Back to Home

Privacy Policy

Last Updated: May 4, 2026

This Privacy Policy describes how Kovasign ("we," "us," or "our") collects, uses, and shares information when you use our website, applications, and services (collectively, the "Services").

Kovasign is a product of Low Latency Labs, the trading name of Quantum Infinity Pte. Ltd. (a company incorporated in Singapore). References to "Kovasign," "we," "us," or "our" in this Policy refer to Quantum Infinity Pte. Ltd. trading as Low Latency Labs, which is the data controller of personal data processed in connection with the Services.

By using our Services, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

Information You Provide

  • Account Information: Name, email address, password, and other registration details
  • Business Information: Company name, job title, and contact details you choose to provide
  • Payment Information: Billing details processed by our third-party payment providers
  • Documents and Content: Files you upload, create, or share through our Services
  • Signature Data: Electronic signatures and related verification information
  • Communications: Messages you send to us or through our Services

Information Collected Automatically

  • Device Information: Browser type, operating system, and device identifiers
  • Usage Information: How you interact with our Services, features used, and actions taken
  • Location Information: Approximate location derived from your IP address
  • Log Data: Access times, pages viewed, and referring URLs

Information from Other Sources

We may receive information about you from other sources, including business partners and publicly available sources, to supplement the information we collect.

2. How We Use Your Information

We use the information we collect to:

  • Provide Services: Deliver, maintain, and improve our Services
  • Process Transactions: Handle payments, signatures, and document processing
  • Communicate: Send service-related notices, respond to inquiries, and provide support
  • Personalize: Customize your experience and provide relevant content
  • Analyze: Understand how our Services are used and improve performance
  • Market: Send promotional communications (you can opt out anytime)
  • Display Advertisements: Show relevant ads on our free services
  • Protect: Detect and prevent fraud, abuse, and security threats
  • Comply: Meet legal obligations and enforce our terms

AI and Document Processing

Our Services use artificial intelligence to help generate documents and content. We do not use your documents to train AI models. AI-generated content may contain errors and should be reviewed before use.

3. How We Share Your Information

We may share your information with:

Service Providers

Third-party companies that help us operate our Services, including hosting and infrastructure providers, payment processors, analytics providers, technology providers, and customer support platforms.

Document Recipients

When you send documents for signature, recipients will see your name, email, and document content as necessary to complete the transaction.

Business Partners

We may share information with business partners for marketing purposes. You can opt out of marketing communications at any time.

Legal Requirements

We may disclose information when required by law, legal process, or government request, or to protect our rights, privacy, safety, or property.

Business Transfers

In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

With Your Consent

We may share information for other purposes with your consent.

Google Workspace Directory (optional integration)

Kovasign offers an optional Google Workspace directory integration that a workspace administrator can enable to populate their tenant's member list. This integration is strictly opt-in — Kovasign does not access any Google account, profile, or directory information unless and until a workspace administrator inside the customer's tenant explicitly clicks "Connect Google Workspace" in Kovasign Settings, completes the Google OAuth flow, and grants consent on Google's consent screen. Users who do not enable this integration are never subject to any Google Workspace data collection by Kovasign.

When (and only when) an administrator connects their Workspace, Kovasign requests the following Google API scope:

  • https://www.googleapis.com/auth/admin.directory.user.readonly — read-only access to the directory of users in the connecting administrator's Google Workspace

Using that scope, Kovasign calls admin.directory.users.list with projection: "basic" and reads four fields per Workspace user:

  • primaryEmail
  • name (full name)
  • id (Google's internal user ID)
  • suspended (whether the user is suspended in Workspace)

We do not request and do not store any other directory data — no group memberships, no organizational units, no custom-schema attributes, no profile photos, no phone numbers, and no addresses. We never call any write or delete endpoint on the Google Admin SDK, and we do not access any other Google service (Gmail, Drive, Calendar, Photos, etc.).

How we use this data. The four fields are written into Kovasign's tenant member directory so the connecting administrator can one-click invite Workspace colleagues to become Kovasign tenant members instead of typing each colleague's email address by hand. This is the sole purpose for which Workspace directory data is used.

Storage and security. Workspace directory data is stored encrypted at rest in Kovasign's database (Supabase Postgres) and is accessible only to the tenant whose administrator initiated the connection, enforced by Postgres Row Level Security policies. We do not transfer Workspace directory data to any third party, and we do not use it for advertising. Kovasign does not use Workspace directory data, or any other Google user data, to develop, improve, or train artificial-intelligence or machine-learning models.

Retention and deletion. Kovasign retains the directory data only for the lifetime of the active integration. The data is deleted when (a) the connecting administrator disconnects the integration in Kovasign Settings, (b) the user revokes Kovasign's access via https://myaccount.google.com/permissions, or (c) the tenant account is closed.

