NomaSign Privacy Policy
1. Introduction
NomaSign ("we", "us", or "our") collects personal information when you use our digital signing platform. This policy explains what we collect, why, and what choices you have.
We operate under South Africa's Protection of Personal Information Act (POPIA). If you're in the EEA or UK, GDPR applies to you as well.
NomaSign lets you send documents out for signature, keeps track of who signed and when, and returns the completed version to you. Each signing event records a timestamp, the signer's IP address, and their browser information—this becomes the audit trail for your documents.
2. What Information We Collect
2.1 Information You Provide
When you create an account, we ask for your name and email address. You can optionally add a company name. If you subscribe to a paid plan, we need billing details—but your payment card numbers go directly to our payment processor and are never stored on our servers.
When you start a signing workflow, you upload documents and provide recipient details along with any message you want to include. We also keep records of support conversations and any feedback you send us.
2.2 Information Collected Automatically
Our servers automatically log certain technical data: which pages you visit, which features you use, device information, browser type, IP address, and when you access the service. We use this for troubleshooting, security monitoring, and to understand how the product is being used.
Signing events are logged in more detail. When someone views or signs a document, we record the exact timestamp, their IP address, and browser details. This information forms the proof of what happened and when.
2.3 Information from Third-Party Services
If you connect OneDrive or Google Drive, we receive access tokens that let you browse your files and save signed documents back to your storage. These permissions are limited to what's necessary for the integration to work. We only access your cloud storage when you initiate an action—there's no background syncing or scanning.
3. How We Use Your Information
Primarily, we use your information to provide the service you signed up for: managing your account, sending signature requests on your behalf, delivering reminders, and generating audit trails so your signed documents have legal standing.
We also use it to process payments, handle billing, and provide support when you need help. We monitor activity patterns to detect fraud and prevent abuse of the platform.
In aggregate (meaning not tied to you specifically), we analyse usage data to understand what's working, what's slow, and where users run into problems. We're also required to retain certain records for tax, legal, and compliance reasons.
4. Legal Basis for Processing (GDPR Users)
For users in the EEA or UK, GDPR requires a lawful basis for processing personal data. Most of what we do falls under contractual necessity—we need your information to deliver the service you're paying for. Legitimate interests covers security measures, fraud prevention, and improvements to the product. Where we're legally required to keep records, that's legal obligation. For optional things like analytics cookies, we rely on consent.
One thing worth noting: if someone sent you a document to sign through NomaSign, that person (or their organisation) is the data controller—they decide why and how your data is processed for that transaction. NomaSign acts as the processor, providing the technical infrastructure.
5. Where Your Documents Are Stored
This is a deliberate architectural decision: your documents remain in your own cloud storage (OneDrive or Google Drive), not on our servers. They stay protected by whatever security settings you've configured in those services. We only access files when you start a signing workflow—we don't maintain long-term copies. What we do preserve is the audit trail: the metadata showing who signed, when, and from where.
Data in transit is encrypted using TLS. We use secure authentication, role-based access controls, and maintain activity logs.
6. Cookies
We use cookies.
Some are essential—they keep you logged in and help prevent fraud. You can't opt out of these without breaking core functionality. We also use Google Analytics to understand how people use the site, but only after getting consent where required by law (that's why you see a cookie banner).
| Cookie | What it does | How long it lasts |
|---|---|---|
| nomasign_session | Keeps you logged in (essential) | Until you close your browser |
| nomasign_cookie_consent | Remembers your cookie preferences | 1 year |
| _ga, _gid | Google Analytics | Up to 2 years |
7. Who We Share Data With
We do not sell your personal information.
We do share certain information with service providers who help us run NomaSign—our payment processor, email delivery service, and hosting provider. When you send a document for signing, the recipient sees your name, email address, and whatever message you included. If we receive a valid legal request (subpoena, court order, etc.), we comply. And if NomaSign is ever acquired or merged, user data would be part of that transaction.
Beyond these situations, we only share your information when you explicitly ask us to—for example, if you set up an integration with another service.
8. Your Rights
Depending on where you live, privacy laws may give you certain rights over your personal information. You may be able to request a copy of the data we hold about you, ask us to correct inaccuracies, or request deletion (though we may need to retain some records for legal reasons). You may also have rights around data portability, objecting to certain processing, or withdrawing consent.
To exercise any of these, email 
. We typically respond within 30 days, though complex requests or legal constraints may take longer.
9. How Long We Keep Data
We retain personal information for as long as necessary to operate the service, maintain security, resolve disputes, and meet legal requirements. Your account data stays as long as your account is active. After you close your account, we delete most of it—unless we're legally required to keep it or have a legitimate business reason (like resolving a billing dispute).
Your documents live in your own cloud storage, not ours. We keep audit trail data (who signed what and when) for a period of time to support the integrity of signed transactions. Security logs are retained for monitoring and troubleshooting.
If you want something deleted sooner or want to know what we still have on file, email us and we'll explain what's possible.
10. International Transfers
Some of our service providers operate outside South Africa, which means your information may be processed in other countries. When this happens, we put appropriate safeguards in place and ensure providers are contractually obligated to protect your information.
11. Children
NomaSign is intended for users 18 and older. We do not knowingly collect information from children. If you believe a minor has created an account or submitted personal information, please let us know so we can address it.
12. Browser Extension
If you use our browser extension for Chrome, Firefox, or Edge, this section explains what data it accesses and why.
The permissions we request: The extension needs tabs and webNavigation permissions to detect when you open a PDF in your browser. Identity allows you to sign in via Google or Microsoft. Storage keeps your login state and preferences locally. Host permissions for NomaSign domains let the extension communicate with our servers when you initiate a workflow.
What happens locally: Your login state, preferences, and some attribution data are stored in the extension itself. The extension only communicates with our servers when you're actively using it—not in the background.
PDF detection: When you open a PDF, the extension notices and offers to help you send it for signing. That's the core feature. What does not happen: the extension does not read PDF contents, track your browsing, or send data to servers just because you opened a file. Detection happens locally, and nothing leaves your browser unless you explicitly start a signing workflow.
The extension follows the same privacy practices as the main web app. No separate browsing profile is created. If you have questions about the extension or want to know more about how it works, feel free to reach out to us at .
13. Policy Updates
We may update this policy when the product changes or when required by law. Updated versions will be posted on this page. If we make material changes, we may notify you via email or through the application.
14. Contact
Questions about this policy or want to exercise your privacy rights? Email us at .
If you're not satisfied with our response, you can contact your local data protection authority. In South Africa, that's the Information Regulator.