This Privacy Policy explains how Esigen collects, uses, discloses, stores, and protects personal data in connection with the Esigen platform, including the website, desktop application, signature generator functionality, and hosted viewer pages (collectively, the “Service”). It is written primarily for compliance with Turkiye’s Law No. 6698 on the Protection of Personal Data (KVKK) and also addresses other privacy laws that may apply depending on your location and relationship to the Service.

Where you access or purchase the Service through the Apple App Store or the Microsoft Store, Apple Inc. or Microsoft Corporation (as applicable) may process certain personal data as independent data controllers (for example, for application distribution, billing, fraud prevention, and device or account security). Such processing is governed by the applicable Marketplace’s own terms and privacy practices, and Esigen does not control that processing.

1. Scope and Who This Policy Applies To

This Policy applies to personal data processed in connection with:

  • Company Administrators and other Authorized Users who access the admin/generator area;
  • Employee/Personnel data uploaded by companies for signature creation and hosting;
  • Public Viewers who access hosted viewer pages to view/copy/download signatures;
  • Visitors to www.esigen.com and users of our desktop application and related support channels.

2. Key Roles and Terminology

For clarity:

  • “Customer” means the company (or entity) operating a Company Account under a paid subscription.
  • “Company Administrator” means an Authorized User with administrative controls.
  • “Public Viewer” means a person accessing a signature viewer page.
  • “Customer Data” includes employee details, signature configurations, and media assets uploaded by the Customer.
  • “Employee Data” means personal data about employees/personnel uploaded by a Customer.

3. High-Importance Notice About Viewer Pages

The Service enables Customers to host signature content and related assets on viewer pages that may be public or password-protected, at the Customer’s choice.

  • If a Customer configures viewer pages as public, personal data displayed on those pages (e.g., name, email, phone, title, links, QR/vCard) may be accessible to anyone who has the link and may be forwarded by recipients.
  • Esigen provides technical controls (including password protection), but the Customer decides what is displayed and whether access is restricted.

4. Data Controller vs Data Processor (Critical Allocation)

4.1 When Esigen is Data Controller.

Esigen acts as a data controller for:

  • Account registration and authentication data for Admin users;
  • Billing and subscription administration (including invoices, transaction references);
  • Security logs, abuse prevention records, and operational diagnostics;
  • Customer support communications.

4.2 When Esigen is Data Processor.

For Employee Data uploaded by Customers to generate and host signatures, Esigen generally acts as the Customer’s data processor (the Customer remains the data controller).

In that case:

  • Esigen processes Employee Data only to provide the Service under the Customer’s instructions (as expressed through platform configuration and administrator actions).
  • If you are an employee whose data appears in a signature, your primary contact for rights/requests is typically your employer (the Customer). We address this in Section 19.

5. Categories of Personal Data We Process

Depending on your role and how the Service is used, we may process:

5.1 Admin / Authorized User Data

  • Name, email, login credentials (hashed), role/permissions, company association
  • Account settings, security events, audit-like events (e.g., logins, IP, timestamps)

5.2 Employee Data (Provided by Customers)

  • Name, job title, department, phone number, email address
  • Office address, website, social links
  • Any other fields the Customer chooses to include in a signature profile

5.3 Media and Brand Assets

  • Headshots, logos, banners, icons, images uploaded by Customers
  • Signature layout selections, fonts, colors, and design configurations

5.4 Signature-Related Technical Data

  • Signature HTML, image exports (PNG/JPEG), generated QR codes and vCard data
  • Viewer page configuration (public vs password-protected)

5.5 Billing and Administrative Data

  • Billing contact emails, billing details, subscription plan/status
  • Payment metadata/transaction references via payment provider
  • We do not store payment card numbers.

5.6 Usage, Device, and Log Data

  • IP addresses, browser/device metadata, access timestamps
  • Error logs, performance metrics, security events

6. Sources of Personal Data

We collect personal data from:

  • You (e.g., account registration, support messages);
  • Customers (e.g., employee profiles, assets uploaded by Company Administrators);
  • Automatic collection from devices and systems when you use the Service (logs, analytics);
  • Payment provider / marketplace signals (transaction references and status, not card numbers).

If you purchase subscriptions through the Apple App Store or the Microsoft Store, payment is processed by the applicable Marketplace. Esigen does not receive payment card numbers for Marketplace purchases and typically receives only purchase status, entitlement information, transaction identifiers, and related metadata necessary to activate and manage subscriptions.

