Privacy Policy

Last Updated: December 15, 2024

Gatherly ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our client intake and document collection platform. This policy applies to all users of our services, including professionals (account holders) and their clients who access the portal.

1. Data Controller Information

Gatherly acts as a data processor for professional users and their client data. For questions about how your data is handled:

Data Protection Contact
Email: support@gatherly.shop

2. Information We Collect

Information You Provide Directly

  • Account information: Name, email address, company name, phone number
  • Client information: Names, email addresses, phone numbers of clients you add
  • Documents: Files uploaded through the platform for intake requests
  • Communications: Messages sent through the platform
  • Payment information: Processed securely by Stripe (we do not store payment card details)

Information Collected Automatically

  • Device information: Browser type, operating system
  • Log data: IP address (anonymized where possible), access times, pages viewed
  • Usage data: Features used, actions taken within the application

Electronic Signature Data

When you sign documents electronically, we collect:

  • Signature image data
  • IP address at time of signing (for legal validity)
  • User agent/browser information
  • Timestamp from RFC 3161 Timestamp Authority
  • Consent records

3. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Contract Performance: To provide our services as agreed in our Terms of Service
  • Legitimate Interest: For security, fraud prevention, and service improvement
  • Consent: For marketing communications and optional features
  • Legal Obligation: To comply with applicable laws and regulations

4. How We Use Your Information

  • Provide, maintain, and improve our services
  • Process transactions and send related information
  • Send technical notices, updates, security alerts, and support messages
  • Respond to your comments, questions, and customer service requests
  • Generate legally valid electronic signatures
  • Maintain audit trails for compliance purposes
  • Detect, investigate, and prevent fraudulent transactions

5. Third-Party Service Providers

We share data with the following categories of service providers:

Provider | Purpose | Data Shared | Location
Supabase | Database, Authentication, File Storage | All user and document data | EU (Frankfurt)
Stripe | Payment Processing | Payment and billing information | US (with EU SCCs)
Resend | Email Delivery | Email addresses, notification content | US (with EU SCCs)
Timestamp Authorities (DigiCert, Sectigo) | RFC 3161 Timestamping | Signature hashes only (no PII) | US/EU

All providers have signed Data Processing Agreements (DPAs) and implement appropriate technical and organizational measures.

6. Data Security

We implement appropriate technical and organizational measures to protect your personal information:

  • Encryption of data in transit (TLS 1.3)
  • Encryption of data at rest
  • SHA-256 checksums for document integrity verification
  • Role-based access controls
  • Multi-tenant data isolation
  • Regular security assessments
  • Comprehensive audit logging

7. Data Retention

We retain your data according to the following schedule:

  • Account data: Until account deletion request, then anonymized within 30 days
  • Client data: According to organization retention policies (configurable), default 90 days after intake completion
  • Documents: According to retention policies, or until deletion request (subject to legal holds)
  • Signature records: Retained for legal compliance (typically 7 years for signed documents)
  • Audit logs: 2 years, then anonymized
  • Email delivery logs: 90 days

8. Your Rights

For All Users

  • Access and update your account information
  • Opt out of marketing communications
  • Request deletion of your account
  • Export your data in a portable format

For EU/EEA Residents (GDPR)

  • Right of Access (Art. 15): Request a copy of all personal data we hold about you
  • Right to Rectification (Art. 16): Request correction of inaccurate data
  • Right to Erasure (Art. 17): Request deletion of your personal data
  • Right to Restrict Processing (Art. 18): Request we limit how we use your data
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to Object (Art. 21): Object to processing based on legitimate interest
  • Right to Withdraw Consent (Art. 7): Withdraw consent at any time for consent-based processing

How to Exercise Your Rights:
Navigate to Settings > Privacy in your account, or email support@gatherly.shop. We will respond within 30 days (extendable by 60 days for complex requests).

For California Residents (CCPA)

  • Right to know what personal information is collected
  • Right to request deletion of personal information
  • Right to opt out of the sale of personal information (Note: We do not sell personal information)
  • Right to non-discrimination for exercising these rights

9. Cookies and Tracking

We use the following cookies:

  • Strictly Necessary: Authentication, session management, security
  • Functional: Remembering your preferences

We do not use third-party tracking cookies for advertising. You can control cookies through your browser settings.

10. International Data Transfers

Your data may be processed in countries outside the EU/EEA. We ensure appropriate safeguards through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Vendor due diligence and DPA requirements

11. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay.

12. Children's Privacy

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete such information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page, updating the "Last Updated" date, and sending an email notification for significant changes. We encourage you to review this Privacy Policy periodically.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights:

Gatherly
Email: support@gatherly.shop

You also have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated.