Beezifi Inc. is committed to protecting the personal data of all individuals who interact with Agreement, including customers, their clients, and agreement signatories located in the European Economic Area (EEA), United Kingdom, and Switzerland. This page explains how Agreement complies with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).
1. Data Controller and Processor Roles
Under GDPR, "data controller" and "data processor" have specific meanings:
- When you use Agreement for your own business: Beezifi acts as a data processor on your behalf. You (the organization using Agreement) are the data controller responsible for the personal data you collect, upload, and process through the platform.
- When you register and manage your Agreement account: Beezifi acts as a data controller for the account information, billing details, and usage data it collects to operate the Service.
This distinction matters: as a controller, you decide the purposes and means of processing data within your agreements; Beezifi processes that data only on your documented instructions.
2. Lawful Basis for Processing
Beezifi relies on the following lawful bases under Article 6 GDPR:
- Contract (Art. 6(1)(b)): Processing your account information to fulfill our agreement with you and provide the Service
- Legitimate interests (Art. 6(1)(f)): Service security, fraud prevention, aggregate analytics, and improving the platform
- Legal obligation (Art. 6(1)(c)): Retaining billing records for tax and accounting compliance
- Consent (Art. 6(1)(a)): For optional communications such as product newsletters (you may withdraw consent at any time)
For special categories of personal data that may appear in documents you create (e.g., health data, financial data), you as the data controller are responsible for identifying and documenting the appropriate lawful basis, including explicit consent under Art. 9(2) GDPR where required.
3. Personal Data We Process
As Data Controller (your account)
- Name, email address, and organization details
- Billing and payment information (processed via Stripe)
- IP addresses and technical session data
- Account activity logs
As Data Processor (your agreements)
- Document content and agreement text you create or upload
- Recipient personal data (names, email addresses) you provide
- Signature data, initials, and handwritten inputs
- Signing audit trail data (IP addresses, timestamps, geolocation where enabled, device fingerprints)
- Communications between parties through the platform
We do not use agreement content or signatory data for any purpose other than delivering the Service to you.
4. Your Rights Under GDPR
As an EEA, UK, or Swiss data subject, you have the following rights under GDPR (Articles 15–22):
Art. 15
Right of Access
Request a copy of the personal data we hold about you and how we use it.
Art. 16
Right to Rectification
Request correction of inaccurate or incomplete personal data.
Art. 17
Right to Erasure
Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
Art. 18
Right to Restriction
Request that we restrict processing of your data in certain circumstances.
Art. 20
Right to Portability
Receive your data in a structured, machine-readable format and transfer it to another controller.
Art. 21
Right to Object
Object to processing based on legitimate interests, including profiling.
To exercise any of these rights, email privacy@beezifi.com with the subject line "GDPR Data Subject Request." We respond within 30 days. If you are dissatisfied with our response, you have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or your national DPA within the EEA).
5. International Data Transfers
Beezifi Inc. is based in the United States. When we process personal data of EEA, UK, or Swiss residents, that data may be transferred to and stored in the US, which does not have an adequacy decision from the European Commission for all transfers.
We rely on the following safeguards for such transfers:
- Standard Contractual Clauses (SCCs): We incorporate the EU Commission's approved SCCs into our Data Processing Agreement. Customers may request a signed DPA at legal@beezifi.com.
- UK IDTA: For UK-based transfers, we use the UK International Data Transfer Agreement (IDTA) as the transfer mechanism.
- Sub-processor SCCs: We ensure all sub-processors who handle EEA personal data also use appropriate transfer safeguards.
6. Data Retention
We retain personal data only as long as necessary for the purposes described in this policy:
- Active accounts: Data is retained for the duration of your subscription
- Post-cancellation: 30-day recovery window, then permanent and irreversible deletion
- Backup snapshots: Deleted within 90 days of account termination
- Billing records: Retained for up to 7 years for financial compliance (Art. 6(1)(c))
- Authentication and security logs: Up to 12 months
- Completed agreement audit trails: Retained for the life of the subscription and the 30-day grace period
You may request earlier deletion (subject to legal retention obligations) by contacting privacy@beezifi.com.
7. Sub-processors
We engage the following categories of sub-processors to help deliver the Service, all of whom are bound by data processing agreements and appropriate transfer safeguards:
- Cloud infrastructure (AWS): Server hosting, database storage, file storage
- Payment processing (Stripe): Billing and payment handling
- Transactional email (SendGrid): Signature request notifications, account emails
We will provide 30 days' notice of any new sub-processors that handle personal data, allowing you to object. Contact legal@beezifi.com to receive sub-processor change notifications.
8. Data Processing Agreement (DPA)
Organizations subject to GDPR that use Agreement to process personal data of EEA/UK individuals may request a signed Data Processing Agreement. The DPA documents the controller-processor relationship, incorporates Standard Contractual Clauses, and describes our technical and organizational security measures.
To request a DPA, email legal@beezifi.com with the subject line "DPA Request — Agreement."
9. Data Breach Notification
In the event of a personal data breach, Beezifi will:
- Notify affected data controllers within 72 hours of becoming aware of the breach, consistent with GDPR Article 33
- Provide details of the nature of the breach, data categories and approximate number of records affected, likely consequences, and measures taken or proposed
- Assist data controllers in fulfilling their own notification obligations to supervisory authorities and affected individuals
Notifications will be sent to the account owner email address on file.