Privacy and trust

Privacy Policy

Policy Signoff is designed for policy compliance workflows where clear access, careful records, and accountable review history matter. This policy explains what information the application collects, how it is used, and how teams can manage it.

Last updated: June 26, 2026

Account information

Policy Signoff uses account information such as name, email address, sign-in details, account status, and last login activity to identify users and keep access tied to the right person.

Organization scope

Organization names, descriptions, memberships, roles, and invitations are used to separate each workspace and keep policies, people, and review activity connected to the correct organization.

Policy content

Administrators may create policy records, upload policy files, maintain versions, set review frequencies, and assign policies to users. Uploaded files may contain information supplied by the organization.

Policy review records

Assignments and acknowledgments are treated as compliance evidence. They may include the assigned user, policy version, due date, completion status, acknowledgment timestamp, IP address, and browser user agent.

Access controls

Application and organization roles are used to separate administrative work from employee review tasks, support organization-scoped access, and reduce unnecessary access to policy and user records.

Audit history

Created and modified timestamps, user identifiers, and audit entries help preserve accountability when records are added, changed, or removed.

Information Policy Signoff collects

Policy Signoff collects the information needed to run a policy review and attestation workspace. The information generally falls into the categories below.

  • Account details, including name, email address, username, account status, sign-in metadata, and authentication records.
  • Organization details, including organization name, description, membership, role, invitation email, invitation status, and acceptance history.
  • Policy records, including policy names, descriptions, review frequencies, uploaded files, file locations, version numbers, and current-version status.
  • Review records, including assignments, due dates, assigned users, acknowledgments, completion timestamps, IP address, and browser user agent.
  • Operational records, including email queue entries, audit logs, created-by and modified-by identifiers, timestamps, and background job activity.

How information is used

Policy Signoff uses collected information to operate the application, protect the workspace, and support compliance workflows. The application is intended to help administrators answer practical questions: which policy was assigned, who needed to review it, who acknowledged it, and what still needs follow-up.

  • Authenticate users, maintain sessions, protect forms, and enforce organization and role-based access.
  • Create and manage organizations, users, roles, invitations, policies, versions, assignments, and acknowledgments.
  • Send invitations, assignment notices, due-soon reminders, overdue notices, and administrative summaries.
  • Generate status views for pending, overdue, completed, and organization-wide review activity.
  • Maintain audit history, troubleshoot issues, prevent misuse, and support security and administrative reviews.

Policy files and submitted content

Policy files uploaded by administrators are stored so users can review the correct version and so acknowledgments can remain tied to the policy version that was assigned.

  • Files are stored in private blob storage and accessed through application-controlled workflows.
  • Temporary read links may be generated so authorized users can view policy documents.
  • The organization controls the content of uploaded policy files and should avoid placing unnecessary personal information in those documents.

Sharing and service providers

Policy Signoff does not sell personal information. Information may be processed by service providers that help deliver the application and by administrators inside the user's organization.

  • Authorized organization administrators may view user, policy, assignment, acknowledgment, and status information for their workspace.
  • Email providers may process recipient addresses, subjects, and message bodies for invitations and policy workflow notifications.
  • Storage and hosting providers may process application data, policy files, logs, and related operational metadata.
  • Billing providers may receive account and checkout information when a payment or subscription workflow is enabled.
  • Information may be disclosed when required to comply with law, protect rights and security, or investigate suspected abuse.

Retention and security

Policy Signoff keeps records for as long as they are needed to provide the application, preserve compliance evidence, support audits, resolve issues, and meet legal or contractual obligations.

  • Compliance records may be retained after an assignment is completed because acknowledgments and audit history can be needed as evidence.
  • Identity cookies are HTTP-only and marked essential; form protection and session cookies support sign-in security and organization context.
  • Access controls, private file storage, authentication, authorization checks, and audit history help protect data from unauthorized use.
  • No system can guarantee absolute security, so users should protect their credentials and administrators should assign roles carefully.

Choices and requests

Users can update profile names in Policy Signoff, and organization administrators can manage organization membership, invitations, roles, policies, and assignments. Requests to access, correct, export, deactivate, or delete information should be directed to the organization administrator or application owner responsible for the workspace.

  • Some records may not be removed immediately if they are needed for security, audit, legal, backup, or compliance purposes.
  • Deleting or changing policy records may affect the ability to prove past acknowledgments, so administrators should consider retention requirements before making changes.
  • Policy Signoff is intended for organizational use and is not directed to children.

Cookies

Policy Signoff uses necessary cookies for sign-in, security, antiforgery protection, session state, organization context, and cookie preference storage. Optional cookie categories can be accepted, rejected, or changed at any time.

Policy Signoff does not currently use advertising or analytics cookies. Cookie preference controls are available in case optional categories are added later.

Policy changes

Policy Signoff may update this privacy policy as the application, service providers, or legal requirements change. Material updates should be reflected by revising the last updated date and, when appropriate, notifying affected users or administrators.