Privacy Policy
We take your privacy very seriously. Please read this privacy policy carefully as it contains important information on who we are and our information practices, meaning how and why we collect, use, disclose, sell, share, store, and retain your personal information. It also explains your rights in relation to your personal information and how to contact us or supervisory authorities in the event you have a complaint or request.
We collect, use, and are responsible for certain personal information about you. When we offer goods and services to individuals in the European Economic Area (EEA) or the United Kingdom (UK), we are subject to the EU General Data Protection Regulation (EU GDPR) and, where applicable, the UK GDPR and Data Protection Act 2018, which apply across the entire European Union and, in the case of the UK GDPR, the United Kingdom. For California consumers, we are subject to the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA). For residents of other U.S. states (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Florida, Delaware, and New Jersey), we comply with the applicable state consumer privacy laws to the extent they apply to us. We are responsible as a "controller" of that personal information for the purposes of the GDPR. We are responsible for your personal information as a "business" under the CCPA/CPRA.
It would be helpful to start by explaining some key terms used in this policy.
1. Key Terms
- "We," "us," "our": GO FLOWSIGN LLC, a Delaware limited liability company doing business as "FlowSign" ("FlowSign," "we," "us," or "our"), located at 420 Carroll Street, FL 2 Suite 220, Brooklyn, NY 11215.
- Our representative: [email protected].
- "Affiliate": any entity that, directly or indirectly, controls, is controlled by, or is under common control with FlowSign, where control means ownership of more than 50% of the voting equity or the power to direct management and policies.
- Personal information: any information relating to an identified or identifiable individual.
- Special category personal information (GDPR): personal information revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, or trade union membership; genetic and biometric data; and data concerning health, sex life or sexual orientation.
- Sensitive Personal Information (CCPA/CPRA): personal information revealing a consumer's social security number, driver's license and passport numbers, account numbers and credentials, precise geolocation, racial or ethnic origin, religious beliefs, or union membership, personal information concerning a consumer's health, sex life, or sexual orientation, contents of consumer mail, email and text messages where we are not the intended recipient, genetic data, biometric information, or citizenship and immigration status.
- Biometric Information: an individual's physiological, biological, or behavioral characteristics, including imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, voice recordings, and keystroke or gait patterns, used or intended to be used to establish identity.
- Signature Data: information generated when you or another person creates, sends, or executes an electronic signature using the Services, including the rendered signature image, signer's typed name, IP address and approximate geolocation, device and browser metadata, timestamps, authentication events, audit-trail entries, and the document(s) signed.
2. Personal Information We Collect About You
We may collect and use the following personal information, including sensitive personal information.
- Identifiers: real name, email address, postal address, phone number, account name, IP address, device identifiers, and other similar identifiers. Government-issued identifiers such as social security number, driver's license number, or passport number are collected only if you upload them within a document you choose to send for signature.
- California Civil Code § 1798.80(e) categories: name, signature, address, telephone number, signature image, professional title, and similar contact information. Financial, medical, education, and similar sensitive categories are collected only if a customer or signer chooses to upload a document containing such information.
- Account credentials: account log-in credentials and, where applicable, payment-card or financial-account information. Payment-card information is processed by our third-party payment processor (Stripe) and is not stored on FlowSign's own systems beyond tokenization.
- Characteristics of protected classifications: not actively collected by FlowSign. May incidentally appear in customer-uploaded documents but is not analyzed or used by FlowSign.
- Commercial information: records of subscription plans purchased, billing history, and information about your use of the Services.
- Biometric information: not collected. The signature image you create using FlowSign is a graphical or typed representation only and is not a biometric template under CCPA/CPRA, BIPA, or comparable state laws.
- Internet or other electronic network activity information: browsing history within the Services, search history within the Services, and information about your interactions with the Services and our marketing pages.
- Geolocation data: approximate geolocation derived from IP addresses. We do not collect precise geolocation.
- Audio, electronic, visual: Visual: signature images and any document images or attachments you upload. Audio: limited to recorded customer-support calls where applicable, with notice and consent where required by law.
- Professional or employment-related information: job title, organization, and similar professional context.
- Education information (FERPA): not actively collected.
- Inferences: inferences derived from the categories above to provide and improve the Services.
- Special category data: not actively collected. May incidentally appear in customer-uploaded documents.
- Health information: not actively collected. If you use the Services to handle Protected Health Information (PHI) under HIPAA, you must enter into a written Business Associate Agreement with FlowSign before doing so.
If you do not provide personal information required to provide products or services to you, it may delay or prevent us from providing products or services to you.
3. How Your Personal Information is Collected
We collect personal information from the following categories of sources:
- You, directly in person, by telephone, text, email, and/or via our website and apps.
- Third parties with your consent, such as your bank, your single-sign-on identity provider, or a counterparty who invites you to sign a document.
