Alliance Regulatory
Alliance Regulatory AlexSignum Privacy Policy

Legal Information

Privacy Policy

Alliance Regulatory Limited ("we", "us", "our") operates AlexSignum (“AlexSignum”, “the Platform”, “the Service”), a SaaS platform that enables chemical and regulatory affairs professionals to generate validated legal and commercial documents from controlled templates.

Documents can go through optional internal review, external electronic signing via BoldSign, and cryptographic anchoring on a private blockchain. We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR), the ePrivacy Directive, and other applicable data protection laws.

Last Updated June 28, 2026
Effective Date July 01, 2026

Scope and global application

This Privacy Policy explains how we handle personal data when you use AlexSignum. It is primarily designed to comply with the EU General Data Protection Regulation (GDPR). We apply similar high standards globally as a matter of best practice.

Who we are

Data Controller:
Alliance Regulatory Limited
2301, 23/F, Bayfield Building
99 Hennessy Road, Wan Chai
Hong Kong

Privacy enquiries: contact@allianceregulatory.com

Data Protection Officer: Alliance Regulatory Limited has not appointed a Data Protection Officer as it is not required to do so under Article 37 GDPR. All privacy-related enquiries should be sent to the email address above.

What personal data we collect and why

We collect only the minimum personal data necessary to provide and secure the Service.

Account and profile data

Data: Name, email address, company/organisation, role/job title, password (hashed).

Purpose: Create and manage user accounts, access control, and service delivery.

Legal basis: Contractual necessity (Art. 6(1)(b) GDPR).

Mandatory? Yes. We cannot provide the Service without this information.

External signers are not required to create or log into a BoldSign account. Signing is completed via a secure email link sent by BoldSign. You (the workspace owner) control which signer details are shared with BoldSign.

Document and content data

Data: Templates selected, document content you create or upload, generated documents, internal review comments and notes.

Purpose: Deliver the core document generation, workflow, review, and signing service.

Legal basis: Contractual necessity (Art. 6(1)(b) GDPR).

On-chain data: Only cryptographic hashes, Merkle roots/manifests, and minimal metadata are anchored on the private blockchain (hosted on our self-hosted infrastructure in France). Full documents and personal data are not stored on-chain. Cryptographic hashes cannot be used to reconstruct the original document. They are retained solely to enable independent verification of document integrity.

Signing and workflow data

Data: Signer names and email addresses (provided by you) and phone numbers (where required for certain signature levels), signing status, timestamps, signed documents retrieved from BoldSign, case/workspace metadata and state transitions.

Purpose: Enable external signing workflows (including identity verification where applicable) and maintain accurate case lifecycle records.

Legal basis: Contractual necessity (Art. 6(1)(b) GDPR) and legitimate interests (Art. 6(1)(f) GDPR - reliable workflow and audit trail).

Note on data source: When you invite external signers, their contact details (including phone numbers if needed for the chosen signature level) are provided by you (the workspace owner or document creator), not collected directly from the signers.

Technical and usage data

Data: IP address (anonymised/truncated), device/browser information, approximate location (country/region), timestamps, and interaction metadata.

Purpose: Security, fraud prevention, service reliability, debugging, and basic analytics.

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

External verification

External verification is available via public verification or restricted one-time/time-limited secure links (magic links). These links provide read-only access and do not require users to create an AlexSignum account.

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR - enabling verification of anchored documents).

How long we keep your data

We retain personal data only for as long as necessary for the purposes described above, unless a longer retention period is required by law:

  • Active account and workspace data: Retained while your account is active. Deleted or anonymised within 90 days after account closure, unless legal or regulatory obligations require longer retention.
  • Generated and signed documents: Retained according to your organisation’s settings or applicable legal/regulatory retention requirements (particularly in the chemical, pharmaceutical, and regulatory affairs sectors, where retention periods of 5 to 30+ years may apply). You control certain retention parameters through your workspace settings.
  • Signing logs, workflow metadata and audit records: Up to 2 years after the case is completed or archived, or longer if required for legal, regulatory or audit purposes.
  • Technical logs and anonymised analytics: Up to 2 years.
  • Data on the blockchain: Hashes and metadata are retained indefinitely as they form part of the immutable verification record.

Data is automatically deleted or anonymised when no longer needed.

Who we share data with

We do not sell personal data.

We use the following external processors, each acting on our behalf under a Data Processing Agreement (or equivalent safeguards):

  • BoldSign (electronic signature provider): We share only the minimum necessary signer details (names, email addresses, and phone numbers where required for certain signature levels) and documents to enable the signing process.
  • Stripe (payment processing provider): We share necessary billing and payment information to process subscriptions and payments.
  • Resend (email delivery service): We share email addresses and email content (such as signing invitations and notifications) to ensure reliable delivery of transactional emails.
  • Hetzner Cloud (hosting provider): We use a VPS for hosting the application. All personal data remains under our control, and no data is shared beyond the infrastructure hosting.

Infrastructure note: The core application, database, and private blockchain are hosted on our self-managed infrastructure (VPS in EU). Full documents and personal data stay under our responsibility. We do not use external cloud storage or third-party blockchain providers.

We may disclose personal data if required by law or to protect rights and safety.

Data location and international transfers

The core application, database, and private blockchain are hosted on our self-managed VPS infrastructure provided by Hetzner Cloud (located in the EU - Germany). All personal data and documents remain under our full control.

Authorised personnel based in Hong Kong may access personal data for administration, support, and operational purposes. We have implemented appropriate technical and organisational measures to protect the data and ensure compliance with GDPR for any international transfers.

Your rights

You have the following rights under GDPR (subject to applicable exceptions):

  • Right of access
  • Right to rectification
  • Right to erasure (“right to be forgotten”)
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent (where processing is based on consent)

Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

You also have the right to lodge a complaint with the supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement.

To exercise your rights, please contact us at contact@allianceregulatory.com. We will respond within one month (this period may be extended by up to two further months for complex requests).

Automated decision-making and profiling

AlexSignum does not use automated decision-making or profiling that produces legal or similarly significant effects concerning individuals, as referred to in Article 22 GDPR.

Security of your data

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, and regular security monitoring. All infrastructure is self-hosted on our own network.

Cookies and tracking technologies

We use the following types of cookies and similar technologies required for the proper functioning of the Platform:

  • Essential cookies/technologies: Required for login, session management, security and core Platform functionality. They do not require consent under applicable laws.

We do not use analytics, advertising, marketing, or any non-essential cookies at this time. You can manage your cookie preferences (where applicable) via the settings on the Platform or by configuring your browser settings.

Children’s privacy

The Service is not directed at children under 16. We do not knowingly collect data from children.

Changes to this policy

We may update this policy. Significant changes will be notified via in-app notice or email (if provided). The latest version will always be available on the Platform.

Contact us

For privacy questions: contact@allianceregulatory.com

Your use of AlexSignum is subject to this Privacy Policy.