EGraph Website Privacy Notice (EGraph Signatures and Forms Inc.)

Effective date: [EFFECTIVE DATE]

This Privacy Notice explains how EGraph Signatures and Forms Inc. (“EGraph,” “we,” “us,” “our”) collects, uses, and shares Personal Information in connection with the EGraph corporate company website located at https://www.esigforms.com (the “EGraph Site”). This Notice is intended to be read by site visitors, business contacts, and applicants interacting with the EGraph Site (not the EGraph SaaS products themselves, except as expressly cross-referenced below).

Important: EGraph also owns and/or provides SaaS products operated on separate domains (AORForms at https://www.AORForms.com and Respectly at https://www.Respectly.AI). Those products have separate product privacy disclosures that describe product-specific data practices, including B2B2C “processor/service provider” processing of Customer Data.

  • AORForms Product Privacy Disclosures: https://www.aorforms.com/privacy
  • Respectly.AI Product Privacy Disclosures: https://www.respectly.ai/privacy

If there is a conflict between this EGraph Site Privacy Notice and a product privacy policy/supplement for a specific product, the product privacy policy/supplement controls for that product.

1. Definitions

For clarity, the following terms apply in this Notice:

  • “Personal Information” means information about an identifiable individual, or information that can reasonably be used to identify an individual, as defined under applicable privacy laws (including Canadian privacy laws).
  • “Customer” means an organization (for example, a business, government entity, or nonprofit) that subscribes to and uses EGraph’s SaaS products (such as AORForms or Respectly) under a contract with EGraph.
  • “End-Recipient” means an individual who receives a form, document, message, or communication sent by a Customer through an EGraph SaaS product and who may complete, sign, or otherwise interact with that content.
  • “Customer Data” means data (which may include Personal Information) that a Customer or End-Recipient submits to, transmits through, or processes using an EGraph SaaS product, including the content of forms, documents, communications, and related metadata.

2. Scope

This Notice applies only to Personal Information collected through the EGraph Site (esigforms.com), such as when you:

  • browse the EGraph Site (including through cookies/analytics);
  • submit a contact request or inquiry;
  • apply for a job (if careers functionality is offered);
  • or contact us as a vendor, partner, investor, or other business counterparty.

This Notice does not govern Customer Data processed through EGraph’s SaaS products (including AORForms and Respectly). For Customer Data, EGraph generally acts as a “processor” (under laws like the GDPR) and/or “service provider” (under the CCPA/CPRA) on behalf of the applicable Customer, which is typically the “controller”/“business” that determines how and why Customer Data is processed. Please review the applicable product privacy disclosures listed above for product-specific information.

3. Personal Information We Collect on the EGraph Site

The categories of Personal Information collected depend on how you interact with the EGraph Site:

  • Device and usage information (automatically collected): IP address, browser type, device type, operating system, language, approximate location derived from IP address, pages viewed, referring URLs, and timestamps.
  • Cookies and similar technologies: identifiers and usage data collected via cookies, pixels, local storage, and similar tools.
  • Contact and inquiry information (if you submit forms or email us): name, email address, phone number, company name, job title, and the content of your message.
  • Recruiting information (if applicable): resume/CV, work history, education, references, and information you choose to provide during the application process.
  • Vendor/partner/investor communications (if applicable): business contact details and communications content.

We do not intentionally collect sensitive personal information through the EGraph Site. Please do not submit highly sensitive regulated data through the EGraph Site (for example, government ID numbers, financial account numbers, precise geolocation, health/medical information, HIPAA/PHI, biometric identifiers, or similar).

4. Age Restrictions

The EGraph Site is not intended for, and should not be used by, individuals under 16 years of age. We do not knowingly collect Personal Information from individuals under 16. If you believe a child under 16 has provided Personal Information to us through the EGraph Site, please contact us using the details in Section 12.

5. How We Use Personal Information (Purposes)

We use EGraph Site Personal Information to:

  • operate and secure the EGraph Site (including detecting, preventing, and responding to security incidents and abuse);
  • respond to inquiries and communicate with you;
  • evaluate recruiting applications (if applicable) and manage hiring processes;
  • manage vendor/partner relationships and business communications;
  • understand EGraph Site performance and improve the EGraph Site through analytics;
  • and comply with legal obligations and enforce our rights.

We may also use Personal Information to:

  • maintain our internal records, reporting, and administration;
  • prevent fraud, unauthorized access, and other misuse; and
  • defend and enforce our legal rights (including contractual and intellectual property rights).

