Privacy Policy

1. About Crystal Sign

Crystal Sign is an electronic signature and digital document workflow platform that enables individuals, enterprises, financial institutions, and government entities to prepare, send, approve, sign, verify, and manage documents securely.

If you have questions about this Privacy Policy, you may contact us at: privacy@crystalsign.com

2. Definitions

For the purposes of this Privacy Policy:

• Personal Data means any information relating to an identified or identifiable natural person.
• Processing means any operation performed on personal data, including collection, storage, use, transmission, or deletion.
• Data Subject means the person to whom personal data relates.
• Controller and Processor have the meanings assigned under applicable data protection laws, including the Kenya Data Protection Act, 2019.

3. Information We Collect

We collect only information necessary to deliver secure signing, identity verification, compliance evidence, and document workflow services.

3.1 Information You Provide

• Full name and user profile details
• Email address and phone number
• Organisation name, tenant name, department, or workspace details
• User roles, permissions, and access configuration
• Uploaded documents, annexes, attachments, and associated metadata
• Signatory details provided by senders (name, email, phone)
• Comments, approvals, rejection notes, and workflow messages
• Signature assets (signature image, initials, typed signature style)
• Requests submitted through support channels

3.2 Authentication and Verification Data

• One-Time Password (OTP) requests and verification logs
• OTP delivery channel (SMS, email, WhatsApp, Telegram)
• OTP attempt count, timestamps, and verification status
• Identity Verification (IDV/KYC) results where enabled (e.g., ID number validation, selfie checks, liveness checks, match score)

3.3 Technical and Usage Data

• IP address and approximate location (derived from IP)
• Device type, browser type, OS version
• Session identifiers and login history
• Timestamps, clickstream, and usage patterns
• System error logs and performance data
• API usage logs and integration metadata

3.4 Messaging Platform Data (WhatsApp/Telegram)

Where signing or notifications occur through messaging platforms, we may process:

• WhatsApp or Telegram identifier/phone number
• message delivery status
• message timestamps and workflow triggers

Crystal Sign does not request sensitive personal information via WhatsApp or Telegram beyond what is required for authentication and signing workflows.

4. How We Use Your Information

Crystal Sign processes personal data only for legitimate purposes consistent with secure document execution and compliance.

4.1 Provision of Services

• Create and manage user accounts and tenant environments
• Enable secure document upload, storage, and retrieval
• Generate signing envelopes and signature workflows
• Manage multi-signer and approval-based signing processes
• Apply electronic signatures, initials, and sealing mechanisms
• Generate and preserve audit trails and evidence packs
• Verify signed documents through authenticity checks and QR verification links

4.2 Security, Fraud Prevention, and Integrity

• Authenticate users and signers
• Prevent unauthorised access, impersonation, or document tampering
• Monitor suspicious activity and enforce security controls
• Ensure integrity through hashing, sealing, and verification services

4.3 Compliance and Legal Validity

• Maintain tamper-evident audit trails
• Generate compliance reports and system evidence packs
• Support legal admissibility and regulatory requirements
• Preserve records for legally required retention periods

4.4 Communications and Notifications

• Send signing invitations and reminders
• Send OTP verification codes
• Provide workflow updates (signed, declined, pending, completed)
• Provide administrative notifications and service announcements

4.5 Analytics and Service Improvement

• Analyse service performance and user experience
• Improve product features and reliability
• Identify adoption trends and system load patterns

5. Legal Basis for Processing

Where applicable, Crystal Sign processes personal data based on:

• Contractual necessity (to provide signing and workflow services)
• Consent (where required, such as OTP delivery and optional communications)
• Legitimate interests (fraud prevention, system security, service continuity)
• Legal obligations (audit evidence retention and compliance requirements)

6. Compliance with the Kenya Data Protection Act (2019)

Crystal Sign processes personal data in accordance with the Kenya Data Protection Act, 2019 (No. 24 of 2019). We apply privacy safeguards to ensure processing is lawful, fair, transparent, and secure.

In particular, Crystal Sign is committed to applying the principles of data protection, including:

• lawful and fair processing
• purpose limitation
• data minimisation
• accuracy
• storage limitation
• integrity and confidentiality
• accountability

Crystal Sign also supports the rights of data subjects, including the right to be informed, access, objection, correction, and deletion of false or misleading data, subject to applicable legal and compliance obligations.

