Privacy Policy
Last updated: 15 June 2026
1. Who We Are
Squigggle is an electronic signature platform operated by N90 Labs Limited, a company registered in England and Wales (company number 17006232) whose registered office is at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ ("we", "us", "our"). We are the data controller for the personal data described in this Privacy Policy. For data protection enquiries, contact us at privacy@squigggle.io or by post at our registered office above.
2. Data We Collect
2.1 Account Data
When you create an account, we collect your name, email address, and authentication credentials. If you sign up with Google or Apple, we receive your name and email from those providers.
2.2 Document Data
When you upload documents for signing, we store the document files, signer names and email addresses, signature images, and signing metadata (timestamps, IP addresses, user agents).
2.3 Payment Data
Payment processing is handled by Stripe. We store your Stripe customer ID and payment history, but we never store full card numbers. Card details are handled entirely by Stripe in accordance with PCI DSS standards.
2.4 Usage Data
We collect information about how you use the Service, including pages visited, features used, and interaction patterns. This is collected via cookies and analytics tools as described in Section 7.
3. How We Use Your Data
- Service delivery: To provide e-signature services, process documents, send signing invitations, and generate certificates of completion
- Authentication: To verify your identity and secure your account
- Payments: To process payments and maintain billing records
- Legal compliance: To maintain audit trails for signed documents as required by e-signature legislation
- Communication: To send transactional emails (signing invitations, completions, receipts) and, with your consent, marketing communications
- Improvement: To analyse usage patterns and improve the Service
4. Legal Basis for Processing
We process your personal data on the following legal bases under UK GDPR:
- Contract performance: Processing necessary to provide you with the Service
- Legitimate interests: Fraud prevention, security, service improvement, and business operations
- Legal obligation: Maintaining audit trails and records as required by law
- Consent: Marketing communications and non-essential cookies
5. Data Sharing
We share personal data with the following categories of recipients:
- Signing participants: Names and email addresses are shared with other signers on the same document
- Service providers: Supabase (hosting/database), Stripe (payments), Resend (email delivery), Sentry (error monitoring), Google Cloud (document conversion)
- Analytics providers: Google Analytics, Meta, LinkedIn (anonymised usage data)
- Legal authorities: When required by law or court order
For a complete and current list of the third parties that process personal data on our behalf, see our Sub-processors page.
6. Data Retention
Account data is retained for the lifetime of your account plus 12 months. Signed documents and audit trails are retained for 7 years to support legal enforceability. Payment records are retained for 6 years as required by HMRC. You may request deletion of your account at any time, subject to our legal retention obligations.
7. Cookies and Tracking
We use the following categories of cookies and tracking technologies:
- Essential: Session management and authentication (always active)
- Analytics: Google Analytics 4, to understand how users interact with our Service (requires consent)
- Marketing: Meta Pixel and LinkedIn Insight Tag, for remarketing and audience building (requires consent)
Non-essential cookies are off by default. When you first visit, a banner lets you accept all, reject all, or choose analytics and marketing categories individually — no analytics or marketing tags load until you opt in. Your choice is stored in a first-party cookie and you can change or withdraw it at any time using the “Cookie preferences” link in the footer. We apply Google Consent Mode so Google tags respect your selection.
8. Your Rights
Under UK GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data (subject to legal retention requirements)
- Restrict processing
- Request data portability
- Object to processing
- Withdraw consent at any time
To exercise these rights, contact privacy@squigggle.io. We will respond within 30 days.
9. International Transfers
Your data may be processed outside the UK by our service providers. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses or adequacy decisions.
10. Security
We implement appropriate technical and organisational measures to protect your data, including encryption at rest and in transit, access controls, and regular security assessments. Documents are cryptographically signed using ECDSA P-256 to ensure integrity.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email. The latest version is always available at squigggle.io/privacy.
12. Contact and Complaints
For privacy enquiries: privacy@squigggle.io
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.