Scriboflow

Privacy Policy

Last updated: [to be added]

This Privacy Policy explains how Scriboflow collects, uses, stores, and protects personal data.

Scriboflow is a contract management and electronic signature platform for businesses.

1. Who We Are

Scriboflow is a product operated by:

Asterly ApS
CVR: [to be added]
Denmark

For privacy-related questions, contact us at:

privacy@scriboflow.com

2. Our Role Under GDPR

Scriboflow may act as either a data controller or a data processor, depending on the type of data involved.

Asterly ApS acts as data controller for personal data related to:

  • account registration;
  • billing and subscriptions;
  • customer support;
  • website analytics;
  • service administration; and
  • communications with users.

For personal data contained in customer contracts, uploaded documents, signer information, signature records, and contract audit trails, Asterly ApS generally acts as a data processor on behalf of the customer.

Customers are responsible for ensuring that the personal data they upload to Scriboflow is processed lawfully.

3. Personal Data We Collect

When you use Scriboflow, we may collect the following types of personal data.

Account Information

  • name;
  • email address;
  • company name;
  • role or job title, if provided;
  • phone number, if provided.

Authentication Data

  • email and password credentials;
  • Google authentication data if you choose to sign in with Google;
  • multi-factor authentication data where enabled.

Billing Information

Payments are processed by Stripe.

Scriboflow does not store full payment card information.

We may store billing-related information such as subscription status, billing email, invoices, payment status, and customer identifiers.

Contract and Document Data

  • contracts and documents uploaded to the platform;
  • contract metadata, such as status, participants, timestamps, and signing order;
  • signer names and email addresses;
  • signature data;
  • signing consent records;
  • audit timeline events;
  • activity logs;
  • IP addresses related to signing and contract activity.

Technical and Usage Information

  • IP address;
  • browser type;
  • device information;
  • session information;
  • log data;
  • usage data related to the operation, security, and improvement of the service.

Analytics Data

We use analytics tools to understand how visitors and users interact with Scriboflow.

  • Google Analytics is used for website analytics.
  • PostHog is used for product analytics and usage insights.

Where required by law, analytics cookies or tracking technologies are only used after consent.

4. How We Use Personal Data

We use personal data to:

  • provide and operate the Scriboflow platform;
  • create and manage user accounts;
  • enable contract management and electronic signatures;
  • process subscriptions and payments;
  • send transactional emails and service notifications;
  • provide customer support;
  • maintain platform security;
  • prevent fraud and unauthorized access;
  • monitor performance and reliability;
  • improve the usability and functionality of the service;
  • comply with legal, accounting, and regulatory obligations.

5. Legal Basis for Processing

Under the General Data Protection Regulation (GDPR), we rely on the following legal bases:

Contractual Necessity

To provide Scriboflow, manage accounts, process subscriptions, and deliver requested platform functionality.

Legitimate Interest

To operate, secure, monitor, maintain, and improve the platform, prevent fraud, and communicate with customers.

Legal Obligation

To comply with applicable legal, accounting, tax, and regulatory requirements.

Consent

For analytics cookies, marketing communications, or other processing activities where consent is required by law.

6. Third-Party Service Providers and Subprocessors

Scriboflow uses selected third-party providers to operate the platform.

Current providers include:

ProviderPurpose
SupabaseDatabase, authentication, and application data
Google CloudContract file storage and supporting infrastructure
VercelApplication hosting and delivery
IduraElectronic signatures and identity verification
ResendTransactional emails and notifications
StripeBilling and payment processing
PostHogProduct analytics and usage insights
Google AnalyticsWebsite analytics

These providers may process personal data on our behalf under appropriate data protection terms.

More information is available on our Subprocessors page:

/trust/subprocessors

7. Data Location

Customer data is primarily stored and processed in Europe.

Scriboflow's core infrastructure is located in Europe, with primary infrastructure in Frankfurt, Germany.

Contract files are stored using Google Cloud.

Application data, authentication data, and contract metadata are managed through Supabase.

Where a provider may process data outside the European Economic Area, appropriate safeguards such as Standard Contractual Clauses may be used where required.

8. Security

We implement technical and organizational measures designed to protect personal data.

These measures include:

  • encryption in transit and at rest;
  • secure infrastructure providers;
  • multi-factor authentication;
  • email verification;
  • automatic session expiration after inactivity;
  • daily backups;
  • access controls for production systems;
  • activity logs;
  • contract audit timelines;
  • IP tracking for important contract and signing events;
  • monitoring and logging for security purposes.

No internet-based service can be guaranteed to be completely secure, but we work to protect customer data using appropriate security measures.

More information is available in our Security Overview:

/trust/security

9. Data Retention

We retain personal data for as long as necessary to provide the service, comply with legal obligations, resolve disputes, maintain security, and enforce agreements.

For active accounts, contract data and account data are retained while the account remains active.

When an account is deleted:

  • account data is removed or anonymized where possible;
  • documents and associated contract data are deleted from active systems where applicable;
  • certain information may be retained where required for legal, accounting, tax, security, or fraud-prevention purposes;
  • backups may retain data temporarily until they are overwritten or expire according to backup retention practices.

Customers may request deletion of account or contract data by contacting privacy@scriboflow.com.

10. Data Processing Agreement

For business customers requiring a Data Processing Agreement, information is available here:

/trust/dpa

A DPA may be relevant where Scriboflow processes personal data on behalf of a customer, especially personal data contained in contracts, documents, signer information, or audit records.

11. Your GDPR Rights

If you are located in the European Economic Area, you may have the right to:

  • access your personal data;
  • request correction of inaccurate personal data;
  • request deletion of personal data;
  • restrict processing;
  • object to processing;
  • request data portability;
  • withdraw consent where processing is based on consent;
  • lodge a complaint with a supervisory authority.

Requests can be sent to:

privacy@scriboflow.com

We may need to verify your identity before responding to a request.

12. Cookies

Scriboflow uses cookies and similar technologies.

We may use:

  • necessary cookies required to operate the website and service;
  • authentication and session cookies;
  • analytics cookies to understand website and product usage.

Where required by law, analytics cookies are only activated after user consent.

13. Communications

We may send service-related emails, including account notifications, security messages, billing notices, signing notifications, and other transactional emails.

Where marketing communications are used, you may unsubscribe or withdraw consent where applicable.

14. Children

Scriboflow is intended for business use and is not directed at children.

Users must be at least 18 years old to use the service.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.

When we do, the updated version will be published on this page with a revised "Last updated" date.

If material changes are made, we may notify users through the platform, by email, or by other reasonable means.

16. Contact

For privacy-related questions or requests, contact:

privacy@scriboflow.com