SignFlow

Privacy Policy

Effective date
March 28, 2026
Entity
Spenat Labs Inc.
Address
995 Market St, San Francisco, CA 94103, USA

Spenat Labs Inc. (“Spenat Labs,” “we,” “us,” or “our”) provides electronic document, signature, approval, workflow, and related software and services (collectively, the “Service”).

This Privacy Policy explains how we collect, use, disclose, store, and otherwise process personal information in connection with the Service, including when you create an account, upload documents, send signature requests, receive or access a signing link, sign or review a document, visit our website, contact us, or otherwise interact with us.

This Privacy Policy applies to personal information we process as a business, controller, or similar primary responsible party under applicable law. In some cases, we may process personal information on behalf of our business customers or other users who use the Service to send documents and collect signatures. In those cases, we may act as a service provider, processor, or similar role, and the relevant customer or sender may separately determine how your personal information is used.

By using the Service, you acknowledge this Privacy Policy.

1. Scope and Roles

Depending on the circumstances, Spenat Labs may process personal information in different roles:

  • When you interact with us directly — for example by creating an account, visiting our website, contacting us, or subscribing to a service — we generally act as the business, controller, or similar responsible party for that processing.
  • When a customer or sender uses our platform to send you a document, request your signature, or manage a workflow, we may process personal information on that customer’s behalf. In those cases, the customer or sender may be the business, controller, or similar responsible party for the document workflow and related personal information.

If you are a signer, reviewer, recipient, employee, contractor, or other individual whose information was submitted to our platform by a customer or sender, please contact that customer or sender first for questions about the contents of the document, the legal basis for the transaction, or requests relating to that particular workflow.

2. Personal Information We Collect

We may collect the following categories of personal information, depending on how you use the Service.

A. Information You Provide Directly

This may include:

  • name, display name, username, title, company name, and organization details;
  • email address, phone number, mailing address, and billing information;
  • account credentials and authentication-related information;
  • profile information, workspace information, seat assignments, and administrative settings;
  • content of documents, templates, forms, messages, custom fields, branding assets, and instructions you upload or submit;
  • signer, recipient, approver, reviewer, witness, or other participant details you provide;
  • support requests, emails, chat messages, survey responses, and other communications with us; and
  • payment and transaction-related information, to the extent we or our payment providers process it.

B. Information Collected Automatically

When you use the Service, open a signing link, or interact with our website or applications, we may automatically collect:

  • device information, browser type, operating system, language, settings, and identifiers;
  • IP address, approximate location derived from IP, time zone, and network information;
  • log data, timestamps, event histories, clickstream data, page views, navigation paths, referrer URLs, and session activity;
  • document interaction data, such as when a link was sent, opened, viewed, scrolled, clicked, approved, signed, declined, or completed;
  • technical and diagnostic data, crash data, performance data, and error reports; and
  • cookie, SDK, pixel, local storage, and similar tracking data.

C. Signature and Transaction Information

In connection with document workflows, we may collect and generate:

  • signature images, typed signature selections, drawn signatures, initials, checkboxes, consent events, and related signing actions;
  • audit trail information, completion records, certificates, event logs, timestamps, IP logs, and user-agent information;
  • identity- or access-related signals used to route, track, or secure the workflow; and
  • metadata relating to document status, delivery, access, authentication, and completion.

D. Information from Third Parties

We may receive information from:

  • account authentication and identity providers;
  • payment processors and billing vendors;
  • analytics, hosting, security, communications, and infrastructure providers;
  • customer integrations, workspace administrators, or users who invite you to a workflow; and
  • public sources or third-party sources used for compliance, fraud prevention, or business operations.

E. AI, OCR, and Automated Processing Inputs and Outputs

If the Service includes AI-assisted, OCR, extraction, classification, auto-field detection, or similar functionality, we may process uploaded documents, document images, metadata, prompts, instructions, extracted text, suggested fields, and related outputs generated by such systems.

3. How We Use Personal Information

We may use personal information for the following purposes:

  • to provide, operate, maintain, host, support, secure, monitor, and improve the Service;
  • to create and manage accounts, workspaces, permissions, subscriptions, and administrative controls;
  • to upload, store, process, deliver, display, route, sign, complete, and manage documents and workflows;
  • to send transactional communications, security alerts, service messages, reminders, confirmations, and support responses;
  • to process payments, invoices, and billing-related matters;
  • to provide customer support, troubleshoot issues, and respond to requests;
  • to develop and improve features, user experience, quality, and product performance;
  • to detect, investigate, prevent, and address fraud, abuse, unauthorized access, security incidents, technical issues, and violations of our terms or policies;
  • to enforce our agreements and protect our rights, users, systems, and business operations;
  • to comply with legal obligations, respond to lawful requests, and establish, exercise, or defend legal claims;
  • to analyze usage, trends, performance, and engagement;
  • to personalize parts of the Service, including workspace settings and product experiences; and
  • to support AI-, OCR-, or automation-related functionality and related quality, safety, and service operations.

We may also use aggregated, anonymized, or de-identified data for analytics, security, benchmarking, product development, research, and business purposes.

Where required by applicable law, we rely on one or more of the following legal bases:

  • performance of a contract or steps taken at your request before entering into a contract;
  • our legitimate interests, such as operating the Service, securing systems, preventing abuse, improving products, and communicating with users, where those interests are not overridden by your rights;
  • compliance with legal obligations;
  • your consent, where required by law; and
  • other lawful bases available under applicable law.

