Privacy Policy
Effective date: July 5, 2026
This page explains what information VMVTech, Ltd. collects through the e-sig.org website and its services, why we collect it, who we share it with, and the rights you have. This paragraph is only a plain-English summary and is not a substitute for the full policy below. The short version: this website has no accounts, no trackers, no advertising, and sets no cookies, and our self-hosted software sends us nothing.
1. Who we are and what this policy covers
This Privacy Policy is issued by VMVTech, Ltd., a United States company and a subsidiary of VMVCorporation ("VMVTech," "we," "us," or "our"). VMVTech operates the website at https://e-sig.org (the "Site") and offers the products described on it, including the open-source esig-suite SDK and the paid offerings listed on /pricing.
For personal information collected through the Site itself, VMVTech, Ltd. is the data controller. For content processed through the e-sig Cloud service on behalf of our customers, VMVTech acts as a processor or service provider, as explained in Section 5. Paid offerings are governed by their own separate agreements (order forms, master services agreements, data processing addenda); where those agreements address data handling, they control for the services they cover.
This policy should be read together with our Terms of Use and Legal Notices.
2. The short version: what we do not do
Before the detail, here is what does not happen on this Site, stated plainly:
- No accounts. The Site has no user accounts, no login, and no registration forms.
- No analytics trackers. We run no analytics scripts and no visitor-measurement pixels.
- No advertising. We show no ads, embed no ad networks, and place no advertising trackers.
- No cookies set by this Site. The Site itself sets no cookies of any kind, first-party or third-party.
- No selling of personal information, and no "sharing" for advertising. We do not sell personal information and do not share it for cross-context behavioral advertising within the meaning of California law. We do disclose limited information to the service providers and in the circumstances described in Section 9.
- No telemetry from the self-hosted SDK. The open-source esig-suite software sends us no documents, no signer data, and no usage telemetry (see Section 4).
Everything we do collect is described in Sections 3 through 5. We do not engage in data practices materially different from those described in this policy.
3. What we actually collect on this website
The Site is a static site hosted on Amazon Web Services (AWS S3 and CloudFront). The information connected with your visit is limited to the following:
- Server and CDN access logs. Like almost every website, our AWS hosting infrastructure automatically generates access logs when you request a page. These logs contain your IP address, browser user agent string, timestamps, and the URLs requested. We use them for security (detecting abuse, denial-of-service attempts, and scanning) and operations (diagnosing availability and performance problems). They are not used to build visitor profiles.
- Email correspondence. If you email us (for example at legal@e-sig.org, sales@e-sig.org, or security@e-sig.org), we receive your email address, anything you choose to include in your message, and routine email metadata. We use it to respond to you and to keep a record of the correspondence.
- Checkout and payment. If you purchase a paid plan from /pricing, checkout is routed to our payment processor, Stripe. Stripe collects and processes your payment details directly. VMVTech never stores your card numbers. Stripe's handling of your data is governed by its own privacy policy at https://stripe.com/privacy. We may receive limited, non-card information about your order from Stripe (for example, confirmation that a payment succeeded and the contact details needed to administer the subscription).
That is the complete list of what we intentionally collect through the Site. We do not collect precise location data, biometric data, or your browsing history on other websites, and we do not currently enrich Site data with information purchased from data brokers.
4. The self-hosted SDK sends us nothing
Our open-source product, esig-suite (the npm packages @e-sig/core, @e-sig/react, and @e-sig/supabase, published at https://github.com/vmvtech/esig-suite), is an MIT-licensed, self-hosted PDF e-signature SDK. It runs entirely inside your own infrastructure.
- VMVTech receives no documents, no signer data, and no telemetry from the SDK. There is no phone-home, no usage reporting, and no error reporting to us.
- The SDK's only optional network egress is to an RFC-3161 timestamp authority that you configure yourself. If you enable timestamping, that authority receives only a SHA-256 hash of the signed data, never the document itself. Your chosen timestamp authority's own terms and privacy practices apply to that request.
Because the SDK operates entirely under your control, you (not VMVTech) are responsible for the personal data your deployment processes and for your own compliance obligations as its controller or processor.
