Inkless Privacy Policy

Last updated: 12/11/2025

This Privacy Policy explains how Inkless Ltd (“Inkless”, “we”, “us”, or “our”) collects, uses, shares, and protects your personal data when you:

visit our website at https://inkless.co.uk or related pages (the “Site”);
use our e-signature and document workflow services (the “Services”); or
interact with us in other ways (for example, by contacting support or receiving emails from us).

We are committed to protecting your privacy and handling your personal data fairly, lawfully, and transparently.

Important: This Policy is a general information notice and does not constitute legal advice. If you are using Inkless in a professional or regulated context, you should seek your own independent legal advice.

1. Who we are and how to contact us

Controller (for most activities described in this Policy):

Inkless Ltd
128 City Road
London
EC1V 2NX
United Kingdom

Email: legal@inkless.co.uk

When we decide why and how your personal data is processed (for example, for your account, billing, security logging, and our own analytics), we are the “controller” under UK data protection law.

When we process documents and signer data on behalf of our customers (for example, when one of our customers uploads a contract and sends it to you for signature), we usually act as a “processor” and our customer is the controller. See section 4 below.

If you have questions about this Policy or our data practices, you can contact us at legal@inkless.co.uk.

2. The personal data we collect

The personal data we collect depends on how you interact with Inkless. We may collect and process the following categories:

2.1 Data you provide directly

Account and profile data
Name, email address, password (hashed), job title, organisation name (if any), contact details such as phone numbers and billing address.
Billing and transaction data
Billing address, company details (where applicable), VAT number (if applicable), transaction records, and limited payment details handled via our payment processor (we do not store full card numbers).
Document and signing data
Names, email addresses, phone numbers and any other details you enter for recipients/signers; signatures, initials, ticked checkboxes, typed text, dates and other form fields you or signers complete.
Support and communications
Messages you send to us (for example, via support tickets or email), and information you provide when you respond to surveys or feedback forms.
Marketing preferences
Your choices about receiving product updates, newsletters, and marketing communications.

2.2 Data we collect automatically

When you use the Site or Services, we automatically collect certain technical information, such as:

IP address and approximate location (based on IP);
browser type and version, device type, operating system;
pages or screens you view, actions you take, and time spent;
timestamps for key events (login, sending an envelope, opening a signing link, signing a document, etc.).

This technical and event data is also used to generate audit trails for e-signing and to secure the Services.

2.3 Data we receive from others

Our customers – if you are a signer or contact added by one of our customers, they may provide us with your name, email, phone number, and other details relevant to the documents they send you.
Service providers – for example, delivery status information from email or SMS providers (e.g. “delivered”, “bounced”, “opened”, “clicked”).
Public sources and regulators – where necessary for compliance checks, sanctions screening, or fraud prevention (generally for business customers).

3. How and why we use personal data

Under UK GDPR we must have a lawful basis for each use of your personal data. The sections below summarise our main purposes and bases.

3.1 Providing and administering the Services

Data used: Account data, contact details, document/signer data, usage data.

Lawful basis:

Performance of a contract – where we provide the Services to you or your organisation.
Legitimate interests – for example, to ensure the Service functions as expected, to prevent abuse, and to manage business relationships.

3.2 Creating and maintaining audit trails and signatures

Data used: Signing events, timestamps, IP addresses, device/browser information, document identifiers, signatures/initials, OTP or verification events (where used).

Lawful basis:

Performance of a contract – to provide an evidential record of signing.
Legitimate interests – to help our customers evidence electronic signing and to protect both you and our customers in case of disputes.

3.3 Security, fraud prevention and abuse detection

Data used: IP, logs, usage patterns, account identifiers, limited device data.

Lawful basis:

Legitimate interests – to keep our systems and users secure, detect misuse, and protect our business.
Legal obligations – where we are required to keep logs or share data with authorities.

3.4 Billing, accounting, and tax

Data used: Billing details, transaction records, account identifiers.

