Last updated: May 7, 2026
Signatura, operated by Austrat Trading Corp. (“Signatura,” “we,” or “us”), provides an electronic signature platform. This Privacy Policy describes how we collect, use, store, and share personal information.
The Service has two kinds of users, and our role differs between them:
A separate notice for signers is at getsignatura.com/signer-privacy.
Austrat Trading Corp., operating as Signatura.
Registered office: 3310 Jackson Crt, Kelowna, BC V1Y 2T6, Canada.
Contact channels:
Privacy Contact: Silas Allan, privacy@getsignatura.com.
Signatura is a Canadian company operating internationally. Our infrastructure runs in the United States. We have not yet appointed an Article 27 representative in the European Union or the United Kingdom — we will appoint one when our user base in those regions justifies a dedicated contact. Until then, users in any region can reach us directly at privacy@getsignatura.com, and Section 12 below explains how to exercise your rights and lodge complaints with the supervisory authority in your jurisdiction.
Within the preceding 12 months, we have collected personal information from these sources:
The table below states, for each of the 12 personal-information categories enumerated by the California Privacy Rights Act (Cal. Civ. Code § 1798.140(v)), whether we have collected information in that category within the preceding 12 months. Categories of recipients, business purposes, and retention periods for any category we do collect are described in Sections 5, 6, and 7.
| Category | Collected (last 12 months) | What, specifically | Sources |
|---|---|---|---|
| 1. Identifiers | Yes | Name, email, IP address, user account ID, signing-token claim, signer email | You, document senders, your device |
| 2. Customer records (Cal. Civ. Code § 1798.80(e)) | Yes | Billing address, phone number, payment metadata (no full card details) | You, Stripe |
| 3. Characteristics protected by California or federal law | No | Not collected. | — |
| 4. Commercial information | Yes | Subscription tier, transaction history, document-send counts, Auto-Sign usage counts | You, Stripe |
| 5. Biometric information | No | Not collected. Signature and initials images are graphical representations of a signature, not biometric identifiers as defined by Cal. Civ. Code § 1798.140(c) and we do not use them to uniquely identify a consumer. | — |
| 6. Internet or network activity | Yes | Access logs, document-interaction events, signing-flow audit events | Your device |
| 7. Geolocation data | Yes (approximate) | City-level geolocation derived from IP address. We do not collect precise geolocation (GPS-grade). | Your device (via IP) |
| 8. Audio, electronic, visual, thermal, olfactory, or similar information | No | Not collected. We do not record audio, video, or other sensory data. Document images you upload are stored as document content for contract performance only. | — |
| 9. Professional or employment-related information | Yes (if you provide) | Company name, job title, branding assets (optional profile fields) | You |
| 10. Education information (FERPA-protected) | No | Not collected. | — |
| 11. Inferences | No | We do not generate inferences from your personal information to create profiles reflecting preferences, characteristics, behavior, attitudes, intelligence, or abilities. | — |
| 12. Sensitive Personal Information (CPRA) | No | Not collected. See Section 4 for the full list of categories treated as Sensitive Personal Information and our position on each. | — |
Sale and sharing: Within the preceding 12 months we have not sold personal information for monetary or other valuable consideration, and we have not shared personal information for cross-context behavioral advertising (CCPA/CPRA terms). We do not have a “Do Not Sell or Share My Personal Information” link because we do not engage in either activity; if that ever changes, we will update this policy and provide the link before doing so.
Disclosure for business purposes: We disclose personal information in every category we collect to our service providers and contractors (Stripe, Supabase, Resend, Cloudflare, and — only when you opt in to Auto-Sign — Anthropic) solely for the business purposes listed in Section 5 and subject to written contractual restrictions in each vendor's commercial terms. See Section 7 and our Sub-Processors page for details.
Signatura does not request or knowingly collect “Sensitive Personal Information” as defined by the CCPA/CPRA, “special categories of personal data” as defined by GDPR Article 9, or equivalent categories under other privacy laws (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data for unique identification, health data, sex life or sexual orientation, government identifiers).
If an account holder uploads a document that contains such information inside the document content, Signatura processes that information only as part of contract performance — we do not extract, analyze, or use it for inferring characteristics about you.
We process personal data only for the purposes listed below, each tied to a specific lawful basis:
We do not use your personal information for behavioral advertising, do not sell personal information, and do not share personal information for cross-context behavioral advertising (CCPA terms). We do not train AI models on your content; see Section 10.
We share personal data only with the limited set of sub-processors needed to operate the Service. We rely on each sub-processor's published commercial data-protection terms (which generally include Standard Contractual Clauses or Data Privacy Framework certification where the vendor offers them) for international transfers, rather than separately negotiated agreements.
Categories of recipients (GDPR terms): infrastructure and database providers; transactional email providers; payment processors; AI-analysis providers (only when Auto-Sign is opted in); optional cloud-storage providers (only when you connect them); and our legal, accounting, and professional advisors when needed.
See the full list at getsignatura.com/sub-processors.
We do not sell personal information and we do not share it for cross-context behavioral advertising. We do not engage in targeted advertising or build advertising profiles.
Personal data is processed primarily in the United States, where our infrastructure is hosted. For transfers from the European Economic Area, the United Kingdom, or anywhere else outside the United States, we rely on the international-transfer safeguards published by each sub-processor — which generally include EU Standard Contractual Clauses, the UK International Data Transfer Addendum, or EU–US Data Privacy Framework certification where the vendor offers them — supplemented by technical measures (TLS 1.3 in transit, AES-256 at rest, server-side encryption of credentials). Signatura has not separately negotiated transfer agreements with these vendors; we rely on their published commercial terms.
