Privacy Policy
Last updated: May 12, 2026
Note: This English translation is provided for convenience only. The German version (German original) is the legally binding version.
What are you looking for? This page covers 2 areas:
Data Controller (both areas)
SIGNGUARD APP LTD
Agiou Kourmouta, 28
KISSOS SEAVIEW VILLAS, Flat/Office n2
8574 Kissonerga, Paphos, Cyprus
Email: info@signguard.app
A. Privacy on this Website
This section explains which data is processed when you visit our website signguard.app. For processing related to our iOS app, see Section B.
A.1 Server logs and IP address
When you visit our website, the following data is automatically collected by the web server and stored in log files:
- IP address (anonymized after 7 days)
- Date, time and duration of access
- URL accessed and referrer URL
- Browser type, version, operating system
Purpose: Ensure technical functionality, protect against abuse, troubleshoot errors.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure operation).
Retention: 7 days, then deleted or fully anonymized.
A.2 Cookies
When visiting our website, cookies are set in 3 categories β you decide via the cookie banner which ones are active:
a) Essential cookies (required β no opt-out)
- Cookie consent status (stores your decision)
- Security cookies (CSRF protection, session management)
Legal basis: Art. 6(1)(f) GDPR (technical necessity).
b) Analytics cookies (opt-in via cookie banner)
- Google Analytics 4 (see A.3 for details)
- Microsoft Clarity (see A.4 for details)
Legal basis: Art. 6(1)(a) GDPR (consent).
c) Functional cookies (opt-in via cookie banner)
- GrowthBook A/B-test assignment (see A.5 for details)
Legal basis: Art. 6(1)(a) GDPR (consent).
You can withdraw your consent to non-essential cookies at any time via the cookie banner (link "Cookie settings" in the footer). Details on each cookie: Cookie Policy.
A.3 Google Analytics 4 (web analytics)
On signguard.app we use Google Analytics 4 (provider: Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland) to collect anonymous audience and funnel statistics.
- Property ID: G-2H6QVG5CNH (in SignGuard GTM container GTM-K683CMW2)
- IP anonymization: active (Google only receives truncated IPs)
- Data transfer: EU data residency + Standard Contractual Clauses for third-country transfer
- Cookie lifetime: max. 14 months
- SameSite attribute: Lax (cross-site cookie protection)
Legal basis: Art. 6(1)(a) GDPR (consent via cookie banner).
Revocation: Disable analytics cookies in the cookie banner or use the browser add-on tools.google.com/dlpage/gaoptout.
A.4 Microsoft Clarity (heatmap and session-replay analysis)
Provider: Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.
Clarity creates anonymized heatmaps, recordings of mouse movements, scroll depth and click paths β to improve website UX.
- PII masking: active (form contents are automatically masked)
- Data transfer: EU data residency + Standard Contractual Clauses
- Retention: 90 days, then deleted
Legal basis: Art. 6(1)(a) GDPR (consent).
Revocation: Disable analytics cookies in the cookie banner.
A.5 GrowthBook (A/B tests and feature flags)
Provider: GrowthBook Inc., 100 Bush Street, San Francisco, CA 94104, USA.
GrowthBook enables controlled A/B tests (e.g. CTA wording variants) and feature flags. A random, anonymous ID is stored in browser localStorage (key sg_gb_anon_id) and transmitted β no cookie, no personal data.
- Anonymous ID: randomly generated, no account reference
- Data transfer: US server under Standard Contractual Clauses + Data Privacy Framework
- Retention: 90 days in localStorage, then reset
Legal basis: Art. 6(1)(a) GDPR (consent).
Revocation: Disable functional cookies in the cookie banner.
A.6 Pre-registration form (Brevo)
On signguard.app/en/get-notified.html (German version: /vormerken.html) we offer an email pre-registration form for launch notifications. Form provider and email processor: Brevo (Sendinblue SAS), 7 rue de Madrid, 75008 Paris, France.
Data processed: your email address (required) and, optionally, your first name. We send a one-time confirmation email (double opt-in) and a maximum of 3 launch notifications.
Legal basis: Art. 6(1)(a) GDPR (consent via form submit).
Revocation: Unsubscribe link in every email or email to info@signguard.app.
Retention: Until revocation, max. 24 months after last activity.
B. Privacy in the SignGuard App
This section explains which data is processed when you use the SignGuard iOS app. For processing related to the website, see Section A.
B.1 Account registration
- Email address (authentication and communication)
- Password (hashed with Argon2id, never stored in plain text)
- Language and region preferences
- Subscription status (Pro / Free)
Legal basis: Art. 6(1)(b) GDPR (contract performance).
B.2 Contract analysis
- Uploaded contract documents (PDF or photo)
- OCR-extracted text from documents
Retention: Extracted text is automatically deleted after 30 days. Full scan records are deleted after 365 days. Uploaded files are processed in memory only and never stored permanently on our servers.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
B.3 AI processing and sub-processor
For clause analysis, the extracted text is passed to an AI sub-processor. The sub-processor is OpenAI (see below). Processing runs through our own EU server infrastructure β your contract data is processed on servers within the EU.