5. The e-sig Cloud service: we act as a processor
When a customer uses the paid e-sig Cloud service, VMVTech hosts and operates the signing infrastructure on that customer's behalf. In doing so we process customer content, which can include:
- documents uploaded for signature;
- signer names and email addresses;
- signer IP addresses and user agent strings;
- signature images; and
- append-only audit records (a hash-chained audit log of signing events).
For this customer content, the Cloud customer is the data controller (or "business" under California law) and VMVTech acts as a processor or service provider, handling the data only on the customer's documented instructions and as needed to provide the service. A data processing addendum (DPA) is available for our paid offerings; contact legal@e-sig.org to request one.
If you are a signer: if you received a document for signature through the e-sig Cloud service, the organization that sent you the document controls that data. Please direct requests to access, correct, or delete your data to that organization. If you contact us instead, we will refer your request to the relevant customer and assist as their processor where required by law or by our agreement with them.
6. How we use information
We use the limited information described above only for the following purposes:
- to operate, secure, and troubleshoot the Site and our services (access logs);
- to respond to inquiries, sales questions, legal requests, and security reports (email correspondence);
- to provide, bill for, and support paid services you purchase (order and billing information, customer content as instructed);
- to comply with legal obligations, including tax, accounting, and lawful requests from authorities; and
- to establish, exercise, or defend legal claims.
We do not use personal information for advertising or profiling, we do not currently use automated decision-making that produces legal or similarly significant effects, and we do not currently use customer content to train machine-learning models.
7. Legal bases for processing (EEA and UK)
Where the EU or UK General Data Protection Regulation applies, we rely on the following legal bases:
- Legitimate interests (Article 6(1)(f)): maintaining access logs to secure and operate the Site, preventing abuse, and defending legal claims. Our interest in keeping the Site available and secure is balanced against the minimal intrusiveness of standard access logs.
- Performance of a contract (Article 6(1)(b)): providing services you purchase, processing your checkout, and responding to your pre-contract inquiries.
- Legal obligation (Article 6(1)(c)): retaining records and disclosing information where the law requires it.
For customer content processed through e-sig Cloud, the legal basis is determined by the customer as controller; we process on the customer's instructions.
8. How long we keep information
- Access logs are kept only as long as needed for security and operational purposes and are then deleted or rotated out in the ordinary course.
- Email correspondence is kept as long as needed to handle the matter it relates to and to maintain a reasonable business record, after which it may be deleted.
- Billing and transaction records are kept for as long as tax, accounting, and other legal obligations require.
- e-sig Cloud customer content is retained according to the customer's instructions and the applicable service agreement, and is deleted or returned as that agreement provides.
9. When we share information
We never sell personal information. We share it only in these circumstances:
- Service providers and subprocessors. We use a small number of infrastructure and payment providers to run our business, currently including Amazon Web Services (hosting and content delivery) and Stripe (payment processing). They may process personal information only to provide their services to us and are bound by their own contractual and legal obligations.
- Legal compulsion. We may disclose information where required by law, regulation, subpoena, court order, or other lawful process, or where reasonably necessary to protect the rights, safety, or property of VMVTech, our customers, or others.
- Corporate transactions. If VMVTech is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction, subject to this policy or successor terms that provide comparable protection.
For e-sig Cloud, a current list of subprocessors is available on request via legal@e-sig.org and is addressed in the DPA.
10. International data transfers
VMVTech is a United States company, and our infrastructure is hosted with AWS in the United States (us-east-1). Information described in this policy is processed in the United States, which may have data protection laws different from those of your jurisdiction. Where required for transfers of EEA, UK, or Swiss personal data, we rely on appropriate safeguards, such as standard contractual clauses where applicable; transfer mechanisms for paid services are addressed in our DPA. You can request more information about transfer safeguards via legal@e-sig.org.
11. Security
We apply technical and organizational measures appropriate to the limited data we handle, including:
- Encryption in transit. The Site and our services are served over TLS.
- Restricted access. Access to logs, correspondence, and service infrastructure is limited to personnel who need it.
