OneSign


ZPresso LLC

Sharjah Media City (SHAMS) Free Zone, United Arab Emirates

Questions? legal@onesign.click

Privacy Policy

Effective date: April 17, 2026
Last updated: April 17, 2026

This Privacy Policy explains how ZPresso LLC (“OneSign”, “we”, “us”) collects, uses, and shares personal data when you visit onesign.click, create an account, sign or send documents, or otherwise interact with the OneSign service (the “Service”).

We designed this policy to meet the transparency requirements of the EU General Data Protection Regulation (“GDPR”), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (“CCPA/CPRA”), Canada’s PIPEDA, Brazil’s LGPD, and the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“UAE PDPL”). Where any of those laws gives you stronger rights, those rights apply.

1. Controller and contact

The controller of your personal data is:
ZPresso LLC
Sharjah Media City (SHAMS), P.O. Box 839, Sharjah, United Arab Emirates
Trade licence: 2115421.01
Email: privacy@onesign.click

For questions about this policy or to exercise your privacy rights, contact us at privacy@onesign.click.

2. Our role

We act as a controller of personal data that concerns our account holders (for example, the name and email address you use to register) and visitors to our website.

When our customers upload documents to the Service and invite people to sign them, the information contained in those documents and the signers’ contact details are processed by us as a processor on behalf of our customer, who is the controller. In that case, the customer’s own privacy notice governs how that data is used, and we only process the data in accordance with the customer’s instructions and our Data Processing Agreement.

3. What we collect

a. Account data

When you register for the Service we collect your name, email address, password (stored as a salted hash), company name (optional), and any profile information you choose to provide. For paid plans, we also collect billing details; card numbers are handled by our payment processor and are not stored on our servers.

b. Document and signature data

When you upload a document, create a template, or send a document for signature, we store the document, the fields you configure, the recipients’ names and email addresses, the signatures applied (drawn, typed, or uploaded images), any data the signer enters into form fields, and an audit trail describing the signing event.

c. Audit and integrity data

To make e-signed documents defensible, we record events such as the time a document was viewed or signed, the IP address from which each event occurred, the user-agent string of the signer’s browser, and the unique token used to access the signing link. This data forms the audit trail embedded in or attached to the signed document.

d. Usage and device data

We collect standard web-server logs (IP address, date, time, request path, response status, referrer) and limited product-usage telemetry (pages viewed, features used) to operate, secure, and improve the Service. See our Cookie Policy for details about cookies and similar technologies.

e. Communications

If you contact us by email or through the Service, we keep a record of the correspondence to respond to you and maintain support history.

f. What we do not collect

We do not knowingly collect personal data from children under 16. We do not collect special-category personal data (such as health, racial or ethnic origin, religious beliefs, or biometric data for identification) unless you or a signer chooses to include it in a document.

4. Why we use your data and our legal bases (EU/UK)

Purpose | Categories of data | Legal basis (GDPR / UK GDPR)
Providing, operating, and securing the Service | Account, document, audit, usage | Performance of a contract (Art. 6(1)(b))
Billing, invoicing, and tax records | Account, billing | Contract and legal obligation (Art. 6(1)(b), (c))
Detecting, preventing, and responding to fraud, abuse, and security incidents | Account, audit, usage | Legitimate interests in protecting the Service and our users (Art. 6(1)(f))
Product analytics and improvement of features and reliability | Usage, device | Legitimate interests (Art. 6(1)(f)) or consent where required
Sending service and transactional emails | Account, communications | Contract (Art. 6(1)(b))
Marketing emails about new features or offers | Account, communications | Consent (Art. 6(1)(a)) or soft opt-in where permitted
Complying with legal obligations and defending claims | All | Legal obligation / legitimate interests (Art. 6(1)(c), (f))

5. Who we share data with

We share personal data only with the following categories of recipients:

  • Signers and document recipients you invite through the Service — they receive the document and your identifying information.
  • Sub-processors that provide hosting, email delivery, analytics, customer support, and payment processing on our behalf. A current list is maintained at /legal/subprocessors. Each sub-processor is bound by written contract, confidentiality, and appropriate data-protection terms.
  • Professional advisers such as lawyers, auditors, and accountants, subject to confidentiality.
  • Authorities and law enforcement where required by law, court order, or valid legal process, or to exercise or defend our legal rights.
  • Acquirers and successors in the event of a merger, acquisition, reorganisation, or sale of assets, subject to this policy’s commitments continuing to apply.

We do not sell or rent your personal data, and we do not “share” personal data for cross-context behavioural advertising as those terms are defined under CCPA/CPRA.

6. International transfers

We are based in the United Arab Emirates and our sub-processors may be located in the United States, the European Economic Area, the United Kingdom, or other countries. Where personal data of residents of the EEA, UK, or Switzerland is transferred to a country that has not been deemed adequate by the relevant authority, we rely on the European Commission’s Standard Contractual Clauses (Decision (EU) 2021/914) and, where needed, the UK International Data Transfer Addendum, together with supplementary technical and organisational measures. A copy is available on request at privacy@onesign.click.

Transfers of personal data out of the UAE are made in compliance with Articles 22–23 of the UAE PDPL, which permit transfers to jurisdictions with an adequate level of protection or on the basis of appropriate safeguards such as contractual clauses.

7. How long we keep data

Category | Retention
Account data | For the life of your account + up to 30 days after deletion, then irreversibly deleted or anonymised
Completed signed documents and audit trails | For the life of your account; available for download for 30 days after account termination unless you delete them earlier
Billing and tax records | As required by UAE tax law and other applicable law, typically 5 years
Server and security logs | Up to 12 months, unless retained longer for investigation
Marketing preferences / unsubscribes | Indefinitely, to honour your opt-out

8. Your rights

Subject to your jurisdiction, you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data rectified and incomplete data completed;
  • request erasure of personal data where one of the grounds under Art. 17 GDPR / applicable law applies;
  • request restriction of processing or object to processing based on our legitimate interests;
  • receive your data in a structured, commonly used, machine-readable format and have it transmitted to another controller (data portability);
  • withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing;
  • not be subject to a decision based solely on automated processing that produces legal or similarly significant effects — we do not carry out such decision-making;
  • lodge a complaint with your local data-protection supervisory authority. EU residents can find theirs at edpb.europa.eu; UK residents can contact the ICO at ico.org.uk; UAE residents can contact the UAE Data Office.

California residents (CCPA/CPRA)

Californians additionally have the rights to know, delete, correct, and limit the use of sensitive personal information, and to opt out of the sale or sharing of personal information. As stated above, we do not sell or share personal information for cross-context behavioural advertising. To exercise your rights, email privacy@onesign.click. We will not discriminate against you for exercising your rights.

To exercise any of these rights, email privacy@onesign.click. We may need to verify your identity before acting on your request. We respond within 30 days (or the period required by applicable law).

9. Security

We protect personal data with encryption in transit (TLS 1.2+) and at rest, role-based access controls, audit logging, least-privilege operational access, and regular backups. Our full approach is summarised on our Security page. No system is perfectly secure; we encourage you to use strong, unique passwords and to report any suspected vulnerability to security@onesign.click.

10. Automated decisions and profiling

We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing.

11. Cookies

See our Cookie Policy.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the Service or by email at least 14 days before they take effect. The “Last updated” date at the top of this page always reflects the latest version.

13. Contact

If you have questions or concerns, or wish to exercise any of the rights described above, please contact our privacy team at privacy@onesign.click.

© 2026 ZPresso LLC. All rights reserved.
