Privacy Policy
This policy describes how Filosign processes personal data for encrypted document workflows, wallet-based signing, analytics, billing, and payout packets.
Last updated: June 20, 2026
Version 2026-06-20
1. Who operates Filosign
The Service is operated by Kartikay Tiwari, trading as Filosign. Contact: privacy@filosign.xyz (privacy) and support@filosign.xyz (support).
2. Data Fiduciary and Merchant of Record roles
Under applicable data protection frameworks, including the India Digital Personal Data Protection (DPDP) Act, 2023, different parties may process personal data as follows:
- Filosign as Data Fiduciary (DPDP): We act as fiduciary for personal data needed to operate the Service, including account registration, display profiles, workspace and signing metadata, security and operation logs, support communications, and non-essential product analytics (where consent applies).
- Dodo Payments, Inc. as Merchant of Record: When you purchase a paid subscription, Dodo Payments, Inc. is the legal seller and acts as an independent controller for checkout and payment data (such as payment method details, billing address where collected, tax identifiers, fraud signals, and transaction records). That processing is described in Dodo's privacy policy. We receive limited billing identifiers and subscription status from Dodo to provision your plan.
- Filosign as Processor: When a customer uploads encrypted documents, recipient details, and signer inputs to run an envelope, we process that data on the customer's instructions. The customer initiating the workflow remains the data fiduciary/controller for their recipients and signers.
3. Who this policy covers
This policy applies to individuals whose personal data is processed by Filosign websites, applications, and APIs ("Service"). In these terms, individuals are referred to as "Data Principals" (under the DPDP Act).
4. Data we process
We process the following categories of personal data:
- Account and profile data such as email, wallet address, display name, profile fields, authentication identifiers, and linked accounts.
- Organization and team data such as members, roles, invitations, subscription status, and workspace settings.
- Recipient and workflow data such as names, emails, roles, permissions, timestamps, document titles, status, and audit events.
- Encrypted document content and encrypted key envelopes.
- Signing records, proof packets, acknowledgements, signature metadata, and related audit records.
- Optional payout attachment metadata such as token, amount, payer, recipient, rule identifiers, transaction hashes, allowance status, and payout status.
- Billing identifiers such as plan, checkout status, Dodo customer or subscription identifiers, and subscription events (not full payment card data).
- Operational data such as device, browser, IP address, logs, analytics events, crash reports, support messages, and security events.
5. Purposes of processing
- Contract performance: account authentication, requested signing workflows, workspace administration, support, and subscription provisioning.
- Legitimate business interests: service security, fraud and abuse prevention, reliability, limited operational analytics, and establishment or defense of legal claims.
- Legal obligation: tax, accounting, regulatory, sanctions, lawful-request, and incident-response duties that apply to us.
- Consent: non-essential browser analytics and other processing for which applicable law requires consent. Consent can be withdrawn without affecting earlier lawful processing.
Account, authentication, and workflow data marked as required are necessary to provide the requested Service. Without them, we may be unable to create an account, authenticate you, deliver a document, or complete a requested workflow.
We may receive recipient names, email addresses, roles, and workflow instructions from the customer or sender rather than directly from the recipient. We may also receive authentication and wallet data from thirdweb, billing status from Dodo, delivery events from email providers, and public transaction data from blockchain networks.
6. Encrypted document content
Filosign is designed so document contents are encrypted client-side in the browser before upload. We store encrypted ciphertext and encrypted key material needed to run the workflow. Filosign does not hold decryption keys, and in normal operation, we cannot read plaintext document contents.
Encryption does not make all related data private. We still process metadata, participant details, wallet addresses, timestamps, transaction hashes, billing records, and support information needed to operate the service.
7. On-chain data
Blockchain transactions and contract records are public. Filosign does not control public network data, and deletion requests cannot remove data from a public blockchain. On-chain records are designed to avoid plaintext document contents, but transaction metadata may still be publicly observable.
8. How we use data
We use data to operate signing workflows, authenticate users, route documents, generate proof exports, show payout status, prevent abuse, enforce entitlements, provision subscriptions, improve the product, respond to support requests, and protect the service.
Filosign does not sell personal data for advertising and does not use user documents to train AI models. The app does not currently use AI vendors to process document contents.
9. Service providers
We use service providers for hosting, storage, email, analytics, authentication, billing, blockchain infrastructure, and support. See our Subprocessors page for the current register. For our current processor posture, see the Data Processing Overview. It is not a binding data processing agreement.