We use only essential cookies and browser storage needed to keep you signed in and operate the Service. We do not use analytics, advertising, social-media, or cross-site tracking technologies. Because we set no non-essential cookies, no consent banner is required. We honor the Global Privacy Control signal.
See our Cookie Notice for the full inventory.
In accordance with GDPR Article 22 and equivalent provisions in other laws, we disclose our use of automated processing for the optional Auto-Sign feature:
Signatura is designed to comply with applicable electronic signature laws:
Depending on where you live, you may have one or more of the following rights: to access the personal data we hold about you; to correct/rectify inaccurate data; to delete/erase your data; to object to or restrict certain processing; to data portability in a machine-readable format; to withdraw consent for processing based on consent; to opt out of certain processing (sale, sharing, targeted advertising, or significant-effects profiling); and to lodge a complaint with your local supervisory authority.
Account holders can exercise most rights through Settings > Security in the app (export, account deletion). Signers can exercise rights at getsignatura.com/signer-privacy. For anything else, email privacy@getsignatura.com — we aim to respond within 30 days.
We provide the rights below to California residents regardless of whether the CCPA's thresholds currently apply to us, both as good practice and to be ready as we scale.
We operate primarily online and have a direct relationship with each consumer whose information we collect, so under California Code of Regulations § 7020(c) we may provide a single submission method. That method is email to privacy@getsignatura.com. Account holders can also exercise the most common rights directly in the app at Settings > Security (data export, account deletion). Signers without a Signatura account can use the OTP-verified self-service form at getsignatura.com/signer-privacy.
In line with the verification standards in §§ 7060–7062 of the CCPA Regulations:
You may designate an authorized agent to submit a request on your behalf under § 7063 of the Regulations. The agent must provide either (i) a power of attorney granted under Cal. Probate Code §§ 4000–4465, or (ii) written permission signed by you authorizing the agent to act on your behalf, together with verification that the agent is who they claim to be. We may also contact you directly to confirm that the agent has authority.
We will confirm receipt of your request within 10 business days and provide a substantive response within 45 calendar days of receipt. If we need more time we will notify you and may take up to an additional 45 days (90 days total), with an explanation of the reason.
The Service is not directed to individuals under 18 (see Section 15). We do not knowingly collect personal information from minors. If we ever sold or shared personal information for cross-context behavioral advertising — which we do not — we would require opt-in consent from minors aged 13–15 and from a parent or guardian for children under 13, as required by Cal. Civ. Code § 1798.120(c).
We do not offer financial incentives or price/service differences in exchange for personal information.
If we deny a rights request, you may appeal by replying to the denial within 60 days; we will respond within 60 days of receiving the appeal. If CCPA thresholds apply to us in a calendar year, we will publish 12-month rights-request metrics on this page.
To the extent state law applies to us (most US state privacy laws have business-size and consumer-volume thresholds), residents of Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, Iowa, Indiana, Kentucky, Maryland, Minnesota, Nebraska, Rhode Island, Tennessee, and Utah have rights to access, correct, delete, port, and opt out of targeted advertising, sale, and significant-effects profiling. We do not engage in any of those activities. If we deny a rights request, you may appeal within 60 days by replying to the denial; we will respond within 60 days of receiving the appeal.
Signatura follows GDPR principles. We have not yet appointed an Article 27 representative in the EEA. Until we do, EEA users can exercise their rights — access, rectification, erasure, restriction, objection, portability, and withdrawal of consent — by emailing privacy@getsignatura.com directly. You also have the right to lodge a complaint with your national supervisory authority. The full list is available at edpb.europa.eu; common ones include CNIL (France), BfDI (Germany), AEPD (Spain), Garante (Italy), AP (Netherlands), and DPC (Ireland).
Signatura follows UK GDPR principles. We have not yet appointed a UK Article 27 representative. UK users can exercise their rights by emailing privacy@getsignatura.com and may lodge a complaint with the Information Commissioner's Office (ico.org.uk).
We implement industry-standard security measures including TLS 1.3 in transit, AES-256 at rest, row-level security policies in the database, server-side OAuth-token encryption, document hash sealing (SHA-256), and audit-trail logging. Sensitive credentials are handled exclusively server-side and never exposed to the browser. See our Security page for the full details.
If we become aware of a personal-data breach affecting you, we will notify you and any applicable supervisory authority without undue delay and within the timeframes required by applicable law. Our notice will include the nature of the breach, the categories and approximate number of affected individuals and records, the likely consequences, and the measures we have taken or intend to take.
Signatura is not intended for use by individuals under the age of 18, and we do not knowingly collect personal information from anyone under 18. We do not knowingly process personal information from US children under 13 (per COPPA) or from EEA children under 16 (per GDPR Article 8; the digital-consent age varies by member state, ranging from 13 to 16). If you believe a child has provided us personal information, contact us at privacy@getsignatura.com and we will delete it.
We may update this Privacy Policy from time to time. For material changes, we will notify account holders by email at least 30 days in advance. We will also publish updates to our sub-processor list at getsignatura.com/sub-processors at least 30 days before any change takes effect. Continued use of the Service after a non-material update constitutes acceptance of the updated policy.
For privacy-related inquiries, contact us at privacy@getsignatura.com.
Austrat Trading Corp.
Operating as Signatura
3310 Jackson Crt
Kelowna, BC V1Y 2T6
Canada