Lawful basis:

Performance of a contract – to process payments and manage PAYG credits or subscriptions.
Legal obligations – to comply with tax and accounting rules (e.g. retaining invoices).

3.5 Support, troubleshooting and customer success

Data used: Contact details, account data, usage and error logs, support communications.

Lawful basis:

Performance of a contract – to respond to your enquiries and resolve issues.
Legitimate interests – to maintain and improve the Services.

3.6 Service improvement and analytics

Data used: Aggregated and pseudonymised usage data, device/browser details, feature usage.

Lawful basis:

Legitimate interests – to understand how the Services are used, improve reliability and user experience, and develop new features.

Where possible, we use aggregated or anonymised data that no longer identifies individuals.

3.7 Marketing and communications

Data used: Name, email address, organisation, marketing preferences, interaction with emails.

Lawful basis:

Legitimate interests – sending product updates and relevant information to business contacts, where permitted and with an easy opt-out.
Consent – where required (e.g. for certain electronic marketing to individuals/consumers).

You can opt out of marketing emails at any time by clicking the unsubscribe link in the email or by contacting us. We will still send transactional or service-related messages (for example, password resets, notices about your account, or signing invitations).

4. Our role as controller vs processor

4.1 When we are a controller

We act as a controller when we decide why and how personal data is processed, including for:

your Inkless account and login details;
our own billing, credit, and subscription records;
our logs, security systems, and analytics;
marketing and service communications.

For these activities, this Privacy Policy applies in full.

4.2 When we are a processor

When you upload documents, add recipients, and send envelopes for signature, we usually process the personal data in those documents on your behalf (or on behalf of your organisation). In that context:

You (or your organisation) are the controller; and
Inkless is a processor.

Your use of personal data in documents is governed by your own privacy notices and legal obligations, and by the Data Processing Agreement (DPA) or equivalent terms between you and us.

If you are a signer or recipient and have questions about a document you received via Inkless (e.g. access, correction, or deletion of your data in that document), you should normally contact the organisation or person who sent you the document, as they are the controller for that processing.

5. Sharing your personal data

We do not sell your personal data. We may share personal data with:

5.1 Service providers (processors)

Trusted third-party providers who help us deliver the Services, for example:

Hosting and infrastructure providers;
Email delivery providers (for example, Mandrill/Mailchimp Transactional, or similar services);
SMS and telephony providers (for one-time passcodes or notifications);
Payment processors (e.g. PCI-DSS compliant providers);
Analytics, logging, and monitoring services;
Professional advisers (accountants, lawyers, auditors) where necessary.

These providers are only allowed to process your personal data under our instructions and are subject to appropriate contractual and security obligations.

5.2 Other recipients

We may also share personal data where:

it is required by law or regulation, or in response to valid requests by public authorities (e.g. a court, regulator, or law enforcement agency);
it is necessary to protect rights and safety, for example to investigate fraud, security incidents, or potential abuse;
it occurs in connection with a business transaction, such as a merger, acquisition, or sale of all or part of our business (we will take steps to ensure your data remains protected and that you are informed of any material changes).

When documents are sent for signature, signers and recipients may see information necessary to complete the transaction, such as other parties’ names, email addresses, and document fields, depending on how the sender configures the workflow.

6. International transfers

Many of our core systems are hosted in the UK or EEA. However, some of our service providers may be located or may process data outside the UK and EEA, including in countries that do not have the same level of data protection laws.

Where personal data is transferred outside the UK/EEA, we will ensure that one of the following safeguards is in place:

the destination country has been recognised as providing an adequate level of protection; or
we have entered into appropriate standard contractual clauses or the UK International Data Transfer Agreement/Addendum with the recipient; or
another appropriate safeguard under UK data protection law is in place.

You can contact us at legal@inkless.co.uk for more information about the specific safeguards used for international transfers.

