Who we are
Novan LLC, a Maryland limited liability company, is the data controller for personal data processed through vouch.ink. You can reach us at privacy@vouch.ink.
vouch.ink is sold to organizations and individuals who need ESIGN/UETA-compliant electronic signatures. The Mindful Landlord (a separate business operated by the same owner) is one of our users; this Privacy Policy applies to vouch.ink only.
What we collect, and why
We collect three categories of data.
A. Account data (about Senders)
Email, name, organization name, hashed password (managed by Supabase Auth), billing details (handled by Stripe — we never see card numbers). We use this to authenticate you, bill you, and send you operational email about your account.
B. Document data
The PDFs you upload, the fields you place, the signatures collected, the recipients you send to, and the resulting signed documents. We process this only to operate the service for you. We never read, mine, or share document contents.
C. Audit data (about Signers and Senders)
Every signing event captures: the requester's IP address, browser user-agent, server-side timestamp, the unique signing-link token, and the affirmative consent text shown. Document opens, downloads, and PDF reads are also logged. This is the legal record — without it, the signature isn't enforceable. We retain it as long as we retain the signed document.
Cookies and tracking
We use a single first-party session cookie to keep you logged in. We do not use third-party analytics that profile users. We do not run advertising trackers. We do not use Google Analytics, Meta Pixel, or similar tools that share visitor data with ad networks.
We do log basic, aggregated request data (URL, response code, response time) for operational reasons — diagnosing errors, detecting abuse. These logs are retained for 30 days and are not cross-referenced to user identity.
Sub-processors
We use the following third-party providers to operate vouch.ink. Each is contractually bound to handle your data with at least the standards described in this Policy.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database, file storage, authentication | U.S. |
| Railway | Backend API hosting | U.S. |
| Netlify | Frontend / dashboard hosting + CDN | Global edge |
| Resend | Transactional email delivery | U.S. |
| Stripe | Subscription billing and payment processing | U.S. |
| GoDaddy | Domain name registration | U.S. |
How we share data
We share data only with the sub-processors listed above and only as needed to deliver the service. We do not sell personal data. We do not share data with advertisers or data brokers. We will disclose data to law enforcement only when required by valid legal process, and we will notify the affected account holder unless legally prohibited.
Where data lives
Account and document data is stored in Supabase's U.S. region. Email is delivered through Resend. Backend services run on Railway in U.S. infrastructure. The marketing site and dashboard are served from Netlify's global CDN. Backups are held in encrypted form for 30 days.
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256, managed by the underlying providers).
Retention
Signed documents and their audit trails are retained for seven (7) years from the date of sealing. This is the window we believe satisfies the substantive law of most U.S. jurisdictions and is required to keep the evidence enforceable.
Drafts and unsent documents are retained until you delete them or close your account. They are deleted within 30 days of account closure.
Operational logs (server access logs, error logs) are retained for 30 days.
Backups are retained for 30 days in encrypted form, then permanently deleted.
Your rights
Wherever you are in the world, you have the following rights with respect to your data on vouch.ink. Email privacy@vouch.ink and we'll respond within 30 days.
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to fix inaccurate data.
- Deletion — ask us to delete your data, subject to the retention rules above for legally binding signed documents.
- Portability — receive your documents and audit trails in a machine-readable format (PDF + JSON).
- Objection — object to specific processing (e.g., marketing email).
- Withdraw consent — including the ESIGN consent on a per-document basis (decline to sign).
For California residents (CCPA/CPRA): we do not sell or share personal information. You have the right to know, delete, correct, and limit use of sensitive personal information.
For EEA / UK residents (GDPR): our legal bases for processing are (a) contract performance for account and document data, (b) legitimate interest for audit data and operational logs, and (c) consent for any optional marketing email. You have the right to lodge a complaint with your local supervisory authority, though we'd appreciate the chance to address concerns first.
Children
vouch.ink is not directed to children under 16, and we don't knowingly collect data from them. If you believe a child has created an account, email privacy@vouch.ink and we'll delete it.
Security
We follow standard security practices: encrypted transport, encrypted at-rest storage, scoped access via Supabase row-level security, hash-chained audit logs, append-only audit tables, and the principle of least privilege for staff access. Detailed practices are documented in our security guide (available on request to enterprise customers).
If you discover a security vulnerability, please email security@vouch.ink. We welcome responsible disclosure and will respond within 5 business days.
Breach notification
If we discover a breach of personal data that creates a meaningful risk to you, we will notify affected users via the email on file within 72 hours of confirmation, and notify supervisory authorities where required by applicable law (including GDPR Art. 33 and U.S. state breach laws).
Changes to this Policy
Material changes will be announced via email at least 30 days before they take effect. The Effective Date at the top of this page always reflects the current version. Past versions are available on request.
Contact
Data controller: Novan LLC, Baltimore, Maryland, USA.
Privacy and data requests: privacy@vouch.ink
Security: security@vouch.ink
General: hello@vouch.ink