Effective June 5, 2026 · Last updated June 5, 2026 · Armorstack, LLC · Waukesha, Wisconsin
This Privacy Policy explains how Armorstack, LLC ("Armorstack," "we," "us," or "our") collects, uses, discloses, and protects personal information in connection with ArmorSign, our self-serve electronic-signature platform (the "Service"). Armorstack is a Wisconsin limited liability company headquartered in Waukesha, Wisconsin. We serve users in the United States and may serve users located in the European Economic Area ("EEA") and the United Kingdom ("UK").
The Service has two distinct audiences, and how we handle your information depends on which one applies to you. Customers are account holders who subscribe to and use ArmorSign to prepare, send, and manage documents for signature. Signers are individuals invited by a Customer to review and sign a document. Where this Policy treats the two differently, we say so expressly.
For information that a Customer uploads or generates through the Service — including the documents themselves and the information of the Signers a Customer invites — Armorstack acts on the Customer's behalf and on the Customer's instructions. In those situations the Customer is responsible for its own privacy practices, and the Customer's own privacy notice (not this Policy) governs why that personal information is collected and how it is used. This Policy describes Armorstack's practices as the provider of the Service. By using the Service, you acknowledge the practices described here. If you do not agree, please do not use the Service. This Policy works alongside our Terms of Service, our Refund Policy, and our Electronic Records and Signatures Consent.
Privacy laws distinguish between the party that decides why and how personal information is processed (a "controller" under the GDPR, or a "business" under U.S. state law) and the party that processes personal information on another's behalf (a "processor" or "service provider"). Armorstack plays both roles, depending on the data.
When a Customer creates an account, we collect identifying and account-management information: name, email address, a one-way hashed version of the password (we never store passwords in plain text), organization or company name, and subscription status and plan.
Customers upload and create content through the Service, which may include documents and files, the signature and data fields placed on those documents, and the values entered into those fields. We refer to this collectively as "Customer Content." Customer Content may contain personal information about the Customer, its Signers, or third parties. We process Customer Content solely to provide the Service and on the Customer's instructions; we do not control what a Customer chooses to include in it.
When a Customer invites a Signer, we process the Signer's name and email address, the typed (or otherwise applied) signature, and the Signer's consent to use electronic records and signatures. To create reliable legal evidence that a signature occurred — and to maintain the integrity of the signed record — we also capture the Signer's IP address, browser user-agent string, and event timestamps at key points in the signing workflow (for example, when a document is opened, consented to, and signed). This evidentiary metadata is recorded in the audit trail described below.
Subscriptions are billed through our payment processor, Stripe. Stripe collects and processes the payment-card and billing details you provide directly to it. Armorstack does not receive or store your full card number. We store only a Stripe customer identifier, a subscription identifier, and the resulting subscription status, which we use to manage your plan and billing. Stripe's handling of your payment information is governed by Stripe's own privacy policy.
When you use the Service, our systems automatically record technical and diagnostic information — such as IP address, device and browser type, pages and features accessed, actions taken, request timestamps, and error or performance logs. We use this information to operate, secure, troubleshoot, and improve the Service.
The Service uses only essential, first-party browser storage required to make it work — for example, an authentication token stored in your browser's local storage so you stay signed in. We do not use advertising cookies or third-party tracking cookies. See Section 6 for details.
We use the information described above for the following purposes:
If you are located in the EEA or the UK, we rely on the following legal bases under the GDPR and UK GDPR to process your personal information, mapped to the purposes above:
We do not sell your personal information. We share personal information only as described here:
We engage a limited set of vetted service providers ("subprocessors") to deliver the Service. Each is bound by contractual confidentiality and data-protection obligations and may use the information only to perform services for us:
Information necessary to complete a signing transaction — such as the document, the applied signatures, and the Certificate of Completion — is shared among the parties to that transaction (the sending Customer and the Signers) as inherent to the e-signature process.
We may disclose information where we reasonably believe it is required to comply with law, legal process, or an enforceable governmental or regulatory request, or to protect the rights, property, safety, or security of Armorstack, our users, or the public.
If Armorstack is involved in a merger, acquisition, financing, reorganization, or sale of all or part of its assets, personal information may be transferred to a successor or acquirer as part of that transaction, subject to this Policy or a successor policy with comparable protections.
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. We do not use advertising cookies and we do not disclose personal information to third parties for their own marketing.
The Service relies only on essential, first-party browser storage. The primary example is an authentication token kept in your browser's local storage so that you remain signed in between requests. We do not use advertising, analytics-for-advertising, or third-party tracking cookies, and we do not build advertising profiles.
Because we do not track users across third-party sites or for advertising, we do not engage in activities that "Do Not Track" (DNT) or Global Privacy Control (GPC) signals are designed to limit. Where a recognized opt-out preference signal such as GPC applies to a "sale" or "share" of personal information, we honor it — though, as noted, we do not sell or share personal information for those purposes.
