Privacy Policy

    Last updated: 20 March 2026

    1. Who We Are

    Squigggle is an electronic signature platform operated by N90 Labs Limited, a company registered in England and Wales ("we", "us", "our"). We are the data controller for the personal data described in this Privacy Policy. For data protection enquiries, contact us at privacy@squigggle.io.

    2. Data We Collect

    2.1 Account Data

    When you create an account, we collect your name, email address, and authentication credentials. If you sign up with Google or Apple, we receive your name and email from those providers.

    2.2 Document Data

    When you upload documents for signing, we store the document files, signer names and email addresses, signature images, and signing metadata (timestamps, IP addresses, user agents).

    2.3 Payment Data

    Payment processing is handled by Stripe. We store your Stripe customer ID and payment history, but we never store full card numbers. Card details are handled entirely by Stripe in accordance with PCI DSS standards.

    2.4 Usage Data

    We collect information about how you use the Service, including pages visited, features used, and interaction patterns. This is collected via cookies and analytics tools as described in Section 7.

    3. How We Use Your Data

    • Service delivery: To provide e-signature services, process documents, send signing invitations, and generate certificates of completion
    • Authentication: To verify your identity and secure your account
    • Payments: To process payments and maintain billing records
    • Legal compliance: To maintain audit trails for signed documents as required by e-signature legislation
    • Communication: To send transactional emails (signing invitations, completions, receipts) and, with your consent, marketing communications
    • Improvement: To analyse usage patterns and improve the Service

    4. Legal Basis for Processing

    We process your personal data on the following legal bases under UK GDPR:

    • Contract performance: Processing necessary to provide you with the Service
    • Legitimate interests: Fraud prevention, security, service improvement, and business operations
    • Legal obligation: Maintaining audit trails and records as required by law
    • Consent: Marketing communications and non-essential cookies

    5. Data Sharing

    We share personal data with the following categories of recipients:

    • Signing participants: Names and email addresses are shared with other signers on the same document
    • Service providers: Supabase (hosting/database), Stripe (payments), Resend (email delivery)
    • Analytics providers: Google Analytics, Meta, LinkedIn (anonymised usage data)
    • Legal authorities: When required by law or court order

    6. Data Retention

    Account data is retained for the lifetime of your account plus 12 months. Signed documents and audit trails are retained for 7 years to support legal enforceability. Payment records are retained for 6 years as required by HMRC. You may request deletion of your account at any time, subject to our legal retention obligations.

    7. Cookies and Tracking

    We use the following categories of cookies and tracking technologies:

    • Essential: Session management and authentication (always active)
    • Analytics: Google Analytics 4, to understand how users interact with our Service (requires consent)
    • Marketing: Meta Pixel and LinkedIn Insight Tag, for remarketing and audience building (requires consent)

    8. Your Rights

    Under UK GDPR, you have the right to:

    • Access your personal data
    • Rectify inaccurate data
    • Erase your data (subject to legal retention requirements)
    • Restrict processing
    • Data portability
    • Object to processing
    • Withdraw consent at any time

    To exercise these rights, contact privacy@squigggle.io. We will respond within 30 days.

    9. International Transfers

    Your data may be processed outside the UK by our service providers. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses or adequacy decisions.

    10. Security

    We implement appropriate technical and organisational measures to protect your data, including encryption at rest and in transit, access controls, and regular security assessments. Documents are cryptographically signed using ECDSA P-256 to ensure integrity.

    11. Changes to This Policy

    We may update this Privacy Policy from time to time. We will notify you of material changes by email. The latest version is always available at squigggle.io/privacy.

    12. Contact and Complaints

    For privacy enquiries: privacy@squigggle.io

    You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.