Privacy Policy

Last Updated: January 2025

1. Introduction

Eezaly Ltd ("we", "us", or "our") operates eezaly.com, providing electronic signature and document management solutions. We are committed to protecting your privacy and handling your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights regarding your personal data. By using our services, you agree to the collection and use of information in accordance with this policy.

Data Controller: Eezaly Ltd, a company registered in England and Wales. For data protection queries, please contact us at privacy@eezaly.com.

2. Data We Collect

We collect different types of personal data depending on how you use our services:

2.1 Account Information (Registered Users)

Identity Data: First name, last name, email address
Credentials: Password (stored in hashed format using PBKDF2 with HMAC-SHA256)
Account Details: Registration date, last login date, email confirmation status
Subscription Data: Subscription tier (Freemium/Premium), Stripe Customer ID, subscription status, billing cycle

2.2 Document and Signature Data

Uploaded Documents: PDF files you upload for signature (stored encrypted in Azure Blob Storage)
Signature Information: Electronic signatures (image data), signer names, signer email addresses
Document Metadata: Document titles, creation dates, expiry dates, document status, number of signatories
Signing Activity: Signature timestamps, IP addresses at time of signing, browser user agent strings, completion status

2.3 Anonymous User Data

If you use our service without registering (anonymous mode), we collect:

Sender email address and name
Document upload data and signature requests (limited to 3 lifetime uses per email)
Temporary session data (retained for the duration of the signing process)

2.4 Technical and Usage Data

Session Data: Login sessions, authentication tokens (60-minute timeout)
Log Data: IP addresses, browser type and version, device information, pages visited, time and date of access
Email Interaction Data: Email delivery status, open rates, click-through data (via Mailgun)
Analytics Data: Usage patterns, feature interactions, performance metrics (via Google Analytics)

2.5 Payment Information

For Premium subscriptions, payment processing is handled by Stripe. We store:

Stripe Customer ID (linked to your account)
Subscription status and billing period
Note: We do not store your credit card details. All payment card information is securely processed and stored by Stripe in compliance with PCI-DSS standards.

3. How We Use Your Data

We process your personal data for the following purposes, based on the legal grounds specified under UK GDPR:

3.1 Service Provision (Legal Basis: Contract Performance)

Creating and managing your account
Processing document uploads and electronic signatures
Sending documents to designated signatories via email
Tracking document status and signature completion
Providing document storage and retrieval services
Sending transactional emails (signature requests, completion notifications, reminders)

3.2 Subscription Management (Legal Basis: Contract Performance)

Processing subscription payments via Stripe
Managing subscription tiers (Freemium 5 documents/year, Premium unlimited)
Enforcing usage limits for anonymous users (3 lifetime documents)
Sending subscription-related notifications and renewal reminders

3.3 Legal Compliance and Fraud Prevention (Legal Basis: Legal Obligation & Legitimate Interests)

Maintaining audit trails for electronic signatures (required under eIDAS/ESIGN regulations)
Recording IP addresses and timestamps for signature events
Detecting and preventing fraudulent activity and abuse
Complying with tax, accounting, and regulatory requirements
Responding to law enforcement requests when legally required

3.4 Service Improvement and Analytics (Legal Basis: Legitimate Interests)

Analysing usage patterns to improve platform functionality
Monitoring system performance and error rates
Conducting internal research and development
Understanding user behaviour through analytics (Google Analytics)

3.5 Marketing Communications (Legal Basis: Consent)

With your explicit consent, we may use your email address to send:

Product updates and new feature announcements
Tips for using Eezaly more effectively
Special offers and promotional materials

You can withdraw consent and unsubscribe from marketing emails at any time by clicking the unsubscribe link in any marketing email or contacting us at privacy@eezaly.com.

4. Data Storage & Retention

4.1 Storage Infrastructure

Your data is stored securely using Microsoft Azure cloud services:

Database: Microsoft SQL Server (Azure SQL Database) in secure Azure data centres
Document Storage: Azure Blob Storage with private access controls and encryption at rest
Geographic Location: Data is primarily stored in Microsoft Azure data centres in the United Kingdom, with the possibility of replication for redundancy
Backups: Automated database backups are maintained for disaster recovery purposes

4.2 Data Retention Periods

We retain your personal data for different periods depending on the type of data and legal requirements:

Data Type	Retention Period	Reason
Account Information	Duration of account + 30 days after deletion	Service provision and legal compliance
Documents & Signatures	Indefinitely for active accounts (or until user deletion)	Legal validity of signatures, audit trails
Transaction Records	7 years	Tax and accounting obligations
Server Logs	30 days	Security monitoring and troubleshooting
Temporary Files	24 hours	Processing purposes only
Marketing Consent	Until withdrawal or account deletion	Compliance with marketing regulations

4.3 Account Deletion

When you delete your account or request erasure of your data:

Your account will be deactivated immediately
Personal data will be permanently deleted within 30 days
Documents and signatures may be retained if required for legal compliance or to fulfil legitimate interests (e.g., if other parties have rights to access signed documents)
Anonymised or aggregated data may be retained for statistical purposes

We do not sell your personal data to third parties. We only share your data with trusted service providers who help us deliver our services, and only to the extent necessary for specific purposes:

5.1 Essential Service Providers

Service Provider	Purpose	Data Shared	Location
Microsoft Azure	Cloud hosting & storage	All platform data	UK/EU
Mailgun (EU)	Email delivery service	Email addresses, names, email content	EU
Stripe	Payment processing	Name, email, payment details	Global (GDPR-compliant)

5.2 Analytics and Marketing Services

Service Provider	Purpose	Data Shared
Google Analytics (ID: G-L8PK48KHH4)	Website usage analytics	IP address, browser info, pages visited, session duration
Google Tag Manager (ID: GTM-WZGS79RQ)	Tag management	Similar to Google Analytics
Facebook Pixel (ID: 1600929147204700)	Advertising and conversion tracking	Browser info, pages visited, events (e.g., document sent)

5.3 Legal and Regulatory Disclosure

We may disclose your personal data if required to do so by law or in response to:

Valid legal requests from law enforcement or government authorities
Court orders or subpoenas
Protection of our legal rights or the safety of users
Investigation of fraud, security issues, or technical problems

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the new owner. We will notify you via email and/or a prominent notice on our website before your data is transferred and becomes subject to a different privacy policy.

5.5 Data Sharing with Other Users

When you send a document for signature:

Recipients will see your name and email address
All signatories can view the completed document and signature audit trail
This is necessary for the proper functioning of electronic signature services

6. Security Measures

We take the security of your personal data seriously and implement industry-standard technical and organisational measures to protect it:

6.1 Data Encryption

In Transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS protocols
At Rest: Documents are stored in Azure Blob Storage with encryption at rest
Passwords: All passwords are hashed using PBKDF2 with HMAC-SHA256, making them unreadable even to our staff
Signature Links: Document signature links are encrypted using AES-256 CBC encryption

6.2 Access Controls

Document storage uses private access controls - documents are not publicly accessible
Role-based access control for administrative functions
60-minute automatic session timeout for inactive users
Multi-factor authentication available for admin accounts

6.3 Security Monitoring

Continuous monitoring of system logs for suspicious activity
Anti-forgery tokens and CSRF protection on all forms
Webhook signature verification for third-party integrations (Stripe)
Regular security audits and vulnerability assessments

6.4 Data Breach Response

In the event of a data breach that poses a risk to your rights and freedoms:

We will notify the UK Information Commissioner's Office (ICO) within 72 hours
We will inform affected users without undue delay
We will take immediate steps to contain and remediate the breach
We will provide guidance on steps you can take to protect yourself

Important: While we implement robust security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data using industry best practices.

7. Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights regarding your personal data:

7.1 Right of Access

You can request a copy of the personal data we hold about you. We will provide this information in a structured, commonly used, and machine-readable format (typically JSON or CSV) within one month of your request.

