Last updated: 2026-04-19
Privacy Policy
Concord AI ("we", "us") provides contract automation and e-signature software for service businesses. This policy explains what personal information we collect, why, and the rights you have. It applies to concord.ai and all Concord AI-hosted workspaces.
1. Information we collect
- Account data: name, work email, hashed password, organization, role.
- Workspace content: contract templates, agreement drafts, client records, signature images, executed PDFs.
- Signing evidence: typed signer name, drawn signature, IP address, user-agent, timestamps, consent flags. This evidence is captured server-side and stored as immutable audit events (ESIGN/UETA).
- Usage telemetry: pages viewed, features used, error logs. Telemetry is aggregated and pseudonymized.
- We do NOT collect: SSN, payment card data, government IDs, biometrics, precise geolocation.
2. Lawful basis (GDPR)
We process personal data under: (a) contract — to provide the service to workspace owners; (b) legitimate interests — securing the platform and preventing abuse; (c) legal obligation — recordkeeping for ESIGN/UETA, IRS, HIPAA, and state insurance/financial rules; (d) consent — for optional marketing communications (you can withdraw at any time).
3. How we use information
- Operate the e-signature, audit, and approval workflows you initiate.
- Generate executed PDFs with embedded audit certificates.
- Send transactional emails (invites, signed copies, reminders) and security notices.
- Detect, investigate, and prevent fraud, abuse, and security incidents.
- Comply with legal obligations and respond to lawful requests.
We do not sell or rent personal information. We do not use customer workspace content to train AI models.
4. Sub-processors
A current list of sub-processors (cloud hosting, email delivery, error monitoring) is published at /trust and updated at least 30 days before any addition.
5. Data residency
Default region: US (us-east-1). EU residency available on request (eu-west-1). Data does not cross regions without explicit customer authorization.
6. Retention
- Active agreements: retained for the life of the workspace.
- Completed agreements: 7 years by default to satisfy IRS, HIPAA, and most state insurance/financial recordkeeping rules. Configurable per workspace.
- Deleted records: soft-deleted for 30 days, then permanently purged.
7. Your rights
Subject to applicable law (GDPR, CCPA/CPRA, others), you may request access, portability, correction, deletion, restriction, or objection. Email privacy@concordapp.ai from the address on file. We respond within statutory timeframes (typically 30 days). Identity verification is required before any data is released.
8. Security
TLS 1.2+ in transit, AES-256 at rest, multi-tenant isolation via PostgreSQL Row-Level Security, immutable audit logs, HaveIBeenPwned password screening, and least-privilege role-based access. Full controls matrix at /trust.
9. Children
Concord AI is not directed to children under 16, and we do not knowingly collect their data.
10. Changes
We will notify workspace owners by email at least 30 days before any material change. The "Last updated" date at the top reflects the current version.
11. Contact
- Privacy / DSR: privacy@concordapp.ai
- Security: security@concordapp.ai
- Compliance: compliance@concordapp.ai
This document is informational and does not constitute legal advice.