Privacy Policy

This Privacy Policy explains how Seald, Inc. ("Seald", "we", "us") collects, uses, discloses, and protects personal information when you visit seald.nromomentum.com or use the Seald e-signature service (the "Service"). It covers visitors and users in the United States, the European Economic Area ("EEA"), and the United Kingdom ("UK").

1. Who we are

Seald is the controller of personal information collected through the Site and the Service, except where Seald processes personal information on behalf of a customer organization, in which case Seald is a processor and the customer is the controller. The terms of that processor relationship are set out in our Data Processing Agreement.

Privacy contact: privacy@seald.nromomentum.com

EU representative (Art. 27 GDPR): {{TODO: appoint before publication — {EU_REP_NAME} — appointment pending publication}}

UK representative (Art. 27 UK GDPR): {{TODO: appoint before publication — {UK_REP_NAME} — appointment pending publication}}

Data Protection Officer: Seald has not appointed a DPO. Our processing does not meet the GDPR Article 37(1) thresholds (no large-scale processing of special categories, no large-scale systematic monitoring of public areas). All privacy enquiries are handled by the address above.

2. Categories of personal information we collect

2.1 From you directly

  • Identifiers — name, email address, optional phone number.
  • Account credentials — authentication tokens and password hashes (Seald does not store plaintext passwords).
  • Customer Content — PDF documents you upload, fields you place, recipients you invite, signatures you draw or type, and templates you save.
  • Commercial information — when paid tiers are introduced, billing details (handled by our payment processor; Seald does not store full card numbers).
  • Communications — emails, support tickets, and feedback you send us.

2.2 Automatically

  • Internet and network activity — IP address, user-agent string, pages requested, timestamps, referrer.
  • Audit-event metadata — for each envelope: viewed / consented / signed / declined / sealed events together with IP, user-agent, UTC timestamp, and SHA-256 document hashes.
  • Cookies and similar technologies — see our Cookie Policy.

2.3 From third parties

  • Trusted timestamp tokens issued by an RFC 3161 Time-Stamp Authority.
  • Email-delivery telemetry from our transactional email provider (open, bounce, complaint signals — not message content).

2.4 Sensitive personal information (CCPA/CPRA § 1798.140(ae))

Seald does not intentionally collect Social Security numbers, driver's-license numbers, financial-account credentials, precise geolocation, racial or ethnic origin, religious beliefs, mail/email contents (other than transactional email metadata), genetic data, biometric identifiers used for unique identification, health, sex life or orientation, citizenship, or immigration status. A user may, however, choose to upload a document that contains such information; that content is treated as Customer Content and is not used for any purpose other than providing the Service. Drawn-signature images are not used for biometric identification; they are stored as visual marks attached to a sealed PDF.

3. Purposes and lawful bases

Under the EU and UK General Data Protection Regulations ("GDPR" and "UK GDPR") we rely on the following lawful bases (Art. 6(1) GDPR):

| Purpose | Lawful basis |
| --- | --- |
| Provide the Service (account creation, document handling, signing, sealing, audit trail) | Contract — Art. 6(1)(b) |
| Send transactional emails (signing invitations, completion notices, account notifications) | Contract — Art. 6(1)(b) |
| Maintain security, prevent fraud and abuse, debug | Legitimate interests — Art. 6(1)(f) |
| Comply with legal obligations (e.g. record-retention under ESIGN § 7001(d) and UETA § 12) | Legal obligation — Art. 6(1)(c) |
| Improve the Service through aggregated, non-identifying analytics | Legitimate interests — Art. 6(1)(f) |
| Send optional product or marketing email | Consent — Art. 6(1)(a) |

You can object to processing based on legitimate interests at any time (see Section 8).

4. Recipients and sub-processors

We share personal information with service providers ("processors" / "service providers") who help us operate the Service. The current list, including transfer mechanisms, is available at /legal/sub-processors. We do not sell personal information and we do not share it for cross-context behavioral advertising as those terms are defined under California's CPRA (Cal. Civ. Code § 1798.140(ad), (ah)).

We may disclose personal information to comply with a legally binding request from a public authority, to enforce our Terms, or to protect the rights, safety, or property of Seald or others. In a corporate transaction (merger, acquisition, financing, or sale of assets) personal information may be transferred to the successor entity subject to this Privacy Policy.

5. International transfers

Seald processes personal information primarily in the United States. Our database, object storage, and authentication services run on Supabase in the AWS us-east-2 region; our cryptographic key service runs on AWS KMS in us-east-2; our content delivery and DNS run on Cloudflare's global network.

For personal information originating in the EEA, the UK, or Switzerland and transferred to the United States, we rely on the following transfer mechanisms (in priority order):

  • EU-U.S. Data Privacy Framework ("DPF") and the UK Extension and Swiss-U.S. Framework, where the recipient is certified.
  • Standard Contractual Clauses ("SCCs", Commission Implementing Decision (EU) 2021/914), Module 2 (controller-to-processor) or Module 3 (processor-to-processor), with the UK International Data Transfer Addendum or the UK International Data Transfer Agreement ("IDTA") for UK-origin data.