7.2 Right to Rectification

You can update your personal information at any time through your account settings. If you find any inaccurate data, you can request corrections by contacting us at privacy@eezaly.com.

7.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data by:

Deleting your account through the dashboard settings
Contacting us at privacy@eezaly.com

Note: We may retain certain data if required by law or for legitimate legal purposes (e.g., maintaining signature audit trails for documents involving other parties).

7.4 Right to Data Portability

You can request a machine-readable copy of your data to transfer to another service provider. This includes your account information, documents, and signature records.

7.5 Right to Object

You can object to processing of your data for:

Direct marketing purposes (opt-out of marketing emails anytime)
Processing based on legitimate interests
Automated decision-making or profiling (though we do not currently perform profiling)

7.6 Right to Restrict Processing

You can request that we temporarily limit how we use your data while we investigate your concerns about accuracy or processing legality.

7.7 Right to Withdraw Consent

Where we rely on your consent (e.g., marketing communications), you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.

7.8 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Email: privacy@eezaly.com
Response Time: We will respond to your request within one month
Verification: We may ask you to verify your identity before processing requests

7.9 Right to Lodge a Complaint

If you're unhappy with how we've handled your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

Website: https://ico.org.uk
Phone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

8. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience, analyse usage, and deliver relevant content. Cookies are small text files stored on your device.

8.1 Types of Cookies We Use

Cookie Name	Type	Purpose	Duration
`EezalySession`	Essential	Maintains your login session and authentication	60 minutes
`.AspNetCore.Antiforgery.*`	Essential	Security protection against CSRF attacks	Session
`cookie_notice_accepted`	Essential	Remembers your cookie consent preference	1 year
`_ga`	Analytics	Google Analytics - distinguishes users	2 years
`_gid`	Analytics	Google Analytics - distinguishes users	24 hours
`_gat`	Analytics	Google Analytics - throttles request rate	1 minute
`fr`	Marketing	Facebook Pixel - ad targeting and conversion tracking	3 months
`tr`	Marketing	Facebook Pixel - tracking pixel	Session

8.2 Cookie Categories

Essential Cookies: Required for the website to function. Cannot be disabled.
Analytics Cookies: Help us understand how you use our site to improve performance.
Marketing Cookies: Track your activity to deliver relevant advertisements.

8.3 Managing Cookies

You can control cookies through:

Browser Settings: Most browsers allow you to refuse or delete cookies. Consult your browser's help menu for instructions.
Opt-out Links:
- Google Analytics: Google Analytics Opt-out Browser Add-on
- Facebook: Facebook Ad Preferences

Note: Disabling essential cookies may affect the functionality of our website, including your ability to log in and use core features.

9. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings.

9.1 How We Notify You of Changes

Material Changes: If we make significant changes that affect your rights, we will notify you via email (to the address associated with your account) at least 30 days before the changes take effect.
Minor Changes: For non-material changes (e.g., clarifications, formatting), we will update the "Last Updated" date at the top of this page.
Notification Banner: We may display a prominent notice on our website when significant changes are made.

9.2 Your Acceptance

By continuing to use Eezaly after changes become effective, you accept the updated Privacy Policy. If you disagree with the changes, you may delete your account before they take effect.

9.3 Version History

We maintain a record of major policy updates. You can request previous versions by contacting privacy@eezaly.com.

10. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Eezaly Ltd - Data Protection Contact

Email: privacy@eezaly.com

General Enquiries: info@eezaly.com

Website: www.eezaly.com

Response Time: We aim to respond to all data protection enquiries within 5 business days, with full resolution within one month as required by UK GDPR.

Governing Law: This Privacy Policy is governed by the laws of England and Wales.
Company Registration: Eezaly Ltd is registered in England and Wales.
Compliance: We are committed to compliance with UK GDPR, Data Protection Act 2018, and all applicable data protection laws.