Privacy Policy

Who we are

NotaryX is a trade name of Yepyr B.V., a company registered in the Netherlands. We provide an electronic signing platform designed to help individuals and organisations sign documents securely while maintaining comprehensive evidence records.

Address:
Stadionstraat 11 C11, 4815 NC Breda, Noord-Brabant, The Netherlands

Contact and Data Protection Officer

For questions about this privacy notice or how we handle your personal data, you may contact our Data Protection Officer.

DPO contact: dpo@notaryx.eu

What data we process

We process the following categories of personal data:

Account and organisation data

Name and email address
Organisation name (if applicable)
Password (stored in hashed form)
Role and membership information

Signing and document data

Documents you upload for signing
Names and email addresses of signers you invite
Signature images and field values captured during signing
Completed and countersigned documents

Evidence and audit data

IP addresses and user agent strings (for signing events)
Timestamps of actions taken during the signing process
Cryptographic hashes of documents

Technical and operational data

Browser type and device information
Log data for troubleshooting and security
First-party usage analytics events (page path, timestamp, referrer domain, masked IP prefix)

Payment data

Billing contact information
Payment method and mandate details processed by Mollie (we do not store full card numbers)
Transaction and subscription history

Why we process your data

We process personal data for the following purposes:

To provide and operate the signing service
To create and maintain your account
To send signing invitations and notifications to signers
To generate evidence packages that demonstrate signing integrity
To process payments and manage subscriptions
To communicate with you about your account and our services
To understand website usage in aggregate and improve product usability
To ensure the security and integrity of our platform
To comply with legal obligations

Legal bases

We rely on the following legal bases under the GDPR:

Performance of a contract

Processing necessary to provide our signing services to you and to fulfil our contractual obligations.

Legitimate interests

Processing for security purposes, fraud prevention, and improving our services, where these interests are not overridden by your rights.

Legal obligation

Processing required to comply with applicable laws, such as tax and accounting requirements.

Consent

Where required, we obtain your consent for specific processing activities. You may withdraw consent at any time.

With whom we share data

We work with the following categories of service providers (processors) to deliver our services:

Infrastructure and hosting

UpCloud (Finland) — Application hosting in the Amsterdam region and object storage in Germany. Both within the EU.

Payment processing

Mollie B.V. (Netherlands) — Handles payment transactions, recurring payment mandates, and payment status callbacks. Depending on the payment method chosen, processing may involve banks and payment networks required to execute the transaction.

Email delivery

Email delivery is handled by mail infrastructure operated by Yepyr B.V. in the Netherlands.

Administrative tooling

Microsoft 365 — Used for administrative and business operations.

We do not sell your personal data. We do not use third-party analytics tracking services such as Google Analytics.

Where data is stored

We design for EU data sovereignty and aim to keep your data within the European Economic Area (EEA).

Our application is hosted by UpCloud in the Amsterdam region (Netherlands).
Document and file storage uses UpCloud Object Storage located in Germany.
We do not intentionally use US cloud providers for the application stack.

For payment processing, banks or payment networks in the selected payment method chain may process limited data outside the EEA. Where transfers occur, they are handled in compliance with applicable data protection law and with appropriate safeguards where required.

Retention

We retain personal data only for as long as necessary for the purposes described in this notice.

Active accounts

While your account is active, we retain your account data, documents, and evidence records to provide the service.

After account termination

When you close your account or your subscription ends, we retain your data for a grace period (generally 30 days) to allow for recovery from accidental cancellation. After the grace period, your data is deleted.

Backups

Backups are retained for operational recovery purposes. Daily backups are generally retained for 14 days; weekly backups for up to 8 weeks. Deleted data may persist in backups until they expire.

Legal requirements

We may retain certain data longer if required by law or to establish, exercise, or defend legal claims.

Security measures

We implement appropriate technical and organisational measures to protect your personal data, including:

Encryption of data in transit using TLS
Encryption of stored data where supported by the platform
Access controls and role-based permissions
Regular security reviews and updates
Secure handling of authentication credentials

While we take reasonable steps to protect your data, no system is completely secure. We aim to maintain security practices appropriate to the nature of the data we process.

Cookies and similar technologies

We use only essential cookies necessary for the functioning of our website and application.

Session cookies to maintain your login state
Security cookies to protect against cross-site request forgery

We do not use third-party analytics cookies or tracking pixels. Our first-party analytics is configured without analytics cookies and respects browser Do Not Track signals.

Your rights

Under the GDPR, you have the following rights regarding your personal data:

Right of access

You may request a copy of the personal data we hold about you.

Right to rectification

You may request correction of inaccurate personal data.

Right to erasure

You may request deletion of your personal data, subject to legal retention requirements.

Right to restriction

You may request that we restrict processing of your data in certain circumstances.

Right to data portability

You may request your data in a structured, commonly used format.

Right to object

You may object to processing based on legitimate interests.

Right to withdraw consent

Where processing is based on consent, you may withdraw it at any time.

To exercise your rights, please contact us at dpo@notaryx.eu. We will respond within the timeframes required by applicable law.

Complaints

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a supervisory authority.

In the Netherlands, the supervisory authority is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority).
https://autoriteitpersoonsgegevens.nl