7. Data Sharing and Disclosure

Crystal Sign does not sell personal data. We may share personal data only under the following circumstances:

7.1 With Service Providers

We may share data with trusted third-party service providers necessary to operate Crystal Sign, including:

• cloud hosting and infrastructure providers
• object storage providers (for documents and evidence packs)
• email delivery services
• SMS gateway services
• WhatsApp Business API providers
• Telegram bot infrastructure providers
• identity verification (IDV/KYC) providers
• monitoring and analytics providers (security and reliability)

These service providers process data under contractual safeguards and only for authorised purposes.

7.2 With Tenant Organisations

If you sign or interact with a document under a tenant organisation (e.g., a bank, ministry, or company), that organisation may access workflow logs and evidence related to the transaction.

7.3 For Legal Requirements

We may disclose personal data if required by law, regulation, court order, or lawful request by competent authorities, or where disclosure is necessary to:

• prevent fraud or misuse
• protect the rights, property, and safety of Crystal Sign or users
• enforce contractual obligations

7.4 Business Transfers

If Crystal Sign undergoes a merger, acquisition, restructuring, or asset transfer, personal data may be transferred as part of the transaction subject to confidentiality and legal safeguards.

8. Multi-Tenant Security and Access Control

Crystal Sign operates as a multi-tenant platform. This means:

• tenant data is logically isolated
• users can only access documents they created, are assigned to, or are authorised to view
• access is governed through role-based permissions and tenant security policies
• administrative access is restricted and audited

Crystal Sign implements strict isolation controls to prevent unauthorised cross-tenant access.

9. Document Storage, Integrity and Evidence

Crystal Sign stores documents and signing records securely. The platform maintains:

• document hashing and integrity verification
• audit logs capturing user and signer actions
• timestamps and workflow state transitions
• evidence packs suitable for compliance and legal review

Documents may be sealed using cryptographic mechanisms to support non-repudiation and authenticity.

10. Data Retention

Crystal Sign retains personal data only as long as necessary to:

• provide the Service
• comply with contractual requirements
• meet legal and regulatory obligations
• preserve audit trails and evidence for enforceability

Retention periods may vary depending on tenant policies and document categories.

Some audit logs and signing evidence may be retained for extended periods due to compliance or legal requirements.

11. Cross-Border Transfers

Crystal Sign may store or process personal data in jurisdictions outside Kenya depending on hosting configuration and tenant settings.

Crystal Sign will only transfer personal data outside Kenya where appropriate safeguards are in place or where permitted under applicable law, including requirements under the Kenya Data Protection Act.

12. Security Measures

Crystal Sign applies appropriate technical and organisational safeguards to protect personal data, including:

• encryption in transit (TLS)
• encryption at rest for databases and document storage
• role-based access controls and least privilege principles
• audit logging and monitoring
• secure session and authentication controls
• integrity protection mechanisms (hashing, sealing, anchoring)

While no system is completely risk-free, Crystal Sign continuously improves its security controls and risk management processes.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in risk to the rights and freedoms of individuals, Crystal Sign will take appropriate measures, including notification to relevant authorities and affected parties where required by law, including the Kenya Data Protection Act.

14. Cookies and Tracking Technologies

Crystal Sign may use cookies or similar technologies to:

• maintain secure login sessions
• support system functionality and preferences
• improve user experience and performance monitoring

You may disable cookies in your browser settings; however, certain features of the Service may not function properly.

15. WhatsApp and Messaging Privacy

Crystal Sign may use WhatsApp Business messaging to deliver:

• OTP verification codes
• signing invitations and reminders
• secure signing links
• document status notifications

Message delivery is subject to Meta/WhatsApp platform policies. Crystal Sign does not request sensitive personal information via WhatsApp beyond what is required for authentication and signing workflows.

16. Your Rights

Subject to applicable law, you may have the right to:

• request access to your personal data
• request correction of inaccurate data
• request deletion of personal data (where legally permissible)
• object to processing
• request restriction of processing
• request portability of your data

Requests can be submitted to: privacy@crystalsign.com

Please note that deletion requests may be limited where retention is required for compliance, audit integrity, or legal enforceability.

17. Children's Privacy

Crystal Sign is not intended for use by children. We do not knowingly collect personal data from minors.

18. Changes to This Privacy Policy

We may update this Privacy Policy periodically. Updates will be published on this page with a revised “Last Updated” date.

If changes are significant, Crystal Sign may notify users through the Service or other appropriate communication channels.

19. Contact Information

For privacy-related inquiries, requests, or complaints, contact: