Privacy Policy
Effective date: March 12, 2026
1. Introduction
Stage 11 Agentics ("we," "us," or "our") operates Sigil-Sign, an electronic signature platform available at sigilsign.stage11.ai. This Privacy Policy describes how we collect, use, store, and protect your personal information when you use the Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address — used for login, notifications, and communication
- Full name — displayed in documents and signing workflows
- Password — stored as a secure hash by our authentication provider (Supabase); we never store plaintext passwords
- Organization name — for multi-user team features
2.2 Signer Information
When you are designated as a signer on a document, the document sender provides us with:
- Your name and email address
- Your role (signer, counter-signer, approver, or witness)
Signers do not need to create an account. Access is provided via a unique, time-limited signing link.
2.3 Documents
Users upload PDF documents for signature. We store:
- The original uploaded PDF
- Versioned copies as each signer signs
- The final signed PDF
- A Certificate of Completion (audit trail PDF)
- SHA-256 hashes of original and signed documents for integrity verification
We do not access or analyze the content of your documents except as necessary to render them for signing or comply with law.
2.4 Audit Trail Data
For every document, we maintain an immutable, cryptographically chained audit trail that records:
- Timestamps (UTC) for each event (creation, viewing, signing, completion)
- IP addresses of participants
- User agent strings (browser/device information)
- Event type and actor (who performed what action)
- Consent records (the exact disclosure text shown and acknowledged by each signer)
This data is essential for establishing the legal validity of electronic signatures and cannot be deleted or modified once recorded.
2.5 API Keys
If you use the API, we store a SHA-256 hash of your API key and the key's name, creation date, and last-used timestamp. The plaintext key is shown only once at creation and is not stored.
2.6 Usage and Billing Data
We track document completion events for billing purposes. Payment processing is handled by Stripe; we store your Stripe customer ID but do not store credit card numbers or full payment details on our servers.
2.7 Automatically Collected Data
When you use the Service, we automatically collect:
- IP address
- Browser type and version (user agent)
- Pages visited and actions taken
- Error and performance data (via Sentry, when enabled)
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Authenticate users and authorize access
- Send transactional emails (signing requests, completion notifications, payment alerts, team invitations)
- Process billing and payments
- Maintain audit trails that establish the legal validity of signatures
- Monitor for abuse and ensure security
- Comply with legal obligations
4. How We Share Your Information
We do not sell your personal information. We share data only in the following circumstances:
4.1 With Other Users
When you sign a document, your name, email, and signing activity are visible to the document sender and other signers on the same document. Certificates of Completion include signer names, timestamps, and IP addresses.
4.2 With Service Providers
We use the following third-party services to operate Sigil-Sign:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Authentication and user management | Email, password hash, account metadata |
| Stripe | Payment processing and billing | Email, usage events, payment information |
| Resend | Transactional email delivery | Recipient email, sender name, document name |
| Sentry | Error tracking and monitoring | Error data, request metadata (when enabled) |
Each provider processes data under their own privacy policy and our data processing agreements.
4.3 For Legal Reasons
We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Stage 11 Agentics, our users, or the public.
5. Cookies and Session Data
We use cookies to maintain your login session:
- sigil_session — stores your authentication token for dashboard access
- sigil_session_apikey — stores organization API key context for authenticated sessions
These are functional cookies essential to operating the Service. We do not use advertising or tracking cookies.
6. Data Retention
- Account data — retained for the duration of your account
- Documents and signed PDFs — retained indefinitely to preserve the legal validity of signatures, unless you request deletion
- Audit trail events — retained indefinitely; these are immutable records essential to signature validity and cannot be selectively deleted
- Signing tokens — expire after 7 days and are not reusable
- Session tokens — expire after 1 hour of inactivity
- API keys — retained until revoked by the organization owner or administrator
7. Data Security
We implement security measures to protect your data, including:
- SHA-256 hashing of API keys and signing tokens (plaintext not stored)
- Cryptographically chained audit trails (tamper detection via hash chains)
- HMAC-signed webhook payloads
- Scoped, time-limited sender tokens
- Role-based access control within organizations
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate data
- Deletion — request deletion of your personal data, subject to our legal obligations to retain audit trail records
- Data portability — receive your data in a structured, machine-readable format
- Objection — object to certain types of processing
To exercise these rights, contact us at privacy@stage11.ai.
Important limitation: Audit trail records (timestamps, IP addresses, event logs) associated with completed signatures cannot be deleted, as they are essential to the legal integrity of signed documents. We can delete your account and documents, but the audit trail for completed signatures must be retained.
9. Children's Privacy
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will delete it promptly.
10. International Data Transfers
Your data may be processed in the United States or other countries where our service providers operate. By using the Service, you consent to the transfer of your data to these jurisdictions, which may have different data protection laws than your country of residence.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised effective date. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
12. Contact Us
For questions or concerns about this Privacy Policy or our data practices, contact us at:
Stage 11 Agentics
Email: privacy@stage11.ai