For direct purchases made through the website or other direct sales channels, Esigen processes billing directly and may receive billing contact details and transaction information, but does not store full payment card numbers.

7. Purposes of Processing

We process personal data to:

  • Provide the Service (signature generation, configuration, exports, hosting/viewer pages)
  • Operate subscriptions, billing, and account administration
  • Authenticate users and manage access permissions
  • Secure the Service, prevent abuse, and investigate suspicious activity
  • Maintain reliability (debugging, performance monitoring, error diagnosis)
  • Provide customer support and communicate service-critical updates
  • Meet legal obligations (accounting/tax recordkeeping, lawful requests)

We do not sell personal data and do not use it for behavioral advertising.

8. Legal Bases for Processing (KVKK-Oriented)

Under KVKK, our processing relies on applicable conditions, including where relevant:

  • Explicit consent (where required, particularly for certain transfers/technologies)
  • Necessity for performance of a contract (e.g., operating the subscription and providing the Service)
  • Compliance with a legal obligation (e.g., tax/accounting requirements)
  • Establishment, exercise, or protection of a right (e.g., dispute handling)
  • Legitimate interests of Esigen (e.g., security, fraud prevention, service reliability), provided fundamental rights and freedoms are not harmed
  • For data that a person has made public, to the extent permitted under KVKK

Where other laws apply (e.g., GDPR), we generally rely on analogous bases (contract, legitimate interests, legal obligation, consent where required).

9. Special Categories of Personal Data

The Service is not designed to require or encourage Customers to upload special categories of data (e.g., health, religion, biometrics) except insofar as a headshot image may, in some jurisdictions, be treated as sensitive in context.

  • Customers should not upload special categories unless legally permitted and strictly necessary.
  • Where such data is processed, it must be handled under the stricter conditions required by applicable law (including KVKK Article 6 where applicable).

10. Public Viewers and Viewer Page Access Data

When a person accesses a Viewer Page, we may process:

  • IP address, device/browser metadata, access timestamps
  • Basic page interaction events (e.g., load performance, error events)

This data is used for security, operational integrity, and performance monitoring, not for advertising.

11. Cookies, SDKs, and Analytics (Google Analytics)

11.1 Website Analytics.

We use Google Analytics to understand usage trends, identify errors, and improve performance. Analytics are not used by Esigen for advertising targeting.

11.2 Cookies/Similar Technologies.

The Service may use cookies or similar technologies for:

  • Authentication and session security
  • Preferences and basic functionality
  • Analytics/performance measurement

Where consent is required by applicable law, we implement appropriate consent controls for the web experience.

11.3 Desktop Application Permissions and Diagnostics.

The desktop application may request limited system permissions strictly necessary to provide user-requested functionality, such as accessing files or images selected by the user for signature creation. Permission handling is governed by the operating system (macOS or Windows), and users may manage permissions through their device settings.

Esigen does not engage in cross-application tracking, advertising-based profiling, or mobile app tracking technologies.

12. Sharing and Disclosure of Personal Data

We may disclose personal data only as necessary for the purposes described above, including:

12.1 Service Providers (Sub-Processors / Vendors)

  • Hosting/Infrastructure: Contabo (VPS hosting provider)
  • Analytics: Google Analytics
  • Payments: Param

In addition to the vendors listed above, we may use crash diagnostics or performance monitoring tools to identify and fix app errors. Where used, such tools are configured for reliability and security purposes and not for advertising.

These providers process data under contractual and technical controls aligned to their role.

12.2 Legal and Safety Disclosures

We may disclose data if required by law, court order, or lawful governmental request, or to protect rights, safety, and integrity (e.g., investigating phishing/impersonation attempts).

12.3 Corporate Transactions

If Esigen is involved in a merger, acquisition, restructuring, or sale of assets, data may be transferred as part of that transaction subject to confidentiality and lawful safeguards.

13. International Data Transfers

Depending on infrastructure configuration and third-party providers, personal data may be transferred or accessed from outside Turkiye.

  • Where cross-border transfers occur, we will take steps intended to ensure transfers are handled in accordance with KVKK requirements (including mechanisms recognized under applicable rules, and obtaining explicit consent where required).
  • Customers should consider cross-border aspects when deciding what Employee Data to upload and whether to publish viewer pages publicly.

