Privacy notice

Quill is a trading name of Bright Sustainability Ltd, a company registered in England and Wales (company number 15484715) at 75 Royal Court Drive, Bolton, BL1 4AZ. We are registered with the Information Commissioner's Office (ICO). Quill provides a pay-per-use electronic signature platform at quillsign.app. This notice explains how we collect, use, and protect your personal data when you use our service.

We collect the following personal data:

• Email address — to authenticate you via one-time passcode and to send signing-related notifications.
• Signer name and email — provided by the document sender to identify signers and deliver signing invitations.
• IP address (pseudonymised) — recorded when a signer completes signing. The last octet is zeroed before storage (e.g. 192.168.1.x becomes 192.168.1.0).
• Timestamps — when documents are sent, opened, and signed.
• Signature and field data — signatures (drawn, typed, or uploaded) and any text fields completed during signing.
• PDF documents — uploaded by the sender for signature.
• Payment information — processed entirely by Stripe. We do not store card numbers or payment details.

• To provide the service — processing documents, delivering signing invitations, recording signatures.
• Legal compliance — maintaining an audit trail as required by the Electronic Communications Act 2000, UK eIDAS, and UK GDPR.
• To prevent fraud — verifying signer identity through email and recording pseudonymised IP addresses.
• To communicate with you — sending OTP codes, signing invitations, reminders, and completion notifications.

• Contract — processing necessary to provide the signing service you requested.
• Legitimate interest — maintaining audit trails and preventing fraud.
• Legal obligation — retaining records as required by UK law.
• Consent — signers explicitly consent before signing via a checkbox acknowledging the audit trail.

• Signed documents and audit trails — retained for 6 years from completion, cancellation, or expiry, in line with the Limitation Act 1980.
• PDF files — original and completed PDFs retained for the same 6-year period, then permanently deleted.
• OTP codes — deleted after verification or expiry (10 minutes).
• Payment records — retained as required by financial regulations.

All data is stored in the European Union. Our database and file storage are hosted in Supabase's EU region. Our application is deployed on Vercel's EU infrastructure (London, lhr1). We do not transfer personal data outside the EU/UK.

• Supabase (EU) — database and file storage.
• Vercel (EU) — application hosting.
• Stripe — payment processing. Subject to Stripe's own privacy policy.
• Resend — transactional email delivery.

Under UK GDPR, you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — request correction of inaccurate data.
• Erasure — request deletion of your data, subject to legal retention requirements.
• Portability — receive your data in a machine-readable format.
• Object — object to processing based on legitimate interest.

Note: we cannot delete signed documents or audit trails within the 6-year retention period, as this would compromise the legal validity of the signatures.

To exercise your rights or ask questions about this notice, email us at privacy@quillsign.app.

Quill does not use cookies for tracking or analytics. We store a JSON Web Token (JWT) in your browser's localStorage for authentication. This token expires after 24 hours.