Scope and global application
This Privacy Policy explains how we handle personal data when you use AlexSignum. It is primarily designed to comply with the EU General Data Protection Regulation (GDPR). We apply similar high standards globally as a matter of best practice.
Who we are
Data Controller:
Alliance Regulatory Limited
2301, 23/F, Bayfield Building
99 Hennessy Road, Wan Chai
Hong Kong
Privacy enquiries: contact@allianceregulatory.com
Data Protection Officer: Alliance Regulatory Limited has not appointed a Data Protection Officer as it is not required to do so under Article 37 GDPR. All privacy-related enquiries should be sent to the email address above.
What personal data we collect and why
We collect only the minimum personal data necessary to provide and secure the Service.
Account and profile data
Data: Name, email address, company/organisation, role/job title, password (hashed).
Purpose: Create and manage user accounts, access control, and service delivery.
Legal basis: Contractual necessity (Art. 6(1)(b) GDPR).
Mandatory? Yes. We cannot provide the Service without this information.
External signers are not required to create or log into a BoldSign account. Signing is completed via a secure email link sent by BoldSign. You (the workspace owner) control which signer details are shared with BoldSign.
Document and content data
Data: Templates selected, document content you create or upload, generated documents, internal review comments and notes.
Purpose: Deliver the core document generation, workflow, review, and signing service.
Legal basis: Contractual necessity (Art. 6(1)(b) GDPR).
On-chain data: Only cryptographic hashes, Merkle roots/manifests, and minimal metadata are anchored on the private blockchain (hosted on our self-hosted infrastructure in France). Full documents and personal data are not stored on-chain. Cryptographic hashes cannot be used to reconstruct the original document. They are retained solely to enable independent verification of document integrity.
Signing and workflow data
Data: Signer names and email addresses (provided by you) and phone numbers (where required for certain signature levels), signing status, timestamps, signed documents retrieved from BoldSign, case/workspace metadata and state transitions.
Purpose: Enable external signing workflows (including identity verification where applicable) and maintain accurate case lifecycle records.
Legal basis: Contractual necessity (Art. 6(1)(b) GDPR) and legitimate interests (Art. 6(1)(f) GDPR - reliable workflow and audit trail).
Note on data source: When you invite external signers, their contact details (including phone numbers if needed for the chosen signature level) are provided by you (the workspace owner or document creator), not collected directly from the signers.
Technical and usage data
Data: IP address (anonymised/truncated), device/browser information, approximate location (country/region), timestamps, and interaction metadata.
Purpose: Security, fraud prevention, service reliability, debugging, and basic analytics.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
External verification
External verification is available via public verification or restricted one-time/time-limited secure links (magic links). These links provide read-only access and do not require users to create an AlexSignum account.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR - enabling verification of anchored documents).
How long we keep your data
We retain personal data only for as long as necessary for the purposes described above, unless a longer retention period is required by law:
- Active account and workspace data: Retained while your account is active. Deleted or anonymised within 90 days after account closure, unless legal or regulatory obligations require longer retention.
- Generated and signed documents: Retained according to your organisation’s settings or applicable legal/regulatory retention requirements (particularly in the chemical, pharmaceutical, and regulatory affairs sectors, where retention periods of 5 to 30+ years may apply). You control certain retention parameters through your workspace settings.
- Signing logs, workflow metadata and audit records: Up to 2 years after the case is completed or archived, or longer if required for legal, regulatory or audit purposes.
- Technical logs and anonymised analytics: Up to 2 years.
- Data on the blockchain: Hashes and metadata are retained indefinitely as they form part of the immutable verification record.
Data is automatically deleted or anonymised when no longer needed.
Data location and international transfers
The core application, database, and private blockchain are hosted on our self-managed VPS infrastructure provided by Hetzner Cloud (located in the EU - Germany). All personal data and documents remain under our full control.
Authorised personnel based in Hong Kong may access personal data for administration, support, and operational purposes. We have implemented appropriate technical and organisational measures to protect the data and ensure compliance with GDPR for any international transfers.
Your rights
You have the following rights under GDPR (subject to applicable exceptions):
- Right of access
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent (where processing is based on consent)
Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
You also have the right to lodge a complaint with the supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement.
To exercise your rights, please contact us at contact@allianceregulatory.com. We will respond within one month (this period may be extended by up to two further months for complex requests).
Automated decision-making and profiling
AlexSignum does not use automated decision-making or profiling that produces legal or similarly significant effects concerning individuals, as referred to in Article 22 GDPR.
Security of your data
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, and regular security monitoring. All infrastructure is self-hosted on our own network.
Children’s privacy
The Service is not directed at children under 16. We do not knowingly collect data from children.
Changes to this policy
We may update this policy. Significant changes will be notified via in-app notice or email (if provided). The latest version will always be available on the Platform.
Contact us
For privacy questions: contact@allianceregulatory.com
Your use of AlexSignum is subject to this Privacy Policy.