NomaSign Privacy Policy
1. Introduction
NomaSign ("we", "us", or "our") collects personal information when you use our digital signing platform. This policy explains what we collect, why, and what choices you have.
We operate under South Africa's Protection of Personal Information Act (POPIA). If you're in the EEA or UK, GDPR applies to you as well.
NomaSign lets you send documents out for signature, keeps track of who signed and when, and returns the completed version to you. Each signing event records a timestamp, the signer's IP address, and their browser information—this becomes the audit trail for your documents.
2. What Information We Collect
2.1 Information You Provide
When you create an account, we ask for your name and email address. A company name is optional. If you subscribe to a paid plan we also need billing details. Your payment card numbers go straight to our payment processor though, and are never stored on our servers.
When you kick off a signing workflow, you upload documents and provide recipient details along with whatever message you want to include. Records of support conversations and any feedback you send us are kept too.
2.2 Information Collected Automatically
Our servers log certain technical data automatically. Which pages you visit, which features you use, device information, browser type, IP address, and the times you access the service. That data is used for troubleshooting, security monitoring, and to understand how the product gets used in practice.
Signing events are logged in more detail. When someone views or signs a document we record the exact timestamp along with their IP address and browser details. That record becomes the proof of what happened and when.
2.3 Information from Third-Party Services
If you connect OneDrive or Google Drive, we receive access tokens. These let you browse your files and save signed documents back to your storage. Permissions are limited to what the integration actually needs. We only access your cloud storage when you start an action. No background syncing, no scanning.
3. How We Use Your Information
Most of it is used to actually run the service you signed up for. That means managing your account, sending signature requests on your behalf, firing off reminders, and generating audit trails so your signed documents have proper legal standing.
It also helps us process payments and handle billing, and to provide support when you need help. Activity patterns get monitored so we can spot fraud and stop abuse of the platform.
Usage data is also looked at in aggregate, not tied to any individual, to figure out what's working well, what's slow, and where people get stuck. Some records we're simply required to keep for tax, legal, and compliance reasons.
4. Legal Basis for Processing (GDPR Users)
For users in the EEA or UK, GDPR requires a lawful basis for processing personal data. Most of what we do falls under contractual necessity. We need your information to deliver the service you're paying for. Legitimate interests covers security measures, fraud prevention, and product improvements. Where we're legally required to keep records, that's legal obligation. For optional things like analytics cookies we rely on consent.
One important note. If someone sent you a document to sign through NomaSign, that person (or their organisation) is the data controller. They decide why and how your data is processed for that transaction. NomaSign acts as the processor, providing the technical infrastructure underneath.
5. Where Your Documents Are Stored
This was a deliberate design choice. Your documents stay in your own cloud storage (OneDrive or Google Drive), not on our servers. They keep whatever security settings you have configured in those services. We only access files when you start a signing workflow, and we don't keep long-term copies. What we do hold onto is the audit trail. The metadata showing who signed, when, and from where.
Data in transit is encrypted with TLS. Authentication is secured, access is role-based, and activity logs are kept.
6. Cookies
Yes, we use cookies.
Some are essential. These keep you logged in and help us prevent fraud. Google Analytics is also used to understand how people use the site, but only after we get consent where the law requires it. That's the cookie banner you see when you land on the page.
| Cookie | What it does | How long it lasts |
|---|---|---|
| nomasign_session | Keeps you logged in (essential) | Until you close your browser |
| nomasign_cookie_consent | Remembers your cookie preferences | 1 year |
| _ga, _gid | Google Analytics | Up to 2 years |
7. Who We Share Data With
We don't sell your personal information. Full stop.
Some information is shared with service providers who help us run NomaSign. That includes our payment processor, email delivery service, and hosting provider. When you send a document for signing, the recipient sees your name, email address, and whatever message you included. If we get a valid legal request (a subpoena or court order, that kind of thing), we comply. And if NomaSign is ever acquired or merged, user data would form part of that transaction.
Outside of those situations, your information is only shared when you specifically ask us to share it. Setting up an integration with another service is the typical example.
8. Your Rights
Depending on where you live, privacy laws may give you various rights over your personal information. You might be able to request a copy of the data we hold about you, or ask us to fix inaccuracies, or request deletion (though we may need to keep some records for legal reasons). Other possibilities include data portability, objecting to certain processing, and withdrawing consent.
To act on any of these, email . Most responses go out within 30 days. Complex requests or legal constraints can take longer.
9. How Long We Keep Data
Personal information is retained for as long as it's needed to operate the service, maintain security, resolve disputes and meet legal requirements. Your account data stays as long as your account is active. After you close the account, most of it gets deleted, unless we're legally required to keep it or have a legitimate business reason (resolving a billing dispute is the obvious one).
Documents themselves live in your own cloud storage, not ours. Audit trail data (who signed what and when) is kept for a period of time to support the integrity of signed transactions. Security logs stay around for monitoring and troubleshooting.
Want something deleted sooner, or want to know what we still have on file? Drop us an email and we'll explain what's possible.
10. International Transfers
A few of our service providers operate outside South Africa, which means your information may be processed in other countries. When that happens, appropriate safeguards are put in place and providers are contractually required to protect your data.
11. Children
NomaSign is meant for users 18 and older. We don't knowingly collect information from children. If you think a minor has created an account or submitted personal information, let us know so we can sort it out.
12. Browser Extension
If you use our browser extension for Chrome, Firefox or Edge, here's what data it touches and why.
The extension needs the tabs and webNavigation permissions so it can spot when you open a PDF in your browser. The identity permission lets you sign in via Google or Microsoft. Storage is used to keep your login state and preferences locally. And the host permissions for NomaSign domains let the extension talk to our servers when you start a workflow.
Locally, the extension stores your login state, preferences, and some attribution data inside itself. It only communicates with our servers when you're actively using it. Nothing happens in the background.
On PDF detection: when you open a PDF, the extension notices and offers to help you send it for signing. That's the core feature. Detection runs locally, and nothing leaves your browser unless you explicitly start a signing workflow.
The extension follows the same privacy practices as the main web app, and no separate browsing profile is created. Got questions about how it works? Reach out at.
13. Policy Updates
This policy may change as the product evolves or when the law requires it. Updated versions go up on this page. For material changes we may also notify you by email or inside the application.
14. Contact
Questions about this policy or want to exercise your privacy rights? Email us at .
If you're not satisfied with our response, you can contact your local data protection authority. In South Africa, that's the Information Regulator.