LEGAL

Privacy Policy

Last updated: April 20, 2026 · Effective: April 20, 2026

This Privacy Policy explains how SahlSigncollects, uses, shares, and protects personal data in connection with our electronic signature platform (the “Service”). This policy is written to satisfy our obligations under the Qatar Personal Data Privacy Protection Law (Law No. 13 of 2016, “PDPPL”), the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (“UAE PDPL”), the KSA Personal Data Protection Law (Royal Decree M/19 of 2021, “KSA PDPL”), and the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).

1. Who We Are

Data Controller: SahlSign, with registered address at Doha Tower, Al Corniche Street, West Bay, Doha, Qatar. For documents you send to third-party signers, SahlSign generally acts as a data processor on your behalf; for information about your own SahlSign account, we act as a data controller.

Data Protection Officer: You can reach our DPO at privacy@sahlsign.com.

2. Data We Collect

2.1 Data you provide

  • Account data: name, work email, phone number, company name, country, password (hashed).
  • Billing data: VAT/tax registration number, billing address, payment method reference (we do not store full card numbers — these are tokenised by our payment provider).
  • Document content: the files you upload, fields you place, and messages you send to signers. We treat document content as confidential.
  • Signer data: when you send a document, you provide the recipient’s name, email, and (optionally) phone number.

2.2 Data collected automatically

  • Authentication events: login timestamps, session identifiers, one-time-password (OTP) delivery and verification events.
  • Signature events: the time and IP address at which a signer opened a document, viewed each page, and applied their signature. This is what forms the tamper-evident audit trail on the Certificate of Completion.
  • Device and network data: browser type and version, operating system, user agent string, IP address, approximate location derived from IP, referring URL.
  • Cookies and similar technologies: we use strictly-necessary session cookies for login state and CSRF protection; we do not use advertising cookies.

2.3 Sensitive data

We do not intentionally collect special categories of personal data (health, religion, biometrics, political opinions). If you upload a document containing such data, you are responsible for ensuring you have a valid legal basis to do so.

3. How We Use Your Data

PurposeLawful basis (GDPR / regional equivalents)
Provide the Service (authenticate users, send documents, capture signatures, produce the Certificate of Completion)Performance of a contract with you
Maintain a tamper-evident audit trail and retain signature evidenceLegal obligation; legitimate interest in the integrity of electronic transactions
Send transactional emails (invitations, reminders, completion notifications)Performance of a contract
Detect and prevent fraud, abuse, and security incidentsLegitimate interest; legal obligation
Process billing and collect feesPerformance of a contract; legal obligation (tax, accounting)
Send product updates and marketing communicationsConsent (you can withdraw at any time); soft opt-in where permitted by local law
Respond to legal requests and enforce our TermsLegal obligation; legitimate interest

4. Who We Share Data With

We share personal data only with the following categories of recipients, under written agreements requiring them to protect it:

  • Cloud hosting provider (Amazon Web Services) — infrastructure and storage.
  • Email delivery provider (Resend) — transactional emails.
  • Qualified timestamping authority (RFC 3161 TSA) — cryptographic timestamps on completed documents.
  • Payment processor — billing and subscription management.
  • Analytics provider — aggregated, privacy-preserving product analytics.
  • Professional advisers — auditors, lawyers, and accountants, under duties of confidentiality.
  • Law enforcement / regulators — only where compelled by valid legal process or where necessary to protect the rights, property, or safety of SahlSign, our users, or the public.

We do not sell your personal data. A current list of our sub-processors is available at privacy@sahlsign.com on request.

5. Hosting, Sub-processors, and Cross-Border Transfers

SahlSign uses the following infrastructure and sub-processors to deliver the Service. Because our managed database and certain sub-processors operate outside the GCC, the personal data listed below may be processed outside the country of residence of the data subject:

  • Managed Postgres database — currently Neon, hosted in a region outside the GCC (AWS us-east-1 / eu-central-1, confirmed at account provisioning). Stores account data, document metadata, audit trail entries, and (for documents cached after signing) document binary content.
  • Object storage — AWS S3, region as disclosed to the Customer at sign-up.
  • Email delivery — Resend (US). Processes recipient email addresses and message bodies for transactional invitation and notification emails.
  • Qualified timestamping authority — RFC 3161 TSA operated by a third-party trust service provider. Receives a cryptographic hash of your document — no document content or personal data.
  • Payment processor — as identified at checkout. Receives billing contact details and tokenised payment instrument references.

