Signature workflows managed by account administrators

Information We Collect

Personal Information

We collect the following types of personal information:

Account Information:

  • Name and email address
  • Phone number (optional)
  • Company name and job title (optional)
  • Password and authentication credentials

Document Information:

  • Documents you upload for signing
  • Electronic signatures and signature data
  • Comments and annotations on documents
  • Signing timestamps and locations

Usage Information:

  • IP addresses and device information
  • Browser type and version
  • Pages visited and features used
  • Time spent on our platform

How We Collect Information

Directly from You:

  • Account registration and profile updates
  • Document uploads and signing activities
  • Customer support interactions
  • Survey responses and feedback

Automatically:

  • Web browser cookies and similar technologies
  • Server logs and analytics data
  • Security monitoring and fraud prevention
  • Performance and error monitoring

How We Use Your Information

Primary Uses

We use your personal information to:

  • Provide Services: Process documents and enable electronic signing
  • Account Management: Maintain and secure your account
  • Communication: Send service updates and support communications
  • Legal Compliance: Meet regulatory and legal requirements

Secondary Uses

We may also use your information for:

  • Service Improvement: Analyze usage patterns and enhance features
  • Security: Detect and prevent fraud and security threats
  • Marketing: Send promotional content (with your consent)
  • Research: Conduct anonymized research and analytics

Legal Bases for Processing

| Purpose | Data Types | Legal Basis | |---------|------------|-------------| | Account creation and management | Identity Data, Contact Information | Contractual necessity | | Document signing services | Document Data, Signature Data | Contractual necessity | | Payment processing | Billing Data, Payment Information | Contractual necessity | | Customer support | Account Data, Communication Records | Contractual necessity | | Security and fraud prevention | Technical Data, Usage Data | Legitimate interests | | Platform improvement | Usage Analytics, Performance Data | Legitimate interests | | Marketing communications | Identity Data, Preferences | Explicit consent | | Legal compliance and audit | Audit Logs, Document Data | Legal obligation | | Regulatory reporting | Aggregated Data | Legal obligation |

Information Sharing

We Share Information When:

Service Providers:

  • Cloud hosting and infrastructure providers
  • Payment processing and billing services
  • Customer support and communication tools
  • Security monitoring and analytics services

Legal Requirements:

  • Court orders and legal processes
  • Law enforcement requests
  • Regulatory compliance obligations
  • Protection of rights and safety

Business Transfers:

  • Mergers, acquisitions, or asset sales
  • Bankruptcy or insolvency proceedings
  • Corporate restructuring activities

We Do Not Share:

  • Personal information for marketing by third parties
  • Document content without your explicit consent
  • Authentication credentials or passwords
  • Information beyond what's necessary for stated purposes

Subprocessors

We engage certain third-party service providers ("Subprocessors") to process personal data on our behalf. A current, detailed list of our Subprocessors, their locations, and processing activities is available at /legal/subprocessors. We will provide at least 30 days' advance notice of any intended additions or replacements via email or updates to the Subprocessor List.

Your California Privacy Rights

For California Residents: We do not sell or share your personal information as defined under California law. However, you can opt out of certain marketing and tracking practices via your Privacy Preferences Center.

Currently, we do not engage in cross-context behavioral advertising. If this changes, we will provide clear notice and opt-out mechanisms.

California residents may submit access, correction, and deletion requests via [email protected] or through your account settings.

Data Security

Technical Safeguards

  • Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
  • Access Controls: Multi-factor authentication and role-based access
  • Monitoring: 24/7 security monitoring and threat detection
  • Backup: Encrypted backups with secure recovery procedures
  • Audit Integrity: Audit trails maintained with cryptographic integrity using immutable hash chains

Organizational Safeguards

  • Training: Regular security awareness training for employees
  • Policies: Comprehensive information security policies
  • Audits: Regular security audits and compliance reviews
  • Incident Response: Documented procedures for security incidents

