Privacy Policy

Last updated: April 2026

This policy applies to all users of DZ Sign and is compliant with Algerian Law n° 18-07 of June 10, 2018 on the protection of personal data.

1. Data Controller

The data controller is DZ Sign SaaS, a company incorporated under Algerian law, operating the platform accessible at signdz.com. Contact for data matters: [email protected]

2. Data We Collect

We collect the following categories of personal data:

Account data

Full name, email address, phone number
Company name, country
Hashed password (bcrypt — never stored in plaintext)
Account creation date

Signature & document data

PDF documents uploaded by users
Signatory names and email addresses
Signature images (stored encrypted)
OTP validation logs (hash only, not the OTP itself)
SHA-256 document hashes
Timestamp Authority (TSA) tokens

Technical & audit data

IP addresses (at login and at signing)
Browser user-agent strings
Session tokens (stored in memory only)
Audit event logs (timestamps, action types)

Billing data

Subscription plan and status
Invoice records (amount, date, payment method)
Stripe customer ID (if applicable — no card data stored by DZ Sign)

3. Purpose and Legal Basis

Purpose	Legal basis
Providing the electronic signature service	Performance of contract
Authenticating signatories (OTP)	Legitimate interest — legal validity
Generating and preserving audit trails	Legal obligation (Law 15-04)
Document retention (10 years)	Legal obligation
Sending transactional emails (OTP, notifications)	Performance of contract
Billing and invoicing	Performance of contract
Fraud detection and security	Legitimate interest
Platform analytics (anonymous)	Legitimate interest

4. Data Storage and Security

All data is stored on servers located in Algeria. We apply the following security measures:

Passwords hashed with bcrypt (cost factor 12)
All data in transit encrypted with TLS 1.2+
Documents stored in an encrypted object store (MinIO)
Database access restricted to authenticated application users
OTPs stored as HMAC-SHA256 hashes, never in plaintext
JWT session tokens with short expiry (60 minutes)
Daily automated backups retained for 7 days

5. Data Sharing

We do not sell or rent your personal data. Data may be shared only in these circumstances:

Between parties to a signature request — signatories receive the initiator's name and document title
Email delivery providers — for OTP and notification emails (email content only, no document data)
Stripe — for international payment processing (if applicable); DZ Sign does not store card numbers
Legal obligations — if required by Algerian judicial or administrative authorities

6. Data Retention Periods

Data type	Retention period
Account data	Duration of account + 3 years after deletion
Signed documents & audit trails	10 years minimum (Law 15-04)
OTP logs	30 days
IP / session logs	12 months
Billing invoices	10 years (accounting obligation)
Deleted documents	Immediately purged from storage

7. Your Rights

Under Algerian Law n° 18-07, you have the following rights regarding your personal data:

Right of access — obtain a copy of your personal data
Right of rectification — correct inaccurate data
Right of erasure — request deletion of your account and data (subject to legal retention obligations)
Right to data portability — export your documents and audit logs
Right to object — object to processing based on legitimate interest

To exercise these rights, contact: [email protected]. We will respond within 30 days.

8. Cookies

DZ Sign uses only strictly necessary cookies and local storage for session management and authentication tokens. No advertising or third-party tracking cookies are used.

9. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes via email or a banner on the platform. The "Last updated" date at the top of this page reflects the most recent revision.

10. Contact

Data Protection Officer (DPO): [email protected]
General inquiries: [email protected]