Privacy Policy
Last updated: 12 March 2026
1. Who we are
CounterSign is a document signing service operated by OpenKit Ltd, a company registered in England and Wales.
- Registered address: Portland House, Belmont Business Park, Belmont, Durham, England, DH1 1TW
- Company number: 13030838
- Website: openkit.co.uk
- Contact: hello@openkit.ai
For the purposes of UK data protection law, OpenKit Ltd is the data controller for the personal data we collect through the CounterSign platform, and a data processor when processing document content on behalf of our users.
2. What data we collect
2.1 Data provided by proposal creators
- Proposal title, sender name, and company
- Participant details: name, email address, company, and role
- PDF documents and supporting attachments
- Messages and comments on proposals
2.2 Data collected from signers and participants
- Signature data: drawn, typed, or uploaded signatures
- Form field values: any data entered into document fields
- IP address: collected automatically when you view or sign a document
- User agent: browser and device information
- Timestamps: when you viewed, signed, or interacted with a document
- Messages: any comments or messages you post
2.3 Data we generate
- Unique access tokens for secure document links
- Audit trail events (viewing, signing, delegating, commenting)
- Signed PDF documents with an embedded audit page
3. Why we collect this data
| Purpose | Lawful basis (UK GDPR) |
|---|---|
| Providing the signing service | Contract performance (Art. 6(1)(b)) |
| Sending email notifications and signed copies | Contract performance |
| Recording IP addresses and timestamps in audit trails | Legitimate interests (Art. 6(1)(f)) — legal validity and fraud prevention |
| Maintaining security and preventing abuse | Legitimate interests |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
We do not use your data for advertising, profiling, automated decision-making, or any purpose other than providing the signing service and maintaining its legal integrity.
4. Who we share data with
We share personal data only with the following sub-processors, strictly for the purposes described:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Application hosting, database (D1), file storage (R2), admin authentication (Access) | Global edge network (US & EU data centres) |
| Resend, Inc. | Email delivery (invitations, notifications, signed document copies) | United States (AWS infrastructure) |
We do not sell, rent, or trade your personal data. We do not share data with advertisers or marketing platforms.
5. International data transfers
Your data may be processed in the United States and European Union through our infrastructure providers. These transfers are protected by:
- Cloudflare: Data Processing Addendum incorporating EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA)
- Resend: Standard Contractual Clauses for EU/UK data transfers
Cloudflare maintains ISO 27001, ISO 27701, ISO 27018, and SOC 2 Type II certifications, and is certified under the European Cloud Code of Conduct.
6. How long we keep your data
| Data type | Retention period |
|---|---|
| Signed documents and audit trails | Duration of the agreement plus 7 years (to cover limitation periods for contract claims under the Limitation Act 1980) |
| Unsigned or expired proposals | 90 days after expiry, then deleted |
| IP addresses and user agent data | Same as the associated document (part of the audit trail) |
| Email notification logs | Retained by Resend per their retention policy |
7. Your rights
Under UK GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data (subject to our legal retention obligations)
- Restrict processing
- Port your data to another service
- Object to processing based on legitimate interests
To exercise any of these rights, contact us at hello@openkit.ai. We will respond within 30 days.
Note for signers: If you received a document to sign through CounterSign, the proposal creator is the data controller for that document's content. For questions about why you received a document or how your data is used within it, please contact the person or organisation who sent it to you. For questions about CounterSign's platform processing, contact us directly.
8. Security
- All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Documents accessible only via unique, unguessable tokens
- Admin dashboard protected by Cloudflare Access (zero-trust authentication)
- No passwords stored — authentication via identity provider
- Infrastructure protected by Cloudflare's DDoS mitigation and WAF
9. Cookies
CounterSign does not use cookies for tracking, analytics, or advertising. The only cookies that may be set are essential technical cookies required by Cloudflare for security and performance (such as the __cf_bm bot management cookie). These are strictly necessary and do not require consent under the Privacy and Electronic Communications Regulations (PECR).
10. Children
CounterSign is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children.
11. Changes to this policy
We may update this privacy policy from time to time. Material changes will be indicated by updating the "Last updated" date above. Continued use of CounterSign after changes constitutes acceptance of the updated policy.
12. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
We encourage you to contact us first at hello@openkit.ai so we can try to resolve your concern.