Limited Use compliance. Kovasign's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Sign with Singpass (Singapore)

If you or a recipient choose to sign a document using Sign with Singpass, Kovasign uses Singpass as a sub-processor solely to carry out that signature. Singpass is operated by the Government Technology Agency of Singapore ("GovTech"). This sharing only happens when a sender marks a signature field as requiring Singpass and a signer voluntarily authenticates with their Singpass app to sign — it does not happen for any other signing method.

To complete a Sign with Singpass signature, Kovasign transmits the following to Singpass:

  • The full PDF document to be signed (Singpass receives the entire document body, not just a hash, because Singpass — not Kovasign — applies the signature to the file)
  • The recipient's name and email address, so Singpass can match the request to the signer's identity
  • The placement coordinates (page and position) where the signature should appear

Once the signer authenticates and approves, Singpass returns the following to Kovasign:

  • The signed PDF
  • The signer's name as recorded with Singpass
  • A partial UINFIN/NRIC (for example, "S****567A") — Singpass does not disclose the full identification number to Kovasign
  • The timestamp of the signature and signing certificate metadata

Kovasign retains the signer-information artefacts (signer name, partial UINFIN/NRIC, signing timestamp, and signing certificate metadata) as part of the signing audit trail for the lifetime of the document, so that the signature can later be verified or produced as evidence. Singpass's own retention of personal data it processes is governed by GovTech's policies, available at https://www.singpass.gov.sg/main/privacy-statement.

PDPA and cross-border transfers. For Singapore signers, Singpass's processing is governed by Singapore's Personal Data Protection Act (PDPA) and the Public Sector (Governance) Act. If you are a sender located outside Singapore and you send a document to a Singapore signer who chooses Sign with Singpass, you are responsible for ensuring that transferring the document and the recipient's contact details to Singpass is permitted under the data protection laws applicable to you.

Choice and alternatives. Sign with Singpass is opt-in on a per-field basis. Senders choose which signature fields require Singpass; signers always have the choice of whether to authenticate with Singpass when they encounter such a field. Signing with Singpass requires the signer's consent in the Singpass app — Kovasign cannot complete a Sign with Singpass signature on a signer's behalf. Where Singpass is not required by the sender, signers may use Kovasign's standard electronic signing options instead.

WhatsApp signing notifications (optional channel)

If a sender chooses to deliver a signing request via WhatsApp — instead of, or in addition to, email — Kovasign uses the WhatsApp Business Platform (Cloud API), operated by WhatsApp LLC and its affiliates within the Meta Platforms, Inc. group of companies ("Meta"), as a sub-processor to deliver that notification. This sharing only happens when a sender explicitly selects the WhatsApp channel for a recipient on a specific document — it does not happen for recipients delivered by email only.

WhatsApp signing notifications are transactional messages sent within an existing business or professional relationship between the sender and the recipient — for example, a lawyer sending a contract to a client they already represent, or a service provider sending a signing request to a customer they are already working with. The recipient's phone number is supplied to Kovasign by the sender, who obtained it from the recipient in the ordinary course of that relationship. Kovasign does not collect phone numbers directly from recipients and does not maintain a recipient-facing subscription or opt-in flow; Kovasign acts as a service provider that delivers the sender's transactional message on the sender's behalf.

Before a signing request is sent via WhatsApp, Kovasign requires the sender to confirm in-product that they are authorised to contact each recipient regarding the document. By "authorised," Kovasign means that the sender has a lawful basis to message the recipient at that phone number — typically because the recipient provided the number to the sender in the ordinary course of an existing business or professional relationship and would reasonably expect to receive transactional communications from the sender at that number, consistent with WhatsApp's Business Messaging Policy and any laws applicable to the sender. The sender, not Kovasign, holds the underlying relationship with the recipient and is responsible for ensuring this confirmation is accurate. Kovasign relies on this confirmation as the basis for transmitting the recipient's phone number to Meta for delivery, and records the confirmation (date, time, IP address, and the user who confirmed) as part of the document's audit trail.

To deliver a WhatsApp signing notification, Kovasign transmits the following to Meta:

  • The recipient's WhatsApp phone number in international (E.164) format
  • The recipient's display name, the sender's display name, the document title, the document expiry date, and a unique signing link — populated as variables in a pre-approved WhatsApp message template (template category: UTILITY)
  • The information necessary for Meta to address, deliver, and report on the message (template name, language, account identifiers)

Kovasign does not transmit the body of the document, signature images, or other signed-document content to Meta over WhatsApp. The recipient signs the document on Kovasign's web application after they click the signing link in the WhatsApp message.

