Privacy Policy

• Account info — your email and name from Google sign-in. Used to identify your account.
• Session metadata — when each writing session started and ended, total edit event counts by category (insertions, deletions, undo, redo, cut), pause patterns, and the length (not content) of paste events.
• Document fingerprints — mathematical hashes of your document's state at intervals. Hashes cannot be reversed to reveal text — the text itself never leaves your device.
• Certificate records — when you generate a Certificate of Authorship, we store its metadata (timing, session summary, document title) to support permanent verification URLs.
• Form submissions — when you submit a contact form or waitlist signup on our website, we receive your email, name, optional institution, and any message you wrote. Used to respond to your inquiry and (where applicable) to add you to a waitlist.

• Document text or content
• Which specific keys you pressed
• Clipboard content
• Data from any site outside Google Docs
• Browsing history

This is architectural, not just policy — the code that sends data to our servers has no access to document content.

To operate the service, generate and verify certificates, and send automated confirmation emails when you submit a contact form or waitlist signup on our website. We do not currently send automated emails during onboarding, while using the extension, or when generating certificates. We do not sell your data. We do not use your data for advertising. We do not run third-party analytics or tracking inside the Chrome extension.

Session data is encrypted in your browser before being synced to your Signet account. The local copy is cleared after sync is confirmed.

Signet's infrastructure runs on the following third-party providers, all operating in the United States:

• Supabase, Inc. — database, authentication, and file storage. Holds your account, session metadata, and certificate records.
• Vercel, Inc. — hosts the getsignet.app web application and provides anonymous web analytics (page paths visited, country, device class, referrer). Does not receive account data, document content, or any data from inside the dashboard or extension.
• PostHog, Inc. — receives product analytics events (e.g., "user signed in," "onboarding completed," "certificate generated," "verification document generated") to help us improve the product. Never receives document content, document titles, paste content, paste annotations, or certificate hashes.
• Google LLC — handles the OAuth sign-in flow. We receive your email and name from Google; Google does not receive your writing data.
• Resend, Inc. — delivers automated confirmation emails when you submit a contact form or waitlist signup on our website, and notifications to our team about new submissions. Receives your email address, name, and any message content you submitted. Not used for emails about onboarding, extension usage, or certificate generation — no automated emails are sent for those flows today.

None of these providers have access to your document content. We do not share your data with any party outside this list, except when required by valid legal process (subpoena, court order) or with your explicit consent.

We do not use your data — including session metadata, document fingerprints, certificate records, or any behavioral signals — to train AI systems, our own or anyone else's. Our infrastructure providers operate under their own terms, but none have access to your document content, and we do not authorize our metadata to be used as training data for AI systems of any kind.

• Exclude any document from recording at any time via the extension.
• Download a signed copy of your complete record from your dashboard.
• Delete your account by contacting support@getsignet.app.
• Sign out of the dashboard at any time. Note that signing out of the dashboard does not stop the extension from recording — you must use the extension's exclude or uninstall options to do that.

• Session metadata — kept while your account is active. Deleted 90 days after account cancellation.
• Certificate records — kept indefinitely to support permanent verification URLs. On account deletion, certificate records are anonymized (your account identifier is removed) rather than deleted, so verification keeps working for anyone holding a certificate you previously issued.
• Account data — deleted on request, typically within 30 days.

You may request access to, correction of, or deletion of your personal data at any time by emailing support@getsignet.app. We respond within 30 days.

The Signet /Draft extension operates only on docs.google.com. It does not run on any other site. It does not intercept network traffic or modify the Google Docs interface beyond a small, dismissable indicator. The extension requests only the minimum Chrome permissions required to function: storage (for authentication tokens and queued session data) and alarms (for background token refresh).

Signet /Draft is not directed to children under 13. By creating an account, you confirm that you are at least 13 years of age. If you are under 18, you should review these terms with a parent or guardian. If we become aware that we have collected personal information from a child under 13, we will delete that information.

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) give you specific rights regarding your personal information:

• Right to know what personal information we have collected about you.
• Right to delete personal information we have collected about you, subject to certain exceptions (including certificate records, which are preserved for permanent verification — these are anonymized on account deletion).
• Right to correct inaccurate personal information.
• Right to opt out of the sale or sharing of personal information. Signet does not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
• Right to non-discrimination for exercising any of these rights.

To exercise these rights, contact us at support@getsignet.app. We respond within 45 days as required by California law. You may also designate an authorized agent to make a request on your behalf — we will verify your identity before fulfilling the request.

If we make material changes, we will update the date above and notify active users by email. Continued use after changes take effect constitutes acceptance.

Privacy questions: support@getsignet.app