GDPR compliance
This page contains information specifically about our compliance with the EU General Data Protection Regulation (GDPR). More general information can be found in our privacy policy.
Is SigMonster GDPR compliant?
SigMonster is committed to complying with the GDPR.
We take our responsibilities (and your data) seriously. As per the guidelines published by the Office of the Australian Information Commissioner, and as an Australian business offering services to citizens and residents of the European Union, SigMonster has obligations under the GDPR as well as the Australian Privacy Act 1988 (Cth).
We take a proactive approach to privacy and information security. This includes:
- minimizing the amount of information we collect;
- only retaining that information whilst it is necessary to provide our services to you;
- being clear about what information we hold about you, and giving you visibility of that information;
- allowing you to update and/or remove that information;
- notifying you if we believe any of that information has been compromised; and
- having zero knowledge of payment mechanism details (using a trusted third party).
FAQ
How can I see/modify what data is held about me?
All of the data held about you within the service is visible from within the web application, either via your profile page or your signatures pages.
Information held about you relating to support requests, billing inquiries, etc. may be held in different systems. Please contact us and we will assist with determining which systems may hold such information and disclosing that information to you, and/or assist you to modify that information where it may be incorrect.
How can I delete my data?
Deleting your account
In order to remove your personal data from our systems, simply delete your account. Deleting your personal account is permanent and unrecoverable.
Once your account is deleted:
- Any emails sent containing a personal signature will contain a placeholder image with no personally-identifying information.
- Any emails sent containing an organizational signature will contain the generic signature for that organization with no personally-identifying information.
- All of your personal data will be deleted immediately from operational systems.
- All of your personal data will be deleted as soon as practicable for downstream systems (e.g. billing).
- Where financial transactions have taken place (e.g. when you have paid for a service) we are obliged to retain those transactional records for audit purposes under Australian law. We will only use those records for those purposes required by law.
After an account is deleted, we keep no records beyond what we are legally required to retain, and for no longer than the duration we are required to retain them, subject to applicable statutory obligations and/or court orders.
Deleting an organization
In order to remove your organization's data from our systems, simply delete the organization. Deleting an organization is permanent and unrecoverable.
Once an organization is deleted:
- All organizational information will be immediately removed from operational systems.
- All organizational data will be deleted as soon as practicable for downstream systems (e.g. billing).
- All members of the organization will be immediately removed from that organization.
- All individual members' accounts will continue to exist in the system as accounts may also be used privately and/or be a member of more than one organization.
- Member accounts may be deleted separately by the respective account-holders.
- Any emails sent using an organizational signature will contain a placeholder image with no personally-identifying or organization-identifying information.
- Where financial transactions have taken place (e.g. when you have paid for a service) we are obliged to retain those transactional records for audit purposes under Australian law. We will only use those records for those purposes required by law.
Your data, third-party providers and the GDPR
We use a number of third-party companies to provide our services. We only disclose the necessary information to each service provider in order for them to provide their service.
Below is a list of third-party service providers we use, the nature of the service provided by them to us and the nature of your data which will be transferred to them or collected by them on our behalf.
| Entity | Nature of service | Nature of data stored | GDPR compliance |
|---|---|---|---|
| Cloudflare | Content delivery network | Caching and delivery of rendered signature images. | Compliance Statement |
| Google Analytics | Web analytics. | | Compliance Statement |
| Google Mail (GMail/G Suite) | Email. Used for customer support and onboarding. | Data Subject's name, email address, phone number, organization's name if applicable, billing details and whatever else may need to be communicated via email to resolve a customer's issue. | Compliance Statement |
| Linode (Australia) | Cloud hosting. | All Data Subject's details stored within the application suite. Name, email addresses, phone number, organization memberships, email signatures. | Compliance Statement |
| MailChimp | Email campaigns. | Data Subject's name and email address. | Compliance Statement |
| Microsoft Azure (Australia) | Cloud hosting. | All Data Subject's details stored within the application suite. Name, email addresses, phone number, organization memberships, email signatures. | Compliance Statement |
| Stripe (Australia) | Payment gateway. | Data Subject's name, email address, organization name, credit card details (never visible to us), transaction history. | Compliance Statement |
| Xero (Australia) | Cloud-based accounting system. | Data Subject's name, email address and phone number. Organization name. Transactional history. | Compliance Statement |