From Meta, Kovasign receives the following:

  • Message delivery status events (sent, delivered, read, failed) and the associated failure reason where applicable
  • Inbound replies from the recipient, including any "STOP", "UNSUBSCRIBE", or equivalent opt-out message the recipient sends to the sender's WhatsApp business number

Opt-out. A recipient may opt out of further WhatsApp signing notifications at any time by replying STOP, UNSUBSCRIBE, or "opt out" to the WhatsApp message they received from Kovasign's business number. Kovasign records the opt-out against the recipient's phone number and will not send further WhatsApp signing notifications to that number on behalf of any sender on the platform. A recipient may also ask the sender directly to be removed; if a sender notifies Kovasign of an opt-out request, Kovasign will record it against the recipient's phone number on the same basis. Opt-out from WhatsApp does not affect a recipient's ability to be reached by email if the document also has an email delivery channel.

Retention. Kovasign retains a per-message delivery record (recipient phone number, template name, send timestamp, Meta-issued message ID, and the latest delivery status) for the lifetime of the associated document, so the sender can see whether the signing request was successfully delivered and so opt-out and abuse-prevention controls can be enforced. Meta's own retention of WhatsApp messages and metadata is governed by Meta's policies — see WhatsApp Business Messaging Policy and WhatsApp Privacy Policy.

Cross-border transfers. WhatsApp delivery infrastructure is operated globally; transmitting a recipient's phone number and the template variables to Meta will, in the ordinary course, involve transfers outside Singapore and outside the recipient's country of residence. If you are a sender, you are responsible for ensuring that you have a lawful basis under the data protection laws applicable to you (including, where applicable, Singapore's PDPA, the EU/UK GDPR, and applicable US state laws) to transfer the recipient's phone number and identifying information to Meta for delivery.

Choice and alternatives. The WhatsApp channel is opt-in on a per-recipient basis. Senders choose whether each recipient is contacted by email, WhatsApp, or both. Recipients can sign documents using Kovasign's standard email-based flow without ever receiving a WhatsApp message.

We do not sell your personal information.

4. Data Retention

We retain your information for as long as your account is active or as needed to provide our Services.

  • Account Data: Retained while your account remains active
  • Signed Documents: Retained as long as needed to provide the service and comply with legal requirements
  • Temporary Files: Files processed through our PDF tools are deleted after processing

After account termination, we may retain certain information for a reasonable period to allow data export, comply with legal obligations, resolve disputes, and enforce our agreements.

5. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information:

  • Access: Request access to your personal information
  • Correction: Request correction of inaccurate information
  • Deletion: Request deletion of your information, subject to legal requirements
  • Portability: Request a copy of your data in a portable format
  • Objection: Object to certain processing of your information
  • Withdraw Consent: Withdraw consent where processing is based on consent

Marketing Communications

You can opt out of marketing emails by clicking the unsubscribe link in any promotional message or updating your account preferences.

Cookies

You can manage cookie preferences through your browser settings. See our Cookie Policy for more details.

To exercise your rights, contact us at [email protected].

6. Cookies and Tracking

We use cookies and similar technologies to operate our Services, remember your preferences, analyze usage, and display advertisements.

Types of Cookies

  • Essential: Necessary for the Services to function
  • Analytics: Help us understand how you use our Services
  • Advertising: Used to display relevant advertisements on our free services

Paid subscribers do not see advertisements within the Kovasign application.

You can manage cookie preferences through your browser settings or our cookie controls where available.

7. Security

We implement security measures designed to protect your information from unauthorized access, loss, or misuse. However, no method of transmission or storage is completely secure. We cannot guarantee absolute security.

You are responsible for maintaining the confidentiality of your account credentials and for any activity under your account.

8. International Users

Our Services are operated from various locations. By using our Services, you consent to the transfer and processing of your information in locations where data protection laws may differ from your jurisdiction.

We respect applicable data protection laws and implement appropriate safeguards for international transfers.

9. Children's Privacy

Our Services are not intended for children under 18. We do not knowingly collect personal information from children under 18. If we learn we have collected such information, we will delete it promptly.

10. Third-Party Links

Our Services may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Your continued use of our Services after changes constitutes acceptance of the updated policy.

For material changes, we may provide additional notice as appropriate.

12. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

Email: [email protected]

Region-Specific Information

For Users in the European Economic Area (EEA)

We process your personal data based on:

  • Performance of our contract with you
  • Your consent
  • Our legitimate business interests
  • Compliance with legal obligations

You have the right to lodge a complaint with your local data protection authority.

For Users in California

Under California law, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the sale of personal information (we do not sell personal information)
  • Non-discrimination for exercising your privacy rights

To submit a request, contact us at [email protected].

Privacy Policy - Kovasign | Kovasign