Legal

Privacy Policy

How TQSign collects, uses, and protects your personal data. We are committed to transparency and compliance with UK GDPR.

Last updated: 1 June 2026

1. Who We Are

TQSign is a product of TQ Consult Ltd (“we”, “us”, “our”), a company registered in England and Wales. We are the data controller for personal data processed through the TQSign platform.

For any privacy-related queries, please contact us at hello@tqconsult.co.uk.

2. Data We Collect

We collect and process the following categories of personal data:

  • Account holders (administrators): full name, email address, firm name, password (hashed — never stored in plain text), and account preferences.
  • Signers: full name and email address provided by the account holder when creating a signing invitation.
  • Technical data: IP address, browser user agent, and device type — collected at the time a signing link is accessed, a document is signed, or a download is initiated. This data forms part of the legally required audit trail.
  • Document content: uploaded files, placed signature fields, and captured electronic signatures (drawn, typed, or uploaded images). Documents are stored securely and only accessible to the account holder and designated signers. Administrators may permanently delete any document at any time — deletion removes the file, all captured signatures, and associated signer data from our servers.
  • Audit events: timestamped records of every action taken on a document (created, sent, viewed, signed, downloaded, voided).

We do not collect payment card data. We do not use third-party analytics trackers. We do not place advertising cookies.

3. How We Use Your Data

We use personal data for the following purposes:

  • To provide and operate the TQSign electronic signature service.
  • To authenticate account holders and grant secure access to signers via tokenised links.
  • To deliver signing invitation emails and completion notifications.
  • To maintain tamper-evident audit trails appended to completed documents, as required by UK ECA 2000 and eIDAS.
  • To respond to support requests or enquiries.
  • To detect and prevent fraud or abuse of the platform.

Our legal basis for processing is contract performance (to deliver the service you have signed up for) and legitimate interests (security, fraud prevention, and maintaining audit logs required by law).

4. Data Sharing

We do not sell or rent your personal data. We share data only with the following categories of third parties, strictly to deliver the service:

  • Supabase (database and file storage): your documents and account data are stored in a Supabase PostgreSQL database and object storage, hosted on AWS infrastructure in the EU/UK region.
  • Resend (email delivery): we use Resend to send signing invitation and notification emails. Recipient email addresses are transmitted to Resend solely for this purpose.
  • Vercel (application hosting): the TQSign application is deployed on Vercel's edge network. Vercel processes request data as part of serving the platform.

All sub-processors are contractually bound to handle personal data in accordance with UK GDPR.

5. Data Retention

We retain personal data for as long as necessary to provide the service and comply with legal obligations:

  • Active documents: stored for the duration of your account or until you delete them.
  • Completed signed documents: retained to support any future legal dispute regarding the signature. We recommend downloading and archiving your own copies.
  • Audit logs: retained for a minimum of 7 years to meet e-signature legal compliance requirements.
  • Account data: deleted within 30 days of account closure upon request.

6. Your Rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Rectification of inaccurate data.
  • Erasure (“right to be forgotten”) — subject to legal retention obligations.
  • Restriction of processing in certain circumstances.
  • Data portability — receive your data in a structured, machine-readable format.
  • Object to processing based on legitimate interests.

To exercise any of these rights, email us at hello@tqconsult.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

7. Cookies

TQSign uses only the cookies strictly necessary to operate the service:

  • Session cookie: stores your admin login session. Expires when you close your browser or after 30 days if “Remember me” is selected.
  • CSRF token: protects form submissions from cross-site request forgery. Session-scoped.

We do not use advertising, tracking, or analytics cookies.

8. Security

We take the security of your data seriously. Measures in place include:

  • All data transmitted over TLS 1.2+ (HTTPS).
  • Passwords hashed using bcrypt with a cost factor of 12 or higher.
  • Document files stored in private cloud storage — never publicly accessible.
  • SHA-256 integrity hash computed for every uploaded and signed document.
  • Signing links are single-use UUID tokens that expire after a configurable period.
  • Row-level security on the database preventing cross-account data access.
  • Encryption at rest: document files and all database records are encrypted at rest using AES-256. Signer names and email addresses receive additional application-level field encryption (AES-256-GCM), with the encryption key held separately from the database.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify account holders of material changes by email. The “Last updated” date at the top of this page always reflects the most recent revision. Continued use of TQSign after the effective date constitutes acceptance of the updated policy.