An up-to-date sub-processor list and the region of each is available on request at privacy@sahlsign.com. We commit to giving Customers at least 30 days’ notice before adding a new sub-processor so Customers can raise objections.

Where personal data is transferred outside a country whose data protection law applies to you, we rely on one or more of the following transfer mechanisms:

  • An adequacy decision recognised by the receiving country (e.g. EU Commission adequacy decisions under GDPR Art. 45; KSA PDPL adequacy decisions issued by SDAIA);
  • Standard Contractual Clauses as published by the European Commission (for EU/UK transfers), or equivalent clauses for UAE PDPL and KSA PDPL transfers;
  • Binding corporate rules;
  • Your explicit consent, where appropriate and permissible under the applicable law.

Data-residency options: Customers with a regulatory requirement to keep personal data inside a specific jurisdiction (for example, inside the GCC, the EU, or the UK) should contact us before subscribing. We will confirm in writing whether your requirement can be met on the standard plan or requires an enterprise data-residency arrangement.

6. Retention

  • Account data: retained while your account is active, then up to 180 days after closure (or longer if required by law) to allow reactivation and to complete outstanding tax/audit obligations.
  • Document content: retained for the duration of your subscription; after cancellation, you have 30 days to export before deletion.
  • Signature audit trail: retained for a minimum of seven (7) years after document completion to preserve the evidentiary value of the signature, as permitted by Qatar PDPPL Art. 15, UAE PDPL Art. 6, KSA PDPL Art. 18, and GDPR Art. 5(1)(e).
  • Billing records: retained for the period required by applicable tax law (typically 5–10 years).
  • Marketing preferences: retained until you opt out, plus a short period to ensure we continue to honour your choice.

7. Your Rights

Subject to applicable law, you have the right to:

  • Access — request a copy of the personal data we hold about you;
  • Rectification — correct inaccurate or incomplete data;
  • Erasure — request deletion of your data, subject to our legal retention obligations (e.g. we cannot delete signature audit trails that preserve the integrity of a document another party relies on);
  • Restriction — ask us to limit our processing in specific circumstances;
  • Portability — receive your data in a structured, machine-readable format;
  • Object — object to processing based on legitimate interests, including direct marketing;
  • Withdraw consent — where processing is based on consent, withdraw it at any time (this does not affect prior lawful processing);
  • Lodge a complaint — with your national data protection authority (e.g. the Compliance and Data Protection Department of the Ministry of Communications and Information Technology in Qatar; the UAE Data Office; the Saudi Data and AI Authority (SDAIA); or an EU supervisory authority).

To exercise these rights, email privacy@sahlsign.com. We will respond within 30 days; for complex requests, we may extend the period by up to two further months, and will tell you if so. We may ask for proof of identity to protect your data.

8. Security

We protect personal data using a defence-in-depth programme that includes:

  • TLS 1.2+ for all data in transit;
  • AES-256 encryption at rest;
  • Role-based access controls; principle of least privilege for personnel;
  • Audit logging of administrative access;
  • Cryptographic hash chains protecting the audit trail of every document;
  • PAdES-B-T sealing and qualified timestamping to detect post-signature tampering;
  • Regular vulnerability scanning; penetration testing before major releases;
  • Vendor due diligence and written data-processing agreements with every sub-processor.

We are working toward ISO/IEC 27001 and SOC 2 Type II certifications; our current status is available on request.

9. Breach Notification

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant regulator within 72 hours of becoming aware, as required by GDPR Art. 33, UAE PDPL Art. 9, KSA PDPL Art. 20, and Qatar PDPPL Art. 13. Where the breach is likely to result in a high risk to you, we will notify you directly without undue delay.

10. Children

The Service is not directed at and not intended for children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

11. Automated Decision-Making

We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects on you.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be notified to the account administrator by email and posted to this page at least 30 days before they take effect.

13. Contact Us

Questions, complaints, or rights requests can be directed to:

SahlSign Data Protection Officer
privacy@sahlsign.com
Doha Tower, Al Corniche Street, West Bay, Doha, Qatar