GDPR Compliance

Last updated: March 27, 2026

1. Our Commitment to GDPR

BreezyDoc is committed to complying with the General Data Protection Regulation (GDPR) (EU) 2016/679 and ensuring the protection of personal data for all individuals within the European Economic Area (EEA). This page outlines how BreezyDoc processes personal data in accordance with GDPR requirements, the rights available to data subjects, and the measures we take to safeguard your information.

2. Data Controller

BreezyDoc acts as the data controller for personal data collected through the Service. As the data controller, we determine the purposes and means of processing personal data. When you use BreezyDoc to send documents to recipients for signing, you act as the data controller for the personal data of those recipients, and BreezyDoc acts as a data processor on your behalf. For any inquiries regarding data processing, you may contact our Data Protection team at [email protected].

3. Lawful Basis for Processing

Under GDPR, we process personal data only when we have a valid lawful basis. BreezyDoc relies on the following legal bases for processing personal data:

Lawful Basis | Purpose
Contractual Necessity | Processing required to provide the Service, including account management, document storage, electronic signature facilitation, and team collaboration features.
Legitimate Interest | Processing for service improvement, analytics, fraud prevention, security monitoring, and maintaining audit trails for document integrity.
Consent | Processing based on your explicit consent, such as marketing communications and non-essential cookies. You may withdraw consent at any time.
Legal Obligation | Processing necessary to comply with applicable laws, regulations, or legal proceedings.

4. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights regarding your personal data. BreezyDoc is committed to facilitating the exercise of these rights in a timely manner, typically within 30 days of receiving a verified request.

Right | Description
Right of Access | You may request a copy of the personal data we hold about you, along with information about how it is processed.
Right to Rectification | You may request correction of inaccurate or incomplete personal data. You can update most account information directly through your Settings page.
Right to Erasure | You may request deletion of your personal data, subject to legal retention requirements. Note that audit trail data for completed signatures may be retained for legal validity.
Right to Restrict Processing | You may request that we limit the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
Right to Data Portability | You may request your personal data in a structured, commonly used, machine-readable format and have it transferred to another controller.
Right to Object | You may object to processing based on legitimate interests, including profiling. You may also object to processing for direct marketing purposes at any time.
Right Not to Be Subject to Automated Decisions | You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

To exercise any of these rights, please contact us at [email protected]. We may need to verify your identity before processing your request.

5. Data Processing Activities

BreezyDoc processes personal data for the following activities: account registration and authentication through our OAuth provider; document upload, storage, and management using encrypted cloud infrastructure; electronic signature creation, application, and verification; sending signature requests and notifications to document recipients via email; maintaining comprehensive audit trails for each document to ensure legal validity; team creation, member management, and role-based access control; analytics and reporting on document signing activity; and template creation and bulk document distribution.

6. Data Protection Measures

BreezyDoc implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing. These measures include encryption of data in transit using TLS/SSL protocols, encryption of data at rest in our cloud storage infrastructure, access controls and role-based permissions to limit data access, regular security assessments and vulnerability testing, comprehensive audit logging of all data access and modifications, secure session management with encrypted authentication tokens, and incident response procedures for potential data breaches. We regularly review and update these measures to address evolving security threats and maintain compliance with GDPR requirements.

7. International Data Transfers

When personal data is transferred outside the EEA, BreezyDoc ensures that appropriate safeguards are in place in accordance with GDPR Article 46. These safeguards may include Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions by the European Commission for the recipient country, binding corporate rules for transfers within our corporate group, or your explicit consent for specific transfers after being informed of the potential risks. We conduct transfer impact assessments to evaluate the level of data protection in recipient countries and implement supplementary measures where necessary.

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected. Account data is retained for the duration of your active account and deleted within 90 days of account closure. Document data and associated files are retained as long as the document owner maintains an active account, or as required by applicable law. Audit trail data for completed electronic signatures is retained for the legally required period to ensure the continued validity and enforceability of signed documents. Usage analytics data is anonymized after 24 months. You may request early deletion of your data by contacting our Data Protection team, subject to any legal retention obligations.

9. Data Breach Notification

In the event of a personal data breach, BreezyDoc will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, we will also notify the affected data subjects without undue delay, as required by GDPR Article 34. Our breach notification will include the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach.

10. Data Protection Impact Assessments

BreezyDoc conducts Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to the rights and freedoms of individuals, as required by GDPR Article 35. This includes assessments for new features involving large-scale processing of personal data, changes to data processing that significantly alter the risk profile, and the introduction of new technologies that may impact data protection. The results of these assessments inform our data protection strategies and are available to supervisory authorities upon request.

11. Sub-Processors

BreezyDoc engages certain third-party sub-processors to assist in providing the Service. All sub-processors are bound by data processing agreements that require them to process personal data only as instructed by BreezyDoc and to implement appropriate security measures. We maintain an up-to-date list of our sub-processors, which includes cloud hosting and infrastructure providers, email delivery services for signature notifications, and analytics and monitoring services. We will notify users of any changes to our sub-processor list and provide an opportunity to object to new sub-processors.

12. Data Processing Agreements

When BreezyDoc acts as a data processor on behalf of our users (for example, when processing recipient data for document signing), we enter into Data Processing Agreements (DPAs) that comply with GDPR Article 28. These agreements define the scope and purpose of processing, the obligations of both parties, the technical and organizational measures in place, and the procedures for data subject requests and breach notifications. Enterprise customers may request a copy of our standard DPA by contacting [email protected].

13. Supervisory Authority

If you believe that our processing of your personal data infringes GDPR, you have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. While we encourage you to contact us first so we can address your concerns directly, we fully respect your right to escalate matters to the appropriate supervisory authority.

14. Contact Our Data Protection Team

For any questions, concerns, or requests related to GDPR compliance or data protection, please contact our Data Protection Officer at [email protected]. We aim to respond to all inquiries within 30 days.