- Advertising networks and analytics providers.
- Internet service providers, operating systems, and platforms.
- Social networks.
- Counterparties and other signers in your signing workflows.
- Cookies and similar tracking technologies on our website.
- Third-party integrations and SSO providers that you connect to your FlowSign account.
- Payment processors and other third-party service providers such as Stripe.
4. How and Why We Use Your Personal Information
We use your personal information to provide products or services, prevent and detect fraud, comply with legal and regulatory obligations, protect commercially sensitive information, operate and improve our business, keep our customers informed about service changes, market our products and services and those of our Affiliates, and for other purposes described in this policy.
Specifically with respect to e-signature workflows, we use Signature Data to:
- Authenticate signers.
- Generate the audit certificate that accompanies executed documents.
- Detect and prevent fraud.
- Comply with recordkeeping and evidentiary requirements of the ESIGN Act, UETA, eIDAS, and applicable trust-service obligations.
- Respond to subpoenas, court orders, and similar legal process.
5. Promotional Communications
We may use your personal information to send updates about our products or services and those of our Affiliates, including exclusive offers, promotions, or new products or services. We have a legitimate interest in processing your personal information for promotional purposes. Where consent is needed, we will ask for it separately and clearly.
(a) Post-Termination Marketing: Promotional communications may continue after termination of the Terms or closure of your account, on the same legitimate-interest basis or, for individuals in the EEA/UK, on the consent basis provided through our signup or signing flow, until you opt out or until we delete your contact details in accordance with Section 9.
(b) Affiliates: We may share your contact details with our Affiliates so they may send you marketing communications about their own products and services. Our Affiliates are bound by the same opt-out commitments described in subsection (c), and we maintain a single suppression list that is honored by FlowSign and our Affiliates.
We will always treat your personal information with the utmost respect and never sell it to other organizations for marketing purposes.
You have the right to opt out of receiving promotional communications at any time by contacting us at [email protected] or using the "unsubscribe" link in emails or the "STOP" command in texts.
(c) Transactional and Service Communications: Communications that are transactional or service-related are not subject to opt-out and will continue regardless of your marketing preferences.
6. Who We Share Your Personal Information With
We routinely share personal information with:
- Our Affiliates and corporate group members, including for marketing purposes.
- Counterparties and recipients in the document workflows you initiate.
- Service providers such as cloud-hosting providers, payment processors (e.g., Stripe), email-delivery providers, identity-verification providers, customer-support tooling, analytics providers, and AI service providers (e.g., OpenAI).
- Other third parties that help us run our business, such as marketing agencies or website hosts.
- Third parties approved by you, including social-media sites you choose to link or third-party payment providers.
- Credit-reporting agencies where reasonably necessary.
- Our insurers, brokers, and banks.
We only allow our service providers to handle your personal information if we are satisfied they take appropriate measures to protect it. We may also disclose information to law enforcement and regulatory bodies to comply with our legal obligations.
7. Sale and Sharing of Personal Information
FlowSign does not "sell" personal information for monetary consideration. Certain advertising and analytics services we use may constitute "sharing" for cross-context behavioral advertising or "selling" under the broad definitions in CCPA/CPRA and other state privacy laws.
To opt out of these activities, please use the "Cookie Preferences" link in our website footer or email [email protected].
The categories of personal information that have been the subject of such sharing in the preceding 12 months are limited to identifiers; internet or other electronic network activity information; and inferences derived from the foregoing for advertising attribution.
We do not knowingly sell or share the personal information of consumers under 16 years of age. We do not sell or share the contents of documents you upload, your account-level personal information, or Signature Data.
8. Categories of Personal Information We Disclosed for a Business Purpose
In the preceding 12 months, we have disclosed the categories of personal information described in Section 2 to our service providers and contractors for business purposes. Biometric information is not collected and is therefore not disclosed.
9. How Long Your Personal Information Will Be Kept
We will keep your personal information while you have an account with us or while we are providing products or services to you. After that, we will keep it as necessary to respond to questions, complaints, or claims, to demonstrate fair treatment, or to satisfy legal requirements.
Executed documents and associated audit certificates are retained for the duration of your account and for the period required by you, your subscription plan, or applicable law, whichever is longer. After account termination, we retain executed documents and audit certificates as described in our Terms of Service. Audit-trail data necessary to support legal validity under the ESIGN Act, UETA, and eIDAS may be retained for up to ten years from execution.
Marketing contact details may be retained after account closure until you opt out of marketing communications under Section 5.
10. California Consumers: Your Rights Under the CCPA/CPRA
You have the right to know, request disclosure, opt out of sale or sharing, limit use of sensitive personal information, request deletion, request correction, and not be retaliated against for exercising your rights.
To exercise these rights, email [email protected]. To opt out of sale or sharing, use the "Cookie Preferences" link in our footer or email us.