6. Legal Bases / Authority for Processing (Canada + EEA/UK Visitors)

Canada (and similar jurisdictions): We process Personal Information where we have a lawful basis/authority to do so, including:

  • with your consent (express or implied), such as when you submit a contact request or apply for a role;
  • as permitted by law for legitimate business purposes, such as operating, securing, and improving the EGraph Site, and responding to business inquiries;
  • and to comply with applicable legal obligations and to establish, exercise, or defend legal claims.

EEA/UK visitors (where applicable): If you are located in the EEA or the UK, our processing is based on one or more of the following legal grounds:

  • your consent (for example, for certain non-essential cookies where required);
  • our legitimate interests (for example, securing the EGraph Site, responding to inquiries, and improving performance), where those interests are not overridden by your rights;
  • performance of a contract or steps at your request prior to entering into a contract (for example, responding to certain business inquiries);
  • and compliance with legal obligations.

We aim to follow privacy-by-design principles, including data minimization, purpose limitation, access controls, and retention limits appropriate to the EGraph Site’s corporate website functions.

7. How We Share Personal Information

We may share Personal Information collected through the EGraph Site with:

  • Service providers that help us operate the EGraph Site (for example, hosting, security monitoring, analytics, communications tools). These providers are permitted to process Personal Information only to provide services to us and must protect it consistent with applicable contractual obligations.
  • Professional advisors (for example, legal, accounting) where necessary for business operations and compliance.
  • Authorities or third parties when required by law or to protect rights, safety, and security.
  • Transaction counterparties in connection with a merger, acquisition, financing, reorganization, or sale of assets (subject to appropriate confidentiality protections).

We may also disclose Personal Information:

  • to our affiliates and corporate group members (if any), for internal administration, security, and business continuity purposes;
  • to comply with lawful requests, court orders, subpoenas, or other legal process;
  • to investigate, prevent, or take action regarding suspected or actual illegal activity, fraud, security incidents, or violations of our policies;
  • and with your direction or where you choose to interact with third-party links or services.

No sale/sharing for cross-context behavioral advertising: We do not sell Personal Information for money. We also do not “share” Personal Information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act/California Privacy Rights Act (“CCPA/CPRA”), to the extent applicable.

8. Product Data (AORForms / Respectly): Controller/Processor Roles and DSAR Routing

This section is provided for clarity because some EGraph Site visitors may also be End-Recipients or users of EGraph’s SaaS products.

Customer Data in our SaaS products. When EGraph processes Customer Data through AORForms or Respectly, EGraph acts as a “processor” and/or “service provider” (as applicable) on behalf of the Customer. The Customer is typically the controller/business that determines the purposes and means of processing and is responsible for providing notices and collecting any required consents.

End-Recipient requests (access, deletion, correction, etc.). If you are an End-Recipient and want to exercise rights regarding Customer Data (for example, request access or deletion), you must direct your request to the Customer (the organization that sent you the form or message). EGraph will provide reasonable assistance to the Customer in responding to such requests, consistent with applicable law and the Customer’s contract with EGraph. After we receive documented instructions from the Customer, EGraph requires up to fifteen (15) days to manually process deletion (or comparable) requests in our systems, where feasible and legally permitted.

Not for highly sensitive regulated data. EGraph’s SaaS products are not designed for, and must not be used to process, store, or transmit highly sensitive regulated data (for example, HIPAA/PHI, biometric identifiers/templates, or similar regulated categories). Please refer to the applicable product disclosures and contract terms for additional restrictions.

9. Retention (More Specific)

We retain Personal Information only as long as reasonably necessary for the purposes described in this Notice, unless a longer period is required or permitted by law. In general:

  • Website technical logs and security records are retained for a period consistent with operational and security needs, then deleted or de-identified, unless we need to retain them longer to investigate abuse, ensure site integrity, or comply with law.
  • Contact/inquiry communications are retained for as long as needed to respond and maintain appropriate business records, and then deleted or archived consistent with our retention practices and legal obligations.
  • Recruiting/applicant information (if applicable) is retained for the duration of the hiring process and a reasonable period thereafter, consistent with legal requirements and legitimate business purposes.