Active safeguards
store: falseβ OpenAI does not retain submitted content for training- Data Processing Agreement (DPA) with OpenAI
- All API requests are routed through our EU servers β no direct data transfer to the USA
- Sensitive fields (names, addresses) are pseudonymized before transfer (PII masking)
Third-country transfer: OpenAI is a US company. Despite EU server routing, US authorities could in principle request access under the CLOUD Act. Protection is provided via Standard Contractual Clauses + Data Privacy Framework + technical pseudonymization.
More info: openai.com/policies/privacy-policy Β· SignGuard AI Transparency.
B.4 Usage data
- Number of scans performed
- Features used (AI chat, cancellation letter generator, deadline reminders)
- Deadline calendar and reminders (if created by the user)
Legal basis: Art. 6(1)(b) GDPR + Art. 6(1)(f) (app improvement).
B.5 Payment data
Payments are processed exclusively via RevenueCat (RevenueCat Inc., 575 Market Street, San Francisco, USA) and the Apple/Google stores. We only receive anonymized purchase/subscription information, no full payment details.
Legal basis: Art. 6(1)(b) GDPR. More info: revenuecat.com/privacy.
B.6 Apple / Google platform
The app is distributed via the Apple App Store and Google Play Store. Platform-side data processing during download and use is governed by Apple's and Google's privacy policies.
B.7 Account deletion in the app
You can delete your account and all associated data at any time directly in the app: Settings β Delete Account. After confirmation, account data, contract analyses, reminders and usage statistics are completely deleted within 30 days (except where statutory retention periods apply β e.g. accounting records: 10 years, anonymized).
B.8 Lawyer Check (arranging an initial legal consultation via advocado)
If the AI analysis identifies a high risk in your contract, you can select the "Request review" option in the app. In this case β only with your explicit consent β we transmit a request to our cooperation partner advocado (advocado.de, a brand of LEGAL TECH LAB 22 GmbH, MΓ€rkisches Ufer 38/40, 10179 Berlin, Germany), which refers you to an independent partner lawyer for an initial consultation.
Data transmitted: first and last name and email address (optionally: phone number, salutation, postal address) so the lawyer can contact you; a summary of your legal question generated from the analysis, including the area of law; your contract document as a PDF, as the lawyer needs it for the initial assessment; and a technical partner identifier (without additional personal reference).
Purpose: referral of a free initial legal assessment actively requested by you. Legal basis: your consent (Art. 6(1)(a) GDPR) and pre-contractual measures to initiate the mandate you request (Art. 6(1)(b) GDPR). You may withdraw your consent at any time with effect for the future.
Recipients and responsibility: From the moment of transmission, advocado processes the data for lawyer referral as an independent controller (this includes an AI system used to prepare the case description); the referred partner lawyer processes the data to provide the initial consultation and is bound by attorney-client privilege. advocado's privacy notice applies. Without your consent, no transmission takes place; SignGuard merely keeps an internal technical log of the transmission. More about the process: The Lawyer Check.
C. Common Topics (Website + App)
C.1 Data storage and security
- All personal data is stored on servers within the European Union
- All connections are encrypted using TLS 1.3 / HTTPS
- Passwords are hashed with Argon2id (never stored in plain text)
- Active security headers: HSTS, CSP (Content Security Policy), X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Regular security audits and penetration tests
C.2 Your rights (Art. 15-22 GDPR)
As a data subject, you have the following rights β for both website and app data processing:
- Access (Art. 15 GDPR): Request information about your stored data at any time
- Rectification (Art. 16 GDPR): Have inaccurate data corrected
- Erasure (Art. 17 GDPR): In the app: Settings β Delete Account. Website data: email info@signguard.app or revoke consent via the cookie banner
- Restriction (Art. 18 GDPR): Request restriction of processing
- Data portability (Art. 20 GDPR): Request your data in a machine-readable format β email info@signguard.app
- Objection (Art. 21 GDPR): Object to processing
- Automated decisions (Art. 22 GDPR): The AI clause assessment is not an automated decision within the meaning of Art. 22 GDPR β it is purely informational and has no legal effect on you
To exercise your rights: info@signguard.app.
C.3 Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority. The competent authority is the data protection authority of the EU member state of your habitual residence.
For Germany: Federal Commissioner for Data Protection and Freedom of Information (BfDI), www.bfdi.bund.de.
For Cyprus (seat of the controller): Office of the Commissioner for Personal Data Protection, www.dataprotection.gov.cy.
C.4 Changes to this policy
We may update this privacy policy when needed β e.g. for new features, new sub-processors, or a changed legal framework. The current version is always available at signguard.app/en/privacy.html (German original: signguard.app/privacy.html). Material changes are communicated via in-app notification or email.
Last updated: May 12, 2026 Β· Controller: SIGNGUARD APP LTD Β· Contact: info@signguard.app