Authorized agents may submit requests on your behalf with proof of authorization. We will not discriminate against you for exercising your privacy rights.
10A. Other U.S. State Rights
If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Florida, Delaware, New Jersey, or another applicable U.S. state, you may have rights similar to California consumers, including access, correction, deletion, portability, and opt-out rights. To exercise these rights, email [email protected]. If you are dissatisfied with our response, you may have a right to appeal; instructions will be provided in our response.
11. EEA/UK Data Subjects: Your Rights Under the EU/UK GDPR
You have the right to be informed, access, rectify, erase, restrict processing, port your data, object, and not be subject to solely automated decision-making that produces legal or similarly significant effects.
To exercise any of your rights, contact [email protected]. You also have the right to lodge a complaint with your local data-protection supervisory authority.
12. How to Exercise Your Rights
If you would like to exercise any of your rights as described in this Privacy Policy, email [email protected]. We may need to verify your identity before responding, and we will use information collected solely for that purpose.
13. Where Your Personal Information is Held
Information may be held at our offices and those of our affiliates, third-party agencies, service providers, representatives, and agents. Some of these third parties may be based outside the EEA, the UK, and Switzerland.
14. Transferring Your Personal Information Out of the EEA, UK, or Switzerland
To deliver services to you, it is sometimes necessary for us to share personal information outside the EEA, the UK, or Switzerland. These transfers are subject to special rules.
Where we transfer information to a country without an adequacy decision, we use approved transfer mechanisms such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent Swiss safeguards. Most of our cloud-hosting and data-storage infrastructure is located in the United States.
If you would like a copy of the relevant safeguards, please contact [email protected].
15. Keeping Your Personal Information Secure
We have appropriate technical and organizational security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorized way. These measures include encryption of personal information in transit (TLS 1.2 or higher) and at rest, role-based access controls, logging and monitoring, regular penetration testing, and incident-response procedures.
We limit access to your personal information to those who have a genuine business need. We will notify you and any applicable regulator of a suspected breach where legally required. While we work hard to protect your information, no method of transmission over the Internet or electronic storage is 100% secure.
16. EEA/UK Data Subjects: How to File a GDPR Complaint
We hope to resolve any query or concern you raise about our use of your information. The GDPR also gives you the right to lodge a complaint with a supervisory authority in the EU/EEA state where you work, normally live, or where any alleged infringement occurred. A list of relevant authorities is available at https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.
17. Changes to This Privacy Notice
This privacy notice was last updated on May 7, 2026. We may change this privacy notice from time to time and will inform you via notice on our website.
18. How to Contact Us
GO FLOWSIGN LLC, Attn: Privacy, 420 Carroll Street, FL 2 Suite 220, Brooklyn, NY 11215.
Email: [email protected].
19. Accessibility
If you would like this notice in another format, such as audio, large print, or braille, please contact us using the details above.
20. Cookies and Similar Technologies
We and our service providers use cookies, web beacons, pixels, software development kits, and similar technologies to operate the Services, remember your preferences, measure how the Services are used, and provide and measure relevant advertising.
You can control non-strictly-necessary cookies through the "Cookie Preferences" link in our website footer or, in the EEA/UK, through the consent banner. You can also use your browser settings to block or delete cookies. A more detailed Cookie Notice is available at .
21. Children's Privacy
The Services are not directed to children under the age of 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact [email protected] and we will take steps to delete the information.
22. Health Information and HIPAA
FlowSign is not a covered entity under HIPAA. To use the Services to handle Protected Health Information (PHI), you must enter into a written Business Associate Agreement (BAA) with FlowSign before processing any PHI through the Services.
The presence of references to "healthcare" or "HIPAA-compliant forms" on our marketing pages does not by itself constitute a BAA or evidence that you have one in place. To request a BAA, contact [email protected].
23. Customers as Controllers; FlowSign as Processor
When you use the Services as the originator of a document or signature workflow (a "Sender"), the personal information of your signers and recipients is processed on your behalf. With respect to that information, you are the controller or business and FlowSign is the processor or service provider.
FlowSign offers a Data Processing Addendum (DPA) for customers who require one — please contact [email protected] to request a copy.
24. Automated Decision-Making and AI Features
Certain features of the Services, including AI contract generation and AI-assisted document review, use third-party large-language-model providers such as OpenAI. Inputs and outputs of these AI features may be processed in the United States and other locations.
We do not use the contents of customer documents to train third-party generative-AI models, and we contractually require our AI subprocessors to provide equivalent protections where available. AI features do not produce decisions that have legal or similarly significant effects on you without human review.
25. Do Not Track and Global Privacy Control
Some web browsers offer Do Not Track signals or Global Privacy Control (GPC). We honor GPC signals as opt-out-of-sale/sharing requests on our marketing site for visitors located in jurisdictions where this is required by law.