Data Retention

Retention Periods

  • Active Accounts: Information retained while account is active
  • Closed Accounts: Personal data deleted within 30 days (subject to legal holds)
  • Signed Documents: Retained for 7+ years for legal compliance
  • Audit Logs: Retained for security and compliance purposes, may be retained beyond account deletion for regulatory defense

Legal Holds

Retention periods may be extended when:

  • Legal proceedings are pending or threatened
  • Regulatory investigations are ongoing
  • Contractual obligations require longer retention
  • Law enforcement requests preservation

Your Privacy Rights

Access Rights

  • Data Access: Request copies of your personal information
  • Account Access: View and manage your account information
  • Document Access: Download your signed documents
  • Audit Access: Request audit trail information

Control Rights

  • Data Correction: Update or correct your personal information
  • Data Deletion: Request deletion of your personal data
  • Data Portability: Export your data in standard formats
  • Processing Objection: Object to certain data processing activities

Communication Rights

  • Marketing Opt-Out: Unsubscribe from promotional communications
  • Notification Preferences: Control service-related notifications
  • Cookie Preferences: Manage cookie and tracking preferences

Response Time

We respond to data subject rights requests within 30 days of receipt, in accordance with GDPR requirements. Complex requests may require additional time, and we will notify you of any extensions.

Brazilian Users

We comply with Brazil's LGPD (Lei Geral de Proteção de Dados). You have rights including access, correction, deletion, and opposition. If you believe your data rights have been violated, you may contact Brazil's National Data Protection Authority (ANPD) at https://www.gov.br/anpd/.

International Data Transfers

Transfer Mechanisms

When transferring personal data internationally, we use:

  • Adequacy Decisions: Transfers to countries with adequate protection as determined by relevant authorities
  • Standard Contractual Clauses: EU-approved transfer mechanisms providing appropriate safeguards
  • Binding Corporate Rules: Internal data transfer frameworks ensuring consistent protection
  • Explicit Consent: User consent for specific transfers where other mechanisms are unavailable

Data Localization

We offer data localization options for:

  • Regional Storage: Store data within specific geographic regions upon request
  • Local Processing: Process data within local jurisdictions for compliance needs
  • Compliance Requirements: Meet local data residency requirements as mandated by law

Cookies and Tracking

Types of Cookies

  • Essential Cookies: Required for basic platform functionality
  • Analytics Cookies: Help us understand platform usage
  • Security Cookies: Protect against fraud and security threats
  • Preference Cookies: Remember your settings and preferences

Cookie Management

You can control cookies through:

  • Browser Settings: Configure cookie preferences in your browser
  • Platform Settings: Manage cookies within our platform
  • Opt-Out Tools: Use industry opt-out mechanisms
  • Cookie Consent: Manage consent through our cookie banner

Children's Privacy

We do not knowingly collect personal information from children under 13 years of age (or the applicable age in your jurisdiction). This policy complies with the Children's Online Privacy Protection Act (COPPA) and equivalent provisions under LGPD and other applicable laws. If we discover that we have collected information from a child below the applicable age threshold, we will delete it immediately.

Changes to This Policy

We may update this Privacy Policy periodically. When we make changes:

  • Notification: We'll notify you of material changes via email
  • Posting: Updated policy will be posted on our website
  • Effective Date: Changes take effect on the date specified
  • Consent: If you disagree with material changes, you may close your account before they take effect. Continued use after the effective date constitutes acceptance of changes

Contact Information

Privacy Inquiries

For privacy-related questions or requests:

Data Subject Requests

To exercise your privacy rights:

Complaint Process

If you have concerns about our privacy practices:

  • Internal Complaint: Contact our Privacy Officer
  • Regulatory Complaint: Contact your local data protection authority
  • Legal Counsel: Consult with qualified legal counsel

Governing Law

This Privacy Policy is governed by and interpreted in accordance with the laws of [Insert Jurisdiction], without regard to conflict of law principles. Users in other jurisdictions may have additional rights under applicable laws.

This Privacy Policy is governed by the laws of [Jurisdiction]. For questions about legal compliance, contact [email protected].

Last updated: January 15, 2025