DigiSig

Draft — this document is pending legal review and is not yet legally binding.

Privacy Policy

Last updated June 25, 2026

DigiSig is operated by SoftSplit d.o.o., Trg bana Josipa Jelačića 1, 10000 Zagreb, Croatia ("we", "us"). We are the data controller for the purposes of the EU General Data Protection Regulation (GDPR). You can reach us at hello@digisig.eu.

The short version

Your document is encrypted in your browser before it ever leaves your device. We never receive the decryption key, so we cannot read your documents. We keep only the minimum data needed to make signing work and to provide a tamper-evident audit trail.

What we process

  • Document contents: encrypted on your device (AES-256-GCM). Where an encrypted copy is stored to deliver a signing request, we hold only ciphertext and never the key.
  • Signing metadata / audit trail: a SHA-256 hash (fingerprint) of the document, signers' email addresses, signing timestamps, and event records. The tamper-evident trail stores hashes and pseudonymous identifiers rather than document content.
  • Email addresses: used to deliver the signing link and completion notices.
  • Technical data: limited request data (such as IP address and timestamp) needed for security and to evidence a signature.

Why we process it (lawful bases)

  • Performance of a contract (Art. 6(1)(b)) — to provide the signing service you request.
  • Legitimate interests (Art. 6(1)(f)) — to secure the service and to produce a reliable audit trail.
  • Consent (Art. 6(1)(a)) — where you opt into the paid certified copy or optional features.

Where your data is stored

Data is processed and stored within the European Union. Encrypted document blobs and signing metadata are held with EU-region infrastructure.

How long we keep it

Encrypted documents are ephemeral: they are deleted after a signing completes plus a short window. The audit record (hashes and pseudonymous identifiers) may be retained so that a completed signature remains verifiable. Raw personal data such as email addresses is kept separately and can be deleted on request.

Your rights

Under the GDPR you have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing. To exercise these rights, contact hello@digisig.eu. You also have the right to lodge a complaint with your local supervisory authority (in Croatia, AZOP).

Sharing

We do not sell your data. We use a small number of processors (for EU hosting and, for paid features, payment processing) under data-processing agreements. Payment is handled by our payment provider; we do not store card details.

Changes

This policy may change as the service develops. The "last updated" date above reflects the current version.