Completed signed records, the consent ledger, and the append-only audit trail are stored as legal-evidence records on a write-once, object-locked, immutable basis for up to seven (7) years. Because these records exist to evidence the validity and integrity of executed documents and to satisfy legal and evidentiary obligations, they may be exempt from deletion requests for the duration of that retention period; deleting them would defeat their evidentiary purpose and may itself be unlawful. After the retention period ends, these records are deleted or de-identified in the ordinary course.
Other account and operational data — such as draft documents, unsent or incomplete transactions, and general account information — is retained for as long as your account is active and deleted within a reasonable period after Account closure, except where we must retain it to comply with law, resolve disputes, or enforce our agreements.
We employ administrative, technical, and physical safeguards designed to protect personal information, including:
If we become aware of a security incident affecting personal information, we will investigate and provide notification to affected parties and authorities as and where required by applicable law. No method of transmission or storage is perfectly secure, however, and we cannot guarantee absolute security. You are responsible for safeguarding your account credentials and for notifying us promptly of any suspected unauthorized use.
Armorstack is based in the United States, and our subprocessors store and process data in the United States. If you access the Service from outside the United States, your personal information will be transferred to, stored in, and processed in the United States and other jurisdictions that may have data-protection laws different from those in your location. Where such transfers involve personal information of individuals in the EEA or the UK, we rely on appropriate safeguards recognized under applicable law — such as the European Commission's Standard Contractual Clauses (and the UK Addendum / International Data Transfer Agreement, where applicable) — to provide an adequate level of protection.
Depending on your state of residence, you may have specific rights regarding your personal information. This section applies to information for which Armorstack acts as a business / controller. Where Armorstack acts as a service provider / processor on a Customer's behalf, please direct your request to that Customer.
If you are a California resident, you have the right to:
Categories of personal information we collect include identifiers (name, email, IP address), commercial information (subscription and billing status), internet and network activity (usage and log data), and the contents of documents and signatures a Customer chooses to process. Sources include you, the Customer who invited you, and our systems. Purposes are described in Section 3. We do not sell or share personal information and have not done so in the preceding twelve months.
Residents of Virginia, Colorado, Connecticut, Utah, and other states with comparable consumer-privacy laws have similar rights — generally including the right to access, correct, delete, and obtain a portable copy of their personal information, to opt out of targeted advertising, sale, and certain profiling (none of which we engage in), and, in some states, to appeal our decision on a request. We extend these rights to residents of those states as their laws require.
To exercise any of these rights, email us at solutions@armorstack.ai. To protect your information, we will take reasonable steps to verify your identity — typically by confirming control of the email address associated with the relevant data — before acting on a request. Authorized agents must provide proof of authorization. We will not discriminate against you for exercising your rights.
If you are located in the EEA or the UK, you have the following rights with respect to personal information for which we are the controller: the right of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and objection to processing (including processing based on legitimate interests). Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing. You also have the right to lodge a complaint with your local data protection supervisory authority.
For Signer data and other Customer Content where Armorstack acts as a processor, the Customer is the controller. In those cases, please direct your request to the Customer who sent you the document; we will assist that Customer in responding as required and will route your request accordingly.
If you received a document to sign through ArmorSign, the Customer who sent it to you decided to use our Service and is the controller of your information. We process your name, email, signature, consent, and the evidentiary metadata described in Section 2.3 on that Customer's behalf and on their instructions, solely to complete the signing transaction and to create and preserve the resulting signed record and audit trail.
To exercise rights over your information, you can contact the Customer (the sender) directly, as they control how and why your data is used. You may also contact us at solutions@armorstack.ai, and we will assist or forward your request to the appropriate Customer. Please note that completed signed records, consent, and the audit trail are retained as legal evidence as described in Section 7 and may be exempt from deletion.
The Service is intended for business use and is not directed to anyone under 18 years of age. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact us at solutions@armorstack.ai and we will take appropriate steps to delete it.
We may update this Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will revise the "Last updated" date above and, where appropriate, provide additional notice (such as by email or an in-product notice). Your continued use of the Service after the effective date of a revised Policy constitutes acceptance of the changes.
Armorstack, LLC is the entity responsible for the information practices described in this Policy. To ask a question, exercise a privacy right, or raise a concern, contact us at:
We will respond to verifiable rights requests within the timeframes required by applicable law — generally within 45 days under U.S. state privacy laws (extendable where permitted) and within one month under the GDPR / UK GDPR (extendable by up to two further months for complex requests, with notice). If we act as a processor / service provider for the data at issue, we will direct your request to, or coordinate with, the relevant Customer who controls that data.