A Transfer Impact Assessment is available on request at privacy@seald.nromomentum.com.

6. Retention

| Category | Retention period |
| --- | --- |
| Completed envelopes (sealed PDF, audit events, original PDF) | Seven (7) years from completion, in line with U.S. statute-of-limitations defaults and the UK Limitation Act 1980. Configurable per environment via ENVELOPE_RETENTION_YEARS=7. |
| Authentication and access logs | Eighteen (18) months |
| Account profile and contact data | Until you request deletion, plus a 30-day grace window during which a closed account can be restored |
| Encrypted backups | Thirty-five (35) days, after which they are overwritten |
| Support correspondence | Three (3) years from the last interaction |

If a record is required by law, court order, or active dispute, we retain it for the longer of the period above and the period legally required.

7. Your rights — EEA and UK

If the GDPR or the UK GDPR applies to our processing of your personal information, you have the following rights:

  • Access — Art. 15
  • Rectification — Art. 16
  • Erasure ("right to be forgotten") — Art. 17
  • Restriction of processing — Art. 18
  • Notification of recipients — Art. 19
  • Data portability — Art. 20
  • Objection — Art. 21, including an absolute right to object to direct marketing
  • No solely-automated decisions with legal or similarly significant effect — Art. 22 (Seald does not currently make such decisions about you)
  • Withdraw consent at any time where consent is the lawful basis
  • Lodge a complaint with a supervisory authority — for example the Irish Data Protection Commission, the UK Information Commissioner's Office (ICO), or your local member-state authority

To exercise any of these rights, use our privacy choices form or email privacy@seald.nromomentum.com. We will acknowledge within ten (10) business days and respond within one month, extendable by up to two further months for complex requests with notice. We handle requests free of charge unless your request is manifestly unfounded or excessive.

8. Your rights — California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Iowa, Delaware, New Hampshire, New Jersey

Depending on your state of residence, you may have rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Colorado Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, the Texas Data Privacy and Security Act, the Oregon Consumer Privacy Act, the Montana Consumer Data Privacy Act, the Iowa Consumer Data Protection Act, the Delaware Personal Data Privacy Act, New Hampshire SB 255, and the New Jersey Data Privacy Act.

  • Right to know what categories and specific pieces of personal information we have collected, the sources, the purposes, and the recipients (CCPA § 1798.110, § 1798.115).
  • Right to delete personal information we collected from you (CCPA § 1798.105).
  • Right to correct inaccurate personal information (CCPA § 1798.106).
  • Right to portability.
  • Right to opt out of "sale" or "sharing" for cross-context behavioral advertising (CCPA § 1798.120). Seald does not sell personal information and does not share for cross-context behavioral advertising.
  • Right to limit the use of sensitive personal information (CCPA § 1798.121). Seald does not use sensitive personal information for purposes that would require this election.
  • Right to opt out of profiling with legal or similarly significant effects (CO/CT/VA/OR).
  • Right of appeal if we deny a request (CO/CT/VA and others).
  • Right to non-retaliation for exercising any of these rights.

To exercise these rights, use our privacy choices form or email privacy@seald.nromomentum.com. We will acknowledge within ten (10) business days and fulfill within forty-five (45) calendar days, extendable by up to forty-five (45) days with notice for complex requests. We may verify your identity by matching the information in your request against the information in your account. An authorized agent must provide written permission from the consumer.

8.1 Global Privacy Control

Seald honors the Global Privacy Control ("GPC") browser signal as a valid opt-out of "sale" and "sharing" under California's CCPA Regulations § 7025 and the equivalent universal-opt-out mechanisms required by Colorado and Connecticut. When we detect a GPC signal we treat it as an opt-out for the visiting browser; signed-in users can also record the choice on their account.

8.2 12-month look-back

For California right-to-know requests we will report on the prior twelve (12) months of personal-information practices.

9. Security

We protect personal information with technical and organizational measures appropriate to the risk, including encryption at rest with AES-256, encryption in transit with TLS 1.3, hardened access controls to our cryptographic key service (AWS KMS), audit logging, and least-privilege access for personnel. Document seals use the PAdES long-term-validation profile (ETSI EN 319 142) anchored by RFC 3161 trusted timestamps; audit events are chained with SHA-256 to make tampering detectable. No method of transmission or storage is perfectly secure.

Suspected security issues should be reported to security@seald.nromomentum.com.

10. Children

The Service is not intended for children under sixteen (16) and is not directed to children under thirteen (13). Seald does not knowingly collect personal information from a child under thirteen in violation of the U.S. Children's Online Privacy Protection Act ("COPPA", 15 U.S.C. § 6501 et seq.). If you believe a child has provided personal information to Seald, please contact privacy@seald.nromomentum.com and we will delete it.

11. Cookies and similar technologies

For the cookies and scripts we set, their purposes, lifetimes, and how to opt out, see our Cookie Policy.

12. Changes to this Policy

We will update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes will be communicated by email or in product at least thirty (30) days before they take effect.

13. Contact

Privacy questions and rights requests: privacy@seald.nromomentum.com

Sub-processor change subscription: subscribe-subprocessors@seald.nromomentum.com

Security: security@seald.nromomentum.com