Privacy Policy for Digital Signature Users

1. Confirmation of Global Applicability

This Privacy Policy for Digital Signature Users (the "Policy") is intended to apply globally to all individuals whose personal data is processed in connection with electronic signature transactions performed using Doctavian and/or Maven Mule’s electronic signature services ("Services"), regardless of their country of residence or location at the time of signing.

This Policy is drafted primarily to comply with:

• Regulation (EU) No 910/2014 (eIDAS)
• Regulation (EU) 2016/679 (GDPR)
• Comparable electronic signature, data protection, and record-retention laws in other jurisdictions.

Where local mandatory laws grant additional rights or impose stricter obligations (e.g., certain U.S. state laws, California CPRA, or similar), those local requirements will apply in addition to this Policy. Nothing in this Policy is intended to limit non-waivable statutory rights.

2. Controller Identity

Maven Mule Ltd ("Maven Mule", "we", "us", "our") acts as a Data Controller for personal data processed in connection with the provision of the Services.

Where Maven Mule processes personal data strictly on behalf of a customer (e.g., enterprise sender of documents), Maven Mule may act as a data processor, and the customer acts as the data controller.

Maven Mule Ltd

Registered address: Borovci 15, Zagreb, Croatia

Contact email (privacy): security@mavenmule.com

3. Scope and Data Subjects

This Policy applies to all individuals whose personal data is processed by Maven Mule in connection with the use of its electronic signature Services, regardless of their relationship with Maven Mule.

This includes, without limitation, individuals participating in an electronic signature transaction, such as:

• document signers
• document senders
• witnesses or observers
• approvers or reviewers
• other transaction participants identified in a signing workflow.

This Policy applies only to the processing of personal data in the context of electronic signature transactions. It does not apply to the processing of personal data by Maven Mule in other contexts, including:

• employment, student, or contractor relationships
• visits to Maven Mule’s physical offices
• general use of Maven Mule’s websites outside the context of a signing transaction.

4. Categories of Personal Data Processed

Depending on the configuration of the signing workflow, we may process the following categories of personal data:

4.1 Identity and contact data

• full name
• email address
• phone number
• user or account identifiers

4.2 Authentication and verification data

• authentication method used (e.g., email verification, SMS/OTP, identity provider login, certificate-based authentication)
• government-issued electronic identity identifiers (where applicable)
• certificate identifiers and issuing authority (for certificate-based signatures, where applicable)

4.3 Transaction and audit data

• document identifiers and versions
• timestamps (UTC)
• IP address
• device and browser metadata
• geolocation derived from IP (where enabled)
• audit trail entries describing signing actions.

4.4 Cryptographic and signature data

• electronic signature values and related cryptographic data

We do not intentionally process special categories of personal data unless such data is included in a document uploaded by a customer.

5. Purposes of Processing

We process personal data for the following purposes:

• enabling electronic signature transactions and electronic records
• verifying identity and intent of signers
• generating legally binding signatures under applicable law
• creating and maintaining an audit trail for evidentiary purposes
• ensuring integrity, authenticity, and non-repudiation of signed records
• complying with legal, regulatory, and contractual obligations
• preventing fraud, misuse, or security incidents
• providing customer support and dispute resolution.

6. Legal Bases for Processing (GDPR)

Where GDPR applies, personal data is processed based on one or more of the following legal grounds:

• Performance of a contract - providing the requested electronic signature services 
• Legitimate interests - security, fraud prevention, auditability, and evidentiary integrity
• Legal obligation - retention of records where required by applicable law
• Consent - where explicitly required for a specific authentication method or by applicable local law.

7. Recipients of Personal Data

Personal data may be disclosed to:

• the sender of the document and other transaction participants
• trust service providers such as certificate authorities or timestamp authorities, where applicable,
• identity verification providers (where enabled)
• hosting and infrastructure providers
• professional advisers or authorities where legally required.

All recipients are bound by contractual confidentiality and data protection obligations.

8. International Data Transfers

Personal data may be processed or stored outside the country of the data subject.

Where personal data of EU/EEA data subjects is transferred outside the EU/EEA, we rely on appropriate safeguards, such as:

• adequacy decisions;
• standard contractual clauses;
• equivalent lawful transfer mechanisms.

9. Data Retention

Signed documents, audit trails, and related metadata are retained:

• for the duration required to fulfil contractual purposes
• for statutory retention periods applicable to electronic signatures and records
• or until a valid deletion request is received, unless retention is legally required.

Retention periods may vary depending on document type, jurisdiction, and customer configuration.

Retention schedules are defined internally and may be aligned with industry standards and evidentiary best practices.

10. Security Measures

We implement technical and organizational measures designed to protect personal data, including:

• cryptographic protection of signed records
• secure transmission (TLS)
• access controls and logging
• key management practices
• regular security monitoring.

No electronic system is completely secure; therefore, residual risks cannot be entirely eliminated.

11. Data Subject Rights

Subject to applicable law, data subjects may have the right to:

• access their personal data
• rectification
• erasure
• restriction of processing
• data portability
• object to processing
• complain to a supervisory authority.

Certain rights may be limited where retention is required for legal or evidentiary purposes.

12. Exercising Your Rights

Requests may be submitted to: security@mavenmule.com

We may require reasonable verification of identity before responding.

13. Changes to This Policy

We may update this Policy from time to time. The effective date will be indicated above. Continued use of the Services after an update constitutes acknowledgment of the revised Policy.