14. Data Security and Integrity Measures

We maintain administrative, technical, and organizational measures designed to protect personal data against unauthorized access, loss, misuse, or alteration, including (as appropriate):

  • Access controls and role-based permissions (Company Administrator controls)
  • Authentication safeguards and credential protection expectations
  • Monitoring for abuse and suspicious activity
  • System logging and error monitoring for reliability and incident response

No system can be guaranteed 100% secure; however, we aim to maintain security proportional to the nature of the Service and the risks involved.

15. Customer Responsibilities (Especially for Employee Data)

Because Customers decide what information appears in signatures and Viewer Pages, Customers are responsible for:

  • Providing legally compliant employee notices and obtaining required consents/authorizations
  • Ensuring employee details are accurate and not excessive for the intended purpose
  • Choosing whether Viewer Pages are public or password-protected
  • Managing administrator credentials and revoking access promptly for departed personnel

16. Data Retention (General Rule)

We retain personal data only for as long as reasonably necessary to fulfill the purposes described in this Policy, unless a longer period is required or permitted by law.

17. Deletion on Cancellation/Expiry and Residual Data

17.1 Customer-Controlled Deletion.

Company Administrators may delete employee records, signature projects, and assets within the Service.

17.2 Subscription Expiry/Cancellation.

When a Customer’s subscription expires or is cancelled, access to the desktop application designer screens and file manager functionality, as well as viewer hosting, may be disabled, and Customer Data is intended to be deleted as part of the Service shutdown process, subject to Section 17.3.

17.3 Residual and Mandatory Retention.

Limited residual copies may persist temporarily in technical systems (e.g., logs, security records, and continuity mechanisms) and will be overwritten or removed in the ordinary course, except where retention is legally required (e.g., invoices/transaction records for tax/accounting).

18. Data Subject Rights (KVKK)

Subject to conditions and exceptions under KVKK, individuals may have rights to:

  • Learn whether personal data is processed
  • Request information about processing
  • Learn the purpose of processing and whether the data is used accordingly
  • Know third parties to whom personal data is transferred (domestic/abroad)
  • Request correction of incomplete/incorrect data
  • Request deletion/destruction/anonymization where conditions are met
  • Request notification of correction/deletion to third parties to whom data was transferred
  • Object to outcomes against the person arising from analysis by exclusively automated systems (where applicable)
  • Request compensation for damages arising from unlawful processing

19. How to Exercise Rights (Employees vs Admin Users)

19.1 Admin Users / Direct Esigen Relationship.

If you are an admin/authorized user, you may submit requests to the contact email above. We may need to verify identity and authority before fulfilling a request.

19.2 Employees Whose Data Was Uploaded by a Company.

If your employer (or another Customer) uploaded your Employee Data into the Service, that Customer is typically the data controller. In most cases, your request should be directed to your employer first. Where we are able to assist as processor, we will do so upon the controller’s instructions and within technical limits.

19.3 Public Viewers.

Public Viewers can generally control their exposure by not sharing viewer links and by contacting the relevant Customer (the company) if they believe a signature page displays personal data unlawfully. We may also act on credible abuse reports (e.g., impersonation/phishing).

19.4 Account deletion requests.

Authorized Users may request deletion of their account by contacting us at the email above. Company accounts and Employee Data are controlled by the Customer (your employer/company) and deletion is typically handled by a Company Administrator or by the Customer instructing us.

20. Identity Verification and Authorized Requests

To protect personal data, we may:

  • Ask for information needed to verify identity (and, for company requests, authority)
  • Decline requests that are manifestly unfounded, excessive, or not legally required
  • Provide responses within legally required timelines or otherwise within a reasonable period

21. Children and Age Limitation

The Service is designed for business use. It is not intended for children, and we do not knowingly collect personal data from children without appropriate authorization. If you believe a child has provided personal data, contact us so we can take appropriate steps.

22. Changes to This Privacy Policy

We may update this Policy from time to time. The “Effective Date” indicates when the current version applies. If changes materially affect how we process personal data, we will use reasonable efforts to provide notice via the Service or email to administrative contacts.

23. Contact, Complaints, and Regulator

For privacy questions or KVKK requests, contact:
Esigen (Yunus OZTURK)
Address: Kazim Karabekir Mah. Varinlioglu Cad. Cilem Ap. No 39A / 7 Melikgazi / Kayseri 38070 Turkiye
Email: support@esigen.com

If you believe your personal data has been processed unlawfully, you may also have the right to lodge a complaint with the competent authority in Turkiye (including the Personal Data Protection Authority / Kurumu) subject to applicable procedures and timelines.