Product offboarding reference (SaaS): Retention and deletion timelines for Customer Data in EGraph’s SaaS products are governed by the applicable product disclosures and customer contract terms (including offboarding/export windows). For example, customers who explicitly cancel may have a 90-day period to export data, after which data may be deleted from active systems in accordance with those terms. Account suspension and abandonment scenarios (including non-payment) are governed by the applicable Terms & Conditions.

10. Cookies, Analytics, and Your Choices

We may use cookies and similar technologies (such as pixels, SDKs, local storage, and log files) to:

  • keep the EGraph Site functioning;
  • remember preferences (if any);
  • and measure and improve EGraph Site performance.

Types of cookies/technologies we may use include:

  • Strictly necessary cookies (to enable core site functionality and security).
  • Preference cookies (to remember settings you choose, where applicable).
  • Analytics/performance cookies (to understand how visitors use the EGraph Site and to improve site content and performance).
  • Security-related technologies (to help detect suspicious activity and protect the EGraph Site).

Third-party analytics: We may use third-party analytics providers to help us understand EGraph Site usage and performance. These providers may set their own cookies or similar technologies and collect information about your device and browsing activity on the EGraph Site.

Cookie choices:

  • You may also control cookies through your browser settings. Blocking some cookies may impact site functionality.
  • You may be able to delete existing cookies and configure your browser to block some or all cookies.
  • Your choices are browser- and device-specific. If we implement a cookie banner or consent tool, you may be able to manage non-essential cookies through that tool (where required by law).

Global Privacy Control (GPC): Where the CCPA/CPRA applies and GPC is recognized as a valid opt-out signal, we will treat a detected GPC signal as a request to opt out of “sale”/“sharing” for that browser/device to the extent applicable (noting we do not sell and do not share for cross-context behavioral advertising as described above).

Do Not Track: Some browsers offer “Do Not Track” signals; because there is no common standard, the EGraph Site may not respond to Do Not Track signals.

11. Security

We maintain administrative, technical, and organizational safeguards designed to protect Personal Information collected through the EGraph Site against unauthorized access, use, alteration, disclosure, or destruction. These measures include access controls, least-privilege principles, and monitoring designed to help protect the EGraph Site.

No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we work to protect Personal Information in a manner appropriate to the nature of the information and the risks involved.

12. Cross-Border Processing and Data Transfers (Canada and U.S. Hosting)

EGraph is headquartered in Canada, and the EGraph Site may be hosted and supported using service providers located in the United States and other jurisdictions. As a result, Personal Information may be processed outside your province/state/country and may be subject to the laws of those jurisdictions.

Product hosting reference: For EGraph’s SaaS products (AORForms and Respectly), primary data hosting is in the United States (including through Microsoft Azure). Product-related transfers and safeguards are addressed in the applicable product disclosures and contractual terms (including any Data Processing Addendum).

Cross-border risk note: When Personal Information is processed outside of your jurisdiction, it may be accessible to law enforcement or other authorities under the laws of the jurisdiction where it is processed.

13. Your Privacy Rights (Canada + U.S. States — High Level)

Depending on your location and applicable law, you may have rights such as:

  • requesting access to, and correction of, Personal Information we control;
  • requesting deletion of certain Personal Information (subject to legal exceptions);
  • withdrawing consent where processing is based on consent (where applicable);
  • and opting out of certain processing (for example, certain cookies).

How to exercise rights: Contact us at privacy@esigforms.com. We may need to verify your identity before responding.

Product data requests: If your request relates to Personal Information processed through an operating SaaS product (for example, as an End-Recipient of a form/message), please use the instructions in the applicable product privacy policy or contact the applicable Customer (the organization that sent you the form/message), as that organization is typically the controller/business for that data. See also Section 8 (DSAR routing and EGraph support).

Authorized agents (where applicable): If permitted by applicable law, you may use an authorized agent to submit certain requests. We may request proof of the agent’s authority and verify your identity directly where permitted or required.

14. Governing Law

This Notice is governed by the laws of the Province of Ontario, Canada, and the applicable federal laws of Canada, without regard to conflict-of-laws rules. This governing law provision applies to the interpretation and application of this Notice.

15. Changes to This Notice

We may update this Notice from time to time. We will post the updated version on the EGraph Site and revise the effective date above. If changes are material, we will take additional steps as required by applicable law.

16. Contact Us

  • Email: privacy@esigforms.com
  • Mail: 133 Richmond St W., Ste 207, Toronto, ON, Canada, M5H 2L3
  • Attention: Privacy Officer, EGraph Signatures and Forms Inc.