- Tamper-evidence by design. The product itself is built around integrity controls: PKCS#7/PAdES signatures, RFC-3161 timestamps, and hash-chained, append-only audit logs, designed so that alterations to signed material and audit records can be detected.
No system is perfectly secure, and we cannot guarantee absolute security. If you believe you have found a security vulnerability, please report it to security@e-sig.org as described in the SECURITY.md file in our GitHub repository.
12. Your rights in the EEA, the UK, and similar jurisdictions
If the GDPR or UK GDPR applies to you, you have the following rights with respect to personal data for which VMVTech is the controller:
- the right of access to your personal data;
- the right to rectification of inaccurate data;
- the right to erasure ("right to be forgotten") in certain circumstances;
- the right to restriction of processing in certain circumstances;
- the right to data portability for data you provided to us that we process by automated means on the basis of contract or consent;
- the right to object to processing based on legitimate interests;
- the right to withdraw consent at any time, where processing is based on consent, without affecting prior processing; and
- the right to lodge a complaint with your local supervisory authority.
To exercise any of these rights, email legal@e-sig.org. We may need to verify your identity before acting on a request, and we will respond within the timeframes required by applicable law. If your request concerns data processed through e-sig Cloud on behalf of one of our customers, we will refer you to that customer, who is the controller (see Section 5).
If you reside in a jurisdiction with a similar privacy law (including other US states), you may exercise the corresponding rights by emailing legal@e-sig.org. Where the law of your state gives you a right to appeal our decision on a request, our response will explain how to appeal.
13. California privacy rights
If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) gives you rights over your personal information, including the rights to know what we collect, to access it, to correct it, to delete it, and to be free from discrimination for exercising these rights. You may exercise them by emailing legal@e-sig.org; we will verify your identity and respond as the law requires. You may use an authorized agent, subject to verification.
Notice of no sale or sharing: we do not sell personal information, and we do not share personal information for cross-context behavioral advertising. We have not done so in the preceding 12 months. Because there is no sale or sharing to opt out of, we do not provide a "Do Not Sell or Share" link.
Global Privacy Control: we honor the Global Privacy Control (GPC) signal in the most direct way possible: we do not track visitors in the first place. With no cookies, no trackers, and no sale or sharing of personal information, a GPC-enabled browser receives exactly the same treatment as any other, which is the treatment GPC is designed to secure. For the same reason, our response to browser "Do Not Track" signals is uniform: we do not track visitors, so no signal changes how the Site treats you.
Acting as a business (rather than as a service provider processing customer content under Section 5), we do not collect the categories of sensitive personal information that trigger a right to limit use, and we do not use or disclose personal information for purposes beyond those described in this policy. The categories of personal information we collect, the purposes, and the recipients are set out in Sections 3, 6, and 9.
14. Children
The Site and our services are not directed at children under 16, and we do not knowingly collect personal information from anyone under 16. If you believe a child under 16 has provided us personal information, contact legal@e-sig.org and we will delete it. Entering into contracts through our services requires legal capacity, as described in our Terms of Use.
15. Third-party sites and services
The Site links to third-party sites and services we do not control, including GitHub, npm, Stripe's checkout pages, and the websites of other vendors named in our comparison tables. Those third parties have their own privacy practices and policies, and this policy does not apply to them. In particular, if you proceed to checkout, Stripe's pages operate under Stripe's own privacy policy, and Stripe may set its own cookies on its own domains. We encourage you to review the policies of any third-party service before providing it your information.
16. Changes to this policy
We may update this Privacy Policy from time to time, for example to reflect changes in our practices, services, or applicable law. When we do, we will post the revised policy at /privacy and update the effective date at the top of this page. Material changes will be indicated by that new effective date; we encourage you to review this page periodically.
17. How to contact us
Questions, concerns, or requests about privacy and this policy should be directed to:
- Privacy and legal: legal@e-sig.org
- Security vulnerability reports: security@e-sig.org
- Sales: sales@e-sig.org
VMVTech, Ltd. is a United States company. Our postal address is available on request via legal@e-sig.org. Related documents: Terms of Use and Legal Notices.