Privacy notice
Last updated: 23 March 2026
Who we are
Quill is a trading name of Bright Sustainability Ltd, a company registered in England and Wales (company number 15484715) at 75 Royal Court Drive, Bolton, BL1 4AZ. We are registered with the Information Commissioner's Office (ICO). Quill provides a pay-per-use electronic signature platform at app.quillsign.app. This notice explains how we collect, use, and protect your personal data when you use our service.
This notice applies under the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and applicable US state privacy laws including the California Consumer Privacy Act (CCPA/CPRA).
Data we collect
We collect the following personal data:
- Email address — to authenticate you via one-time passcode and to send signing-related notifications.
- Signer name and email — provided by the document sender to identify signers and deliver signing invitations.
- IP address (pseudonymised) — recorded when a signer completes signing. The last octet is zeroed before storage (e.g. 192.168.1.x becomes 192.168.1.0).
- Timestamps — when documents are sent, opened, and signed.
- Signature and field data — signatures (drawn, typed, or uploaded) and any text fields completed during signing.
- PDF documents — uploaded by the sender for signature.
- Payment information — processed entirely by Stripe. We do not store card numbers or payment details.
Why we collect it
- To provide the service — processing documents, delivering signing invitations, recording signatures.
- Legal compliance — maintaining an audit trail as required by applicable electronic signature legislation, including the Electronic Communications Act 2000 (UK), EU eIDAS Regulation, UK GDPR, and EU GDPR.
- To prevent fraud — verifying signer identity through email and recording pseudonymised IP addresses.
- To communicate with you — sending OTP codes, signing invitations, reminders, and completion notifications.
Legal basis
Under UK GDPR and EU GDPR, our legal bases for processing are:
- Contract — processing necessary to provide the signing service you requested.
- Legitimate interest — maintaining audit trails and preventing fraud.
- Legal obligation — retaining records as required by applicable law.
- Consent — signers explicitly consent before signing via a checkbox acknowledging the audit trail.
Data retention
- Signed documents and audit trails — retained for 6 years from completion, cancellation, or expiry, in line with the Limitation Act 1980.
- PDF files — original and completed PDFs retained for the same 6-year period, then permanently deleted.
- OTP codes — deleted after verification or expiry (10 minutes).
- Payment records — retained as required by financial regulations.
Data storage and transfers
All data is stored in the European Union. Our database and file storage are hosted in Supabase's EU region. Our application is deployed on Vercel's EU infrastructure (London, lhr1). We do not transfer personal data outside the EU/UK.
The European Commission renewed its adequacy decision for the UK on 19 December 2025 (valid until 27 December 2031), confirming that personal data can flow freely between the EU and UK without additional safeguards.
Third-party processors
- Supabase (EU) — database and file storage.
- Vercel (EU) — application hosting.
- Stripe — payment processing. Subject to Stripe's own privacy policy.
- Resend — transactional email delivery.
Your rights (UK and EU)
Under UK GDPR and EU GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion of your data, subject to legal retention requirements.
- Portability — receive your data in a machine-readable format.
- Object — object to processing based on legitimate interest.
- Restriction — request that we restrict processing of your data in certain circumstances.
- Complaint — lodge a complaint with a supervisory authority. For UK residents, this is the Information Commissioner's Office (ICO). EU residents may contact the data protection authority in their country of residence.
Note: we cannot delete signed documents or audit trails within the 6-year retention period, as this would compromise the legal validity of the signatures.
Your rights (United States)
If you are a resident of California or another US state with applicable privacy legislation (including Virginia, Colorado, Connecticut, and others), you have the following rights:
- Right to know — you may request details of the personal data we collect about you and how it is used.
- Right to delete — you may request deletion of your personal data, subject to legal retention requirements.
- Right to opt out of sale — Quill does not sell, share, or disclose your personal data to third parties for monetary or other valuable consideration. There is nothing to opt out of.
- Right to non-discrimination — we will not discriminate against you for exercising your privacy rights.
Contact
To exercise your rights or ask questions about this notice, email us at privacy@quillsign.app.
Cookies
The Quill application does not use cookies for tracking or analytics. We store a JSON Web Token (JWT) in your browser's localStorage for authentication. This token expires after 24 hours.
Our marketing website (www.quillsign.app) uses Google Analytics, which sets cookies. Where required by law, we obtain your consent before setting these cookies.