Privacy Policy

Last updated: April 20, 2026

ZDottedLine Inc., a Florida corporation ("Zdottedline," "we," "us," or "our"), operates the zdottedline.com website and e-signature platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By using the Service, you consent to the practices described in this Privacy Policy.

1. Information We Collect

Account Information

When you create an account, we collect your name, email address, company name, and password (stored as a bcrypt hash with cost factor 12 — never in plaintext).

Document Data

We store documents you upload for the purpose of obtaining signatures. Documents are encrypted at rest using AES-256 server-side encryption and accessible only through time-limited signed URLs (5-minute expiry).

Signature and Signing Evidence

When signers sign a document, we collect their signature image or text, IP address, user agent, browser fingerprint, and timestamp. This information is required for legal validity under the ESIGN Act, UETA, and eIDAS.

Payment and Billing Data

Subscription and payment information is processed by Stripe Inc. (our PCI DSS Level 1 compliant payment processor). We do not store credit card numbers, CVVs, or full payment card details on our servers. We receive and store only: subscription plan, billing cycle, payment status, and the last four digits of your payment method for display purposes.

Device and Technical Data

We automatically collect information about your device and connection, including IP address, browser type and version, operating system, screen resolution, referring URL, and pages visited within the Service.

Communication Data

We store records of signing notification emails, reminders, and service-related communications sent through the platform. We do not store the content of documents within emails — notifications contain only links to the signing interface.

Blockchain Integrity Data

When a document is completed, we generate cryptographic hashes (SHA-256) of signing events and anchor a Merkle root to the Polygon blockchain. Only cryptographic hashes are recorded on-chain — no document content, personal information, or signature images are stored on the blockchain. These hashes cannot be used to reconstruct or identify the original document content. Blockchain records are permanent and immutable by design and cannot be deleted, even upon account termination. See Section 8 for details.

2. How We Use Your Information

  • To provide, operate, and maintain the e-signature Service
  • To create and verify legally binding electronic signatures
  • To maintain audit trails as required by law (ESIGN Act, UETA, eIDAS)
  • To anchor document integrity proofs to the Polygon blockchain
  • To send signing notifications, reminders, and service-related communications
  • To process payments and manage subscriptions via Stripe
  • To detect, prevent, and address security threats and fraudulent activity
  • To comply with legal obligations, including responding to lawful requests from public authorities
  • To enforce our Terms of Service and protect our legal rights

3. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

  • Contract performance — To provide the Service you subscribed to (account data, document processing, signature collection)
  • Legitimate interests — To maintain security, prevent fraud, improve the Service, and operate our business (usage data, device data, audit logs)
  • Legal obligation — To maintain audit trails required by eIDAS and other regulations, and to respond to lawful government requests
  • Consent — For optional features such as marketing communications (which you may withdraw at any time)

4. Data Storage and Security

All data is stored on Amazon Web Services (AWS) infrastructure in the United States (us-east-1 region). We employ the following security measures:

  • AES-256 server-side encryption at rest for all documents (AWS S3)
  • TLS 1.2+ encryption for all data in transit with HSTS preload
  • Bcrypt password hashing (cost factor 12)
  • Short-lived JWT access tokens (15-minute expiry) with secure HttpOnly refresh cookies
  • Blockchain anchoring for immutable document integrity verification
  • AWS WAF, GuardDuty, and Security Hub for threat detection
  • Rate limiting on all API endpoints
  • Comprehensive audit logging of all data access

5. Data Sharing and Third-Party Services

We share personal data with the following categories of third-party service providers, solely for the purposes described:

| Provider | Purpose | Data Shared |
|---|---|---|
| Amazon Web Services | Cloud infrastructure, storage, email delivery | All Service data (encrypted at rest and in transit) |
| Stripe | Payment processing | Billing details, subscription data (card data tokenized by Stripe — never touches our servers) |
| Polygon Network | Document integrity verification | Cryptographic hashes only — no personal data or document content |

We do not sell, rent, or trade your personal data to third parties. We do not share your data with advertisers or data brokers.

We may disclose your information if required to do so by law or in response to valid legal process (subpoena, court order, or government request). We will notify you of such requests where legally permitted.

6. Data Retention

We retain your data according to the following schedule:

  • Account data: Retained for as long as your account is active, plus thirty (30) days after termination to allow data export
  • Document data: Retained according to your subscription plan and applicable legal requirements
  • Audit logs: Retained for seven (7) years to meet eIDAS and legal compliance requirements, then securely deleted
  • Blockchain records: Cryptographic hashes anchored to the Polygon blockchain are permanent and immutable — they cannot be deleted (see Section 8)
  • Payment records: Retained for seven (7) years as required by tax and financial regulations

You may request deletion of your account and associated data at any time, subject to the retention requirements above. For full details, see our Data Retention and GDPR Compliance page.

7. International Data Transfers

Data is stored and processed in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States.

For transfers from the European Economic Area, United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs) as the lawful transfer mechanism. A copy of the applicable SCCs is available upon request. Enterprise customers may execute a Data Processing Agreement (DPA) that incorporates these clauses — contact privacy@zdottedline.com.

8. Blockchain Data and Right to Erasure

When a document is completed, a cryptographic Merkle root (a SHA-256 hash) is permanently recorded on the Polygon blockchain. This hash is a one-way mathematical function — it cannot be reversed to reveal any personal data, document content, or signature information.

If you exercise your right to erasure (GDPR Article 17 or CCPA), we will delete your personal data from all systems under our control (databases, file storage, backups). However, the cryptographic hashes recorded on the Polygon blockchain cannot be deleted or modified by any party, including Zdottedline. Because these hashes contain no personal data and cannot be linked to an individual without access to our (deleted) internal records, we consider this compatible with data protection requirements.

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data (subject to legal retention requirements and blockchain limitations described in Section 8)
  • Object to or restrict processing of your data
  • Request data portability in a structured, machine-readable format
  • Withdraw consent at any time for consent-based processing
  • Lodge a complaint with your local data protection authority

To exercise any of these rights, contact us at privacy@zdottedline.com. We will respond within thirty (30) days.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: You may request the categories and specific pieces of personal information we have collected about you in the past twelve (12) months
  • Right to Delete: You may request deletion of your personal information, subject to legal exceptions
  • Right to Correct: You may request correction of inaccurate personal information
  • Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information as defined by the CCPA/CPRA
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

Categories of information collected in the last 12 months: Identifiers (name, email, IP address), commercial information (subscription and payment data), internet activity (usage data, device information), and professional information (company name, title).

To submit a CCPA request, contact us at privacy@zdottedline.com. We will verify your identity before processing your request.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:

  • Notify affected individuals without undue delay and no later than seventy-two (72) hours after becoming aware of the breach
  • Notify relevant supervisory authorities as required by GDPR Article 33 and applicable state breach notification laws
  • Provide details of the breach, the data affected, and the measures taken to address it

Our incident response procedures are documented in our internal Incident Response Plan, which defines severity classification, escalation procedures, containment steps, and post-incident review processes.

12. Cookies

We use essential cookies for authentication (session tokens) and security (CSRF protection). We do not use third-party advertising or tracking cookies. See our Cookie Policy for details.

13. Children's Privacy

Our Service is not directed to individuals under 18 years of age (or the age of majority in their jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child, we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice on the Service at least thirty (30) days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

15. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

ZDottedLine Inc.
Data Protection Contact
390 NE 191st St, STE 36983
Miami, FL 33179
Phone: (786) 693-4578
Email: privacy@zdottedline.com