Privacy Policy

What we collect

• The text you choose to sign for hosted receipts.
• A strict hash and a normalized hash of that text so receipts can be verified even if formatting changes.
• Receipt metadata such as signature type, verification methods, confidence score, timestamps, expiration date, and the signed statement used to verify the receipt.
• A salted hash of your IP address for abuse prevention and rate limiting.

Optional verification data

• Captcha: Cloudflare Turnstile may process technical and browser information to help distinguish people from bots.
• OAuth: If you connect Google or Apple, we store the provider name and a salted hash of the provider account identifier. We only store your email address or profile picture if you ask us to disclose them and the provider returns them.
• Proof of payment: If you use Stripe checkout, we store payment proof records such as the tier, amount, currency, status, checkout references, and checkout link. This app does not store full card numbers.
• SMS verification: If you verify a phone number, Twilio Verify sends and checks the code. We store a hash of the phone number and the proof status. Your full phone number is only stored on the final receipt if you choose to disclose it after successful verification.
• Passkeys: If you use a passkey, we store passkey proof data such as a hash of the credential ID, the public key, authenticator or device label, timestamps, and status.

What becomes public

• The signed text for hosted receipts.
• The receipt ID, signed date, expiration date, signature type, verification methods, and verification strength data.
• The identity provider name if you use OAuth.
• Your email address, profile picture, or phone number only if you explicitly choose to disclose them.
• Payment metadata connected to a proof-of-payment signature.

How we use information

• To create, store, and verify signature receipts.
• To support optional identity, payment, SMS, and passkey verification features.
• To prevent abuse, spam, fraud, and automated signing.
• To keep the service running securely.

Browser storage and cookies

• SignedByAHuman uses browser localStorage to remember temporary OAuth, payment, SMS, and passkey proof IDs, plus some draft settings, during the signing flow.
• The current product does not include first-party analytics or advertising cookies.
• Third-party services such as Stripe Checkout, Google or Apple sign-in pages, Cloudflare Turnstile, or Google Fonts may use their own cookies or similar technologies when your browser connects to them.

Retention

• Final signature receipts are stored for 365 days.
• OAuth state records are stored for up to 10 minutes.
• OAuth proof records are stored for up to 5 minutes unless used sooner.
• Payment proof records are stored for up to 24 hours unless used sooner.
• SMS proof records are stored for up to 10 minutes unless used sooner.
• Passkey challenges are stored for up to 5 minutes.
• Passkey proof records are stored for up to 10 minutes unless used sooner.
• Rate-limit records are stored only as long as needed to operate abuse protections.
• Local browser storage remains on your device until the app clears it, it expires, or you clear site storage yourself.

Third-party services

SignedByAHuman currently depends on third-party services for hosting, bot checks, payment processing, SMS verification, and optional sign-in. Their privacy terms also apply when you use those parts of the product.

• Cloudflare for hosting, infrastructure, and database services, plus the Cloudflare Turnstile Privacy Addendum for bot checks.
• Stripe for proof-of-payment checkout.
• Twilio for SMS verification.
• Google for Google sign-in and Google-hosted fonts, plus the Google Fonts privacy FAQ.
• Apple if Apple sign-in is used.

Your choices

• Do not sign private, confidential, or sensitive text.
• Use only the verification methods you want. Payment, OAuth, SMS, and passkeys are optional.
• Do not enable public disclosure of your email address, profile picture, or phone number unless you want those details shown on the public receipt.
• Clear your browser storage if you want to remove local draft or proof data from your device.