10. Analytics and cookies
We may use PostHog for optional product analytics to understand usage and improve workflows. Analytics are non-essential. Where required by law, we ask for consent before enabling PostHog in the app. You can change this choice anytime under Profile settings.
Our marketing site may use Cloudflare Web Analytics for aggregate, cookie-free traffic metrics. That service does not replace in-app product analytics and is separate from PostHog.
Some cookies or local storage may be necessary for authentication, session state, preferences, wallet flows, and security. You can control browser cookies through your browser settings, but disabling necessary storage may break parts of the app.
11. Data Retention Schedule
We process and retain different categories of personal data according to the following schedule:
| Data Category | Retention Period | Action Post-Retention |
|---|---|---|
| Document Envelopes (Ciphertext) | While needed to provide the active workspace, signing, export, and purchased retention or archival service, plus any stated export period. | Deleted from operator-controlled storage when the applicable service and retention period ends, subject to legal holds, backup handling, and decentralized archival commitments. |
| Active Hot Storage Cache | While the envelope is active and through the hot-storage window that begins when routing completes (not a fixed calendar period). Replication to archival storage may proceed after that window even if the sender has not exported a compliance packet. | Deleted from hot object storage after verified replication or when no continuing retention applies. |
| Signed Evidence and Proof Metadata | For the applicable legal-claims, dispute, security, and recordkeeping period. Public blockchain data follows the network's own retention. | Core evidence may be retained while directly identifying metadata is redacted or minimized where lawful. |
| Account Profile & Metadata | Retained while your account remains active. | Deleted or anonymized after a valid erasure request and operational processing, except where retention is legally permitted or required. |
| Archived Drafts and Expired Invites | Archived draft artifacts are scheduled for purge after 30 days. Expired unclaimed invitations are scheduled for purge after 90 days. | Eligible database rows and operator-controlled objects are deleted by lifecycle jobs. |
| Security Logs, Request Metadata, and Backups | According to operational need, provider schedules, and legal obligations. Compliance request IP and user-agent metadata is scheduled for redaction after 365 days. | Rotated, redacted, or overwritten. If erased data is restored from backup, the erasure or anonymization process is reapplied before normal operation resumes. |
You may request export or deletion of your account data, encrypted documents, metadata, and stored files where feasible. We may retain records needed for security, billing, taxes, fraud prevention, dispute handling, legal obligations, or backups. Please note that we cannot delete or modify data recorded on a public blockchain, such as smart contract calls, transaction hashes, or wallet balances.
12. Rights of Data Principals (India, US)
Depending on your location, you may have rights such as access, correction, deletion, restriction, objection, portability, withdrawal of consent, nomination (under India's DPDP Act), and grievance redressal. US state laws may provide additional rights for residents of certain states.
- Access and information: Request details about personal data we process about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request erasure where applicable. We cannot erase public blockchain records or data we must retain for legal compliance.
- Consent withdrawal: Where processing is based on consent (e.g., analytics), withdraw consent via in-product controls.
- Portability / objection / restriction: Available where required by applicable law.
- Nomination (India): Nominate another individual to exercise your rights upon death or incapacity, as permitted by law.
We do not currently make decisions producing legal or similarly significant effects solely through automated processing. Automated entitlement, fraud, abuse, and access checks may restrict a feature or route a matter for review, but do not determine the validity of an agreement between users.
13. Grievance Redressal and Contact Details
For privacy questions, rights requests, or complaints, contact our Grievance Officer:
- Grievance Officer: Kartikay Tiwari
- Address: Jaunpur, India
- Email: privacy@filosign.xyz
We will acknowledge legitimate requests within a reasonable time and respond within timelines required by applicable law. If you are unsatisfied with our response, you may escalate to the Data Protection Board of India or your local data protection authority where applicable.
14. Regional restrictions (EEA, UK, Canada)
Strict Exclusion: The Service is not intended for and must not be used by individuals or organizations located in the European Economic Area (EEA), the United Kingdom (UK), or Canada. We do not represent or claim compliance with the GDPR or PIPEDA. Customers are strictly prohibited from creating workflows subject to those laws or uploading personal data governed by them.
15. Children
Filosign is not intended for children. You must be at least 18 years old, or the age required in your jurisdiction, to use the service.
16. Contact
Operator: Kartikay Tiwari, trading as Filosign.
Privacy requests: privacy@filosign.xyz. Support: support@filosign.xyz. Security: security@filosign.xyz. See our Terms of Service for payment, governing law, and non-custody terms.