Privacy by design

Privacy is not a checkbox. It is how we built this.

BuiltSign processes personal data on behalf of its customers. We take that seriously. This page explains what we store, why, for how long, and what both you and your document recipients are entitled to.

How we approach data

The principles behind our choices

Every decision about what data to collect and how long to keep it comes back to one question: is this the minimum needed to do the job well?

Minimum data, always

We collect what the service requires. If a piece of data is not needed to create, send, or verify a signed document, we do not ask for it.

Purpose-bound processing

Data collected for signing is used for signing. We do not build profiles, sell data, or repurpose information for advertising.

Encryption at rest and in transit

All stored documents and personal data are encrypted. Connections are secured with modern transport encryption. Data is never transmitted in plain text.

Pseudonymisation where possible

Audit trail entries and identity check outcomes reference internal identifiers, not full personal records, wherever the legal evidential value allows.

Clear retention periods

We do not store data indefinitely. Signed documents, audit trails, and account data follow defined retention schedules linked to the legal requirements of the document type.

Processor, not controller

BuiltSign acts as a data processor on behalf of its customers. The customer determines the purpose of the signing transaction. We follow those instructions.

What data we handle

What personal data flows through BuiltSign

There are two categories of people whose data we process: account holders (our customers) and document recipients (the people invited to sign).

Account holders

  • Name and email address
  • Company name and role
  • Billing address and payment reference
  • Signature image (stored per your account settings)
  • Activity logs within your own account

Document recipients (signers)

  • Name and email address
  • IP address at the time of signing
  • Device and browser information
  • Signature placement and timestamp
  • Identity verification outcome (if enabled by the sender)

Identity verification outcomes are stored as a result code and timestamp only. The actual identity documents used during verification are not retained by BuiltSign after the check is complete.

WPG compliance

Why WPG matters for signed documents

The WPG (Wet Politiegegevens) is Dutch legislation governing the processing of personal data in the context of crime investigation and enforcement. For BuiltSign, this becomes relevant when signed documents are used as legal evidence in disputes, enforcement proceedings, or regulatory reviews.

Audit trails are tamper-evident

Every event in the signing process is recorded with a cryptographic trail that cannot be altered after the fact. This makes the audit log admissible as evidence in legal proceedings.

Chain of custody is preserved

From the moment a document is uploaded to the moment all parties have signed, every action is timestamped and attributed. No step is left undocumented.

Minimal data for maximum legal weight

We record what courts and regulators need to verify authenticity, and nothing more. Oversharing personal data weakens legal positions under WPG rather than strengthening them.

How long we keep data

Data retention is not one-size-fits-all

Different types of data serve different legal purposes and have different retention requirements. We align our defaults to Dutch and EU legal standards.

Data typePeriod
Signed documents and audit certificates7 years
Identity verification results7 years
Account dataDuration of the contract plus 2 years
Signing invitations and activity logs7 years
Payment data7 years

Enterprise customers may request custom retention schedules via a data processing agreement. Contact us if your industry has specific legal requirements.

Your rights under GDPR

What you and your document signers are entitled to

As a data subject under GDPR, you have the following rights. Both account holders and document recipients can exercise these rights.

Right of access

You can request an overview of the personal data we hold about you.

Right to rectification

If data we hold is incorrect, you can ask us to correct it.

Right to erasure

You can request deletion of your personal data, subject to retention obligations linked to signed documents.

Right to restriction

You can ask us to restrict how we use your data while a request is being reviewed.

Right to data portability

You can request a machine-readable export of your personal data.

Right to object

You can object to the processing of your personal data in specific circumstances.

To exercise any of these rights, contact us at privacy@builtsign.com. We respond within 30 days.

For business customers

Data processing agreements

If you process personal data of third parties through BuiltSign (for example, your customers or employees), you are the data controller and BuiltSign acts as your data processor. Dutch and EU law require a written data processing agreement in this case.

A standard DPA is available on request. Enterprise customers can request a customised DPA to match their internal compliance requirements.

Frequently asked questions about privacy

Yes. BuiltSign processes personal data in accordance with the GDPR. We act as a data processor for our customers and as a data controller for our own account management. Our data centres are located within the EU.
All documents and personal data are stored in EU-based infrastructure. We do not transfer data outside the European Economic Area without appropriate safeguards in place.
We share data only with sub-processors who are necessary to deliver the service, such as our cloud storage and email delivery providers. All sub-processors are contractually bound to GDPR-compliant data handling. We do not sell data.
Documents that have passed the minimum legal retention period are deleted. Documents within the retention window are held for the remainder of the applicable period, then deleted. You can request an export before closing your account.
For questions or data subject requests, contact privacy@builtsign.com. We will advise on DPO obligations as they apply to your specific plan and usage.

Ready to get started?

Create a free account in seconds. Try everything free for 7 days, no credit card needed.

1GB+ uploadsBank-grade securityLegally binding