7. How long we keep your data (retention)

We keep personal data only for as long as necessary for the purposes set out in this Policy, including to meet legal, accounting, or reporting requirements. In general:

Account and billing data – kept while your Account is active and for up to 7 years after closure, to comply with tax and accounting obligations and to handle potential disputes.
Audit logs and signing records – retained for as long as reasonably necessary for evidential purposes, your contract with us, or as required by law or as agreed with you (for example, based on your configuration or your organisation’s retention policy).
Support communications – typically retained for the life of your account plus a limited period, to track and resolve issues and improve support.
Marketing data – kept until you opt out or we no longer need it, at which point we will delete or anonymise it.

Where your Account is inactive for 12 months, we may close and remove it in line with our Terms & Conditions. Even after account closure, we may retain limited personal data where necessary for:

legal obligations;
resolving disputes;
enforcing our agreements; or
maintaining appropriate business records.

When we no longer need personal data, we will delete or anonymise it.

8. Cookies and similar technologies

We use cookies and similar technologies on our Site and Services to:

provide core functionality (e.g. logging in, keeping your session active);
remember your preferences;
perform analytics and usage measurement;
enhance security.

Some cookies are strictly necessary for the Site or Services to work; others are optional (for example, analytics cookies). Where required by law, we ask for your consent before setting non-essential cookies.

For more detail on the cookies we use and your choices, please refer to our Cookie Policy (or equivalent page) when available.

9. Children

The Services are not intended for use by children under 18. We do not knowingly collect personal data from anyone under 18.

If you believe that a child under 18 has provided us with personal data, please contact us at legal@inkless.co.uk, and we will take appropriate steps to delete such information where required.

10. Your rights

If UK data protection law applies to you, you have certain rights over your personal data. Subject to some conditions and exceptions, these include:

Right of access – to obtain a copy of your personal data and information about how we process it.
Right to rectification – to have inaccurate or incomplete personal data corrected.
Right to erasure (“right to be forgotten”) – to request deletion of your personal data in certain circumstances.
Right to restriction – to request that we restrict processing in certain circumstances.
Right to data portability – to receive personal data you provided in a structured, commonly used, machine-readable format and to have it transmitted to another controller, where technically feasible and where the processing is based on consent or contract and carried out by automated means.
Right to object – to object to processing based on our legitimate interests, and to direct marketing at any time.
Right to withdraw consent – where we rely on your consent (for example, for certain marketing), you can withdraw that consent at any time.

To exercise these rights, please contact us at legal@inkless.co.uk and clearly state your request.

10.1 Requests relating to documents sent via Inkless

Where your personal data is contained in documents or workflows sent via Inkless by one of our customers (for example, you are a signer on a contract):

our customer is usually the controller for that data; and
we may need to redirect your request to them or act on their instructions.

We will let you know if this is the case.

11. Complaints

If you have concerns about how we use your personal data, we encourage you to contact us first at legal@inkless.co.uk, and we will do our best to resolve them.

You also have the right to lodge a complaint with a data protection supervisory authority. In the UK, this is:

Information Commissioner’s Office (ICO)
Website: https://ico.org.uk

12. Security

We take security seriously and implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These may include:

secure hosting environments and encryption in transit;
access controls and authentication;
logging and monitoring;
regular security reviews.

However, no system is completely secure. You are responsible for keeping your login credentials confidential, using strong, unique passwords, and ensuring the security of the devices and networks you use to access the Services.

If you believe your account has been compromised, please notify us immediately at legal@inkless.co.uk.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect changes in the law, our Services, or our data practices.

When we make material changes, we will update the “Last updated” date at the top of this Policy and take reasonable steps to inform you, such as by email or by displaying a notice in the Services or on the Site.

Your continued use of the Services after an updated Privacy Policy becomes effective will mean that you accept the updated Policy.

14. How to contact us

If you have any questions about this Privacy Policy or how we handle your personal data, you can contact us at:

Email: legal@inkless.co.uk
Post: Inkless Ltd, 128 City Road, London, EC1V 2NX, United Kingdom