GDPR Notice

This addendum applies to residents of the European Economic Area (EEA), the United Kingdom, and Switzerland — and to anyone whose personal data is processed in the context of a Prosigns engagement governed by the GDPR or UK GDPR. It supplements our Privacy Policy with GDPR-specific rights, lawful bases, and contact paths.

For the purposes of GDPR / UK GDPR, Prosigns is the controller of personal data collected through prosigns.io and our marketing processes. Where we process personal data on behalf of a client as part of an engagement, we act as a processor; the client is the controller, and the relevant Data Processing Agreement (DPA) governs that processing.

We rely on the following lawful bases for processing personal data, depending on the activity:

• Legitimate interests (Art. 6(1)(f)). For B2B outreach to professional contacts, security and fraud prevention, and product analytics with privacy-respecting providers. We assess and document the balancing test for each legitimate-interests use.
• Consent (Art. 6(1)(a)). For non-essential cookies, marketing communications, and any processing where consent is the most appropriate basis. Consent can be withdrawn at any time.
• Contract (Art. 6(1)(b)). To respond to your inquiry, deliver a service you requested, or perform a contract with you or your organization.
• Legal obligation (Art. 6(1)(c)). To comply with applicable law, regulator requests, or court orders.

We do not rely on profiling for automated individual decision-making with legal or similarly significant effects. Any use of analytics or AI in our marketing operates as decision support to humans, not as autonomous decision-making.

You have the following rights under GDPR / UK GDPR:

• Access. Receive a copy of the personal data we hold about you.
• Rectification. Correct inaccurate or incomplete personal data.
• Erasure. Request deletion of personal data where we no longer have a lawful basis to process it.
• Restriction. Limit processing in specific circumstances (e.g., contested accuracy, processing without a lawful basis).
• Portability. Receive personal data you provided in a structured, commonly used, machine-readable format.
• Objection. Object to processing based on legitimate interests, including for direct marketing.
• Withdraw consent. Where processing is based on consent, withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
• Lodge a complaint. File a complaint with your local supervisory authority. We’d appreciate hearing from you first so we can address it directly.

Email [email protected] with:

• The right you wish to exercise.
• Enough information for us to verify your identity (we will request the minimum necessary).
• The email address or other identifier the data is linked to.

We respond within one month. For complex requests, the response period may be extended by up to two additional months; we will notify you within the first month if an extension is required. There is no charge for legitimate requests.

Personal data may be transferred to, processed in, and stored in countries outside the EEA, UK, or Switzerland — including the United States, where Prosigns is headquartered. Where we transfer personal data internationally, we rely on appropriate safeguards under Articles 44–49 GDPR / Chapter V UK GDPR, including the Standard Contractual Clauses (with the UK International Data Transfer Addendum where applicable), supplementary measures aligned to Schrems II guidance, and adequacy decisions where applicable. The current set of safeguards used per subprocessor is available on request.

We retain personal data only as long as necessary for the purposes for which it was collected, plus a reasonable period required by applicable legal, accounting, or reporting obligations. Marketing contacts who do not engage for 24 months are removed from active outreach and either retained in suppression-only state (to honor opt-outs) or deleted, depending on your preference.

Prosigns is not required to appoint a Data Protection Officer under Art. 37 GDPR. We have a dedicated privacy contact who acts as the point of contact for data subjects and supervisory authorities.

Email [email protected] or write to: Prosigns, Attn: Privacy, Dallas, Texas, United States.

If you are in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is maintained by the European Data Protection Board (edpb.europa.eu); the UK regulator is the Information Commissioner’s Office (ico.org.uk); the Swiss regulator is the Federal Data Protection and Information Commissioner (edoeb.admin.ch).