When we process personal information on behalf of a customer or sender in a processor or service-provider capacity, that customer or sender is typically responsible for establishing the legal basis for the underlying workflow or transaction.

5. Cookies and Similar Technologies

We and our service providers may use cookies, pixels, tags, SDKs, local storage, and similar technologies to:

  • keep you signed in and remember preferences;
  • operate security and fraud-prevention features;
  • understand how the Service is used;
  • measure traffic, engagement, and performance;
  • diagnose issues and improve functionality; and
  • support product analytics and service operations.

Some cookies or similar technologies may be essential for the Service to function. Others may be used for analytics or related operational purposes.

If required by applicable law, we will provide additional notice, consent mechanisms, or controls regarding non-essential cookies or similar technologies.

6. How We Disclose Personal Information

We may disclose personal information to:

  • your organization, workspace administrators, account owners, and authorized users within a workspace;
  • senders, signers, recipients, reviewers, approvers, witnesses, and other participants involved in a document workflow;
  • vendors, service providers, subprocessors, contractors, and advisors that help us operate the Service, including providers of hosting, storage, infrastructure, authentication, payments, communications, analytics, AI/OCR, customer support, logging, monitoring, and security services;
  • professional advisors such as lawyers, accountants, auditors, insurers, and financing counterparties;
  • regulators, law enforcement, courts, governmental authorities, and other third parties when required by law or when we believe disclosure is necessary to comply with legal process, protect rights, investigate misconduct, or prevent harm;
  • parties involved in an actual or proposed merger, acquisition, financing, reorganization, asset sale, insolvency event, or similar corporate transaction; and
  • other parties at your direction or with your consent.

We do not sell personal information for money. However, some privacy laws define “sale,” “sharing,” or similar terms broadly. Depending on the applicable law and how our analytics or similar tools operate, certain disclosures may be considered “sharing” or a similar regulated activity.

7. International Data Transfers

We may process and store personal information in the United States and other countries where we or our service providers operate. These locations may have data protection laws that differ from those of your jurisdiction.

Where required by law, we will implement appropriate safeguards for cross-border transfers, which may include contractual safeguards or other lawful transfer mechanisms.

8. Data Retention

We retain personal information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Service, comply with legal obligations, resolve disputes, enforce agreements, maintain security, and support business operations.

Retention periods may vary based on the type of information, the nature of the Service, applicable contractual arrangements, legal requirements, dispute risk, system backups, and operational needs.

We are not obligated to retain documents or personal information for any minimum period unless required by law or expressly agreed in writing. We may delete documents, workflows, accounts, or related data at any time in our discretion, subject to applicable law and contractual commitments.

9. Data Security

We use commercially reasonable administrative, technical, and organizational measures designed to protect personal information. However, no method of transmission, storage, or security control is completely secure, and we cannot guarantee absolute security.

Users are responsible for safeguarding account credentials, controlling access to devices and email accounts, maintaining their own backups, and using the Service appropriately.

10. Your Privacy Rights

Depending on your location and applicable law, you may have rights regarding your personal information, such as the right to:

  • know or access certain personal information;
  • request correction of inaccurate personal information;
  • request deletion of certain personal information;
  • object to or restrict certain processing;
  • request portability of certain personal information;
  • withdraw consent where processing is based on consent; and
  • opt out of certain types of data use where required by law.

These rights are not absolute and may be subject to exceptions and limitations.

If we process your personal information on behalf of a customer or sender, we may direct your request to that customer or sender or advise you to contact them directly, especially where they control the relevant document workflow or content.

To submit a privacy request to us, contact hello@spenatlabs.com.

11. U.S. State Privacy Rights

If you are a resident of a U.S. state that provides privacy rights, you may have rights under applicable state law, subject to statutory exceptions and limitations. These may include rights to access, delete, correct, or obtain a copy of certain personal information, as well as rights relating to certain data uses.

We will not unlawfully discriminate against you for exercising privacy rights.

If applicable law requires an appeals process for denied privacy requests, you may submit an appeal by replying to our response or contacting hello@spenatlabs.com with the subject line Privacy Appeal.

12. European Economic Area, United Kingdom, and Similar Jurisdictions

If you are in the European Economic Area, the United Kingdom, Switzerland, or a similar jurisdiction, you may have rights under applicable data protection laws, including rights of access, rectification, erasure, restriction, portability, objection, and complaint to a competent supervisory authority.

Where required, our legal bases are described in Section 4. If we rely on legitimate interests, you may request more information about those interests.

13. Children's Privacy

The Service is not intended for children under 18, and we do not knowingly collect personal information directly from children under 18 for our own purposes. If you believe a child has provided personal information to us in violation of this section, contact us at hello@spenatlabs.com.

14. Third-Party Services and Links

The Service may contain links to third-party sites, integrations, or services, or may interoperate with third-party products. We are not responsible for the privacy, security, or content practices of third parties. Their use of personal information is governed by their own terms and privacy policies.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be indicated by a revised effective date or as otherwise required by law. Your continued use of the Service after an updated Privacy Policy becomes effective constitutes acknowledgment of the updated policy, to the extent permitted by law.

16. Contact Us

If you have questions about this Privacy Policy or want to submit a privacy-related request, contact:

Spenat Labs Inc.
995 Market St
San Francisco, CA 94103
USA
hello@spenatlabs.com