Privacy Policy
Effective 2026-05-16
1. Who this applies to
This policy describes how Spondeo (“Spondeo,” “we,” “us”) handles personal data when you (a) sign up for and use the Spondeo dashboard, API, or SDKs as a customer; or (b) receive an envelope sent through Spondeo as a signer. Customers are accountable to their own signers under their own contracts and disclosures; this policy explains what Spondeo independently does with data we touch.
2. Data we collect
2.1 From customers
- Account identity: name, email address, workspace name.
- Authentication: hashed magic-link tokens, hashed API keys.
- Billing details (if applicable): handled via our payments processor; we store only the customer ID returned by them.
- Usage: envelope counts, API call metadata, IP addresses, user agent strings, page views, audit events.
2.2 From signers
- The recipient information the sender provided (name, email).
- Field values you enter on the signing surface (signature image, typed text, checkbox selections, etc.).
- Signing-time evidence: timestamps, IP address, user agent, the unique signing-link token, your consent attestation, and the SHA-256 of the document you signed.
- If you decline: an optional reason text you choose to submit.
2.3 Cookies and similar
We use first-party cookies strictly for authentication (the session cookie for signed-in customers) and CSRF defense. We do not use third-party advertising or analytics cookies on the product surface. Marketing pages may set a single privacy-respecting analytics cookie (no cross-site tracking).
3. How we use it
- Provide the service. Render signing surfaces, route envelopes, generate audit certificates, deliver email notifications.
- Authenticate and secure. Verify sessions, rate-limit signer endpoints, detect abuse.
- Audit and integrity. Maintain an append-only event log for every envelope so a completed document is independently verifiable years later. This data cannot be deleted on request because doing so would defeat the integrity guarantee.
- Improve the product. Aggregate usage metrics. We do not train AI models on customer documents or signer content.
- Legal compliance. Tax reporting, responding to lawful process, fraud prevention.
4. Legal bases (GDPR)
Where GDPR applies, we rely on: contract performance to operate the service for customers and to record signatures requested by a sender; legitimate interests for security, fraud-prevention, and product analytics; legal obligation for tax records and lawful-process responses; and consent where a feature requires explicit opt-in.
5. How long we keep it
- Completed envelopes + audit events: retained for the life of your account plus any contractually agreed period thereafter, because the signed document and its audit trail must remain verifiable.
- Drafts and unsent envelopes: retained while your account is active; deletable on request.
- Account metadata and logs: retained for 24 months by default after account closure, except where extended for legal or fraud-prevention reasons.
- Billing records: retained for the period required by tax law in our jurisdiction (typically 7 years).
6. Who we share it with
We use a small number of subprocessors to operate the service. The current list and what each one handles is published at /legal/subprocessors and is kept current. We share customer or signer data only with these subprocessors, or where required by lawful process.
7. International transfers
Our infrastructure today runs in the United States. If you are in the EEA / UK / Switzerland, your data is transferred to the United States under Standard Contractual Clauses with each subprocessor, supplemented by our own technical and organizational measures.
8. Your rights
Depending on where you live, you may have rights to access, correct, delete, restrict, or port your personal data, and to object to certain processing. To exercise any of these, email [email protected]. We verify identity before acting.
Note that we cannot delete audit events tied to a completed envelope on request — see Section 5. We can delete unsent drafts and account metadata, and we will honor “right to be forgotten” requests for everything except the audit-cert data that must remain verifiable for legal effectiveness of an already-signed document.
9. Security
All data is encrypted in transit (TLS 1.2+) and at rest. Source documents are content-hashed at upload and verified at finalize so tampering between those points is detectable. Production access is scoped, logged, and reviewed. Read more at /security.
10. Children
Spondeo is not designed for and not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, email [email protected] and we will delete it.
11. Changes
We update this policy as our practices evolve. Material changes will be announced to customer admins by email at least 30 days before they take effect. The current version is always linked from the footer of the marketing site.
12. How to reach us
Email (privacy): [email protected]
Email (security): [email protected]
If you are in the EU and we are required to designate a representative under Article 27 GDPR, we will publish their contact details here when appointed.