Who We Are & Scope

PolarPath Technology Inc. (“PolarPath”, “we”, “us”, “our”) provides PolarSign, a tool that helps organizations prepare, send, and track documents for e signature. This Policy explains how we collect, use, disclose, and protect information when you use PolarSign, visit our sites, or interact with us.

We comply with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, the EU/UK General Data Protection Regulation (GDPR) and U.S. state privacy laws (e.g., California CPRA).

By accessing or using PolarSign or our websites, you acknowledge this Policy. If you do not agree, please do not use our services.

PIPEDAGDPRCPRA
Back to top ↑

Our Role (Controller vs. Processor)

• Controller: We act as a controller for account, billing, website, and support information we collect directly from you.
• Processor/Service Provider: For content you and your organization process through PolarSign (e.g., documents, recipient details, signatures, and audit trails), we act on your organization’s instructions. Your organization’s agreement with PolarPath governs that processing; please contact your administrator for requests about that data.

Back to top ↑

Information We Collect

1) Information You Provide

• Account & profile. Name, email, organization, role, and preferences provided at sign up or by your administrator.
• Billing. Subscription plan, renewal dates, payment status, and limited payment metadata from our processor (e.g., Stripe). We do not store full card numbers.
• Support & feedback. Messages, attachments, and diagnostic logs you submit via email, chat, or in product feedback.
• Document content. Files and fields you upload or select for e signature workflows, plus recipient names/emails and routing instructions.

2) Information Collected Automatically

• Usage & device logs. IP address, locale, time zone, device/browser details, feature interactions, timestamps, performance metrics, and error diagnostics.
• Cookies/local storage. Session tokens, CSRF tokens, preferences, and analytics identifiers used on our sites and dashboards.

3) Information from Google APIs

PolarSign accesses Google Workspace data only with your explicit authorization (OAuth). Depending on the features you use, we may access:

• Drive & editors. File metadata (title, type, ID, owner) and, when you request actions, file content to export or convert Google Docs/Sheets/Slides/Drive files to PDF for e signature.
• Basic profile. userinfo.email to associate actions with your organization and display your identity in activity logs.
• Script runtime context. Locale and UI container details to render the add on interfaces.

We access the minimum Google data required to perform requested actions and honor Google’s Limited Use requirements.

4) Third Party Integrations (Optional)

At your direction, we may receive data from integrations you connect (e.g., accounting, CRM, or helpdesk tools). Examples include QuickBooks or HubSpot metadata required to populate envelopes or contact fields.

5) Recipients & Signers

When you send documents, we process recipient contact details, signing status, timestamps, IP addresses at signing, and audit trail events.

6) Aggregated/De identified Data

We may create aggregate or de identified statistics (e.g., feature adoption, performance metrics) that do not identify individuals. We use these to improve reliability and user experience.

Back to top ↑

How We Use Information

• Deliver, operate, and improve PolarSign (e.g., export files, route PDFs to recipients, show tracking dashboards).
• Authenticate users, enforce access controls, and protect accounts.
• Process payments, manage subscriptions, and send transactional notices (status updates, reminders, invoices).
• Provide support, troubleshoot issues, perform debugging and auditing.
• Monitor performance, conduct analytics, and enhance reliability, quality, and security.
• Comply with legal obligations, enforce terms, and prevent abuse or fraud.

AI/ML. We do not use customer document content or Google user data to train generalized advertising or third party models. Any product analytics uses aggregated or de identified data.

Back to top ↑

Legal Bases (EEA/UK GDPR)

• Contract: To provide the services you or your organization requested.
• Legitimate interests: To secure, improve, and support the services, and to prevent fraud, balanced against your rights.
• Consent: Where required (e.g., certain cookies, optional communications). You can withdraw consent at any time.
• Legal obligations: To meet tax, accounting, or compliance requirements.

Back to top ↑

How We Share Information

• Service providers. Vendors that host infrastructure (e.g., Google Cloud Platform), process payments (e.g., Stripe), send emails, or provide analytics, bound by confidentiality and data protection terms.
• Recipients you designate. Documents, envelopes, notifications, and audit trails are shared with the people you specify.
• Legal compliance & safety. When required by law or to protect the rights, safety, or property of PolarPath, users, or the public.
• Business transfers. In a merger, acquisition, or reorganization, data may transfer to the successor subject to this Policy.

We do not sell personal information and do not “share” it for cross context behavioral advertising.

Back to top ↑

Data Retention

• Account & profile data: Kept while you maintain an account, then deleted or anonymized within a reasonable period unless retention is required by law or to resolve disputes.
• Documents & envelopes: Retained per your organization’s settings and instructions. Admins may request deletion of specific documents or accounts; we will honor requests unless retention is legally required.
• Audit logs: Retained for security and compliance for a period consistent with organizational needs and applicable law.
• Transactions & invoices: Minimum seven (7) years to satisfy tax requirements (e.g., CRA).
• Integration/implementation data (where applicable): Purged within 90 days after project end unless otherwise agreed.
• Analytics: Aggregated or de identified data may be kept for trend analysis; personal analytics identifiers are typically rotated or anonymized within 24 months.

Back to top ↑

Security

We employ administrative, technical, and physical safeguards aligned with industry standards, including:

• TLS 1.2+ for data in transit and encryption at rest (e.g., AES 256) where supported by our cloud providers.
• Least privilege, role based access; enforced MFA for privileged access.
• Audit logging, monitoring, intrusion alerts, and separation of environments.
• Vulnerability management (e.g., periodic scans) and regular security assessments.
• Secure software development practices and change management.

No system is perfectly secure. Please protect your credentials and notify us promptly of any suspected unauthorized access.

Back to top ↑

International Transfers

We store and process data primarily in the United States and Canada and may use cloud infrastructure in other regions. Where required, international transfers rely on appropriate safeguards (e.g., Standard Contractual Clauses).

Back to top ↑

Your Choices & Rights

Your rights depend on your location and the context of processing. Subject to legal limits, you may:

• Access a copy of your personal information.
• Correct inaccuracies or update details.
• Delete data or withdraw consent (where processing is based on consent).
• Object to or restrict certain processing.
• Request data portability.

Region Specific

• EEA/UK: You may object to processing based on legitimate interests and lodge a complaint with your data protection authority.
• Canada (PIPEDA): You may access and challenge the accuracy of your personal information; complaints can be directed to the Office of the Privacy Commissioner of Canada.
• California (CPRA): Right to know, delete, correct, and opt out of sale/sharing (noting we do neither). We honor legally required browser based opt out signals where applicable.

How to submit a request: Email privacy@polarpath.ca. We may need to verify your identity and, if you use PolarSign via your employer, we may direct you to your administrator. We aim to respond within 30 days, or the period required by law.

Back to top ↑

Cookies & Analytics

We use necessary cookies to operate our sites and dashboards (e.g., session and CSRF tokens), and analytics to understand usage and improve performance. You can control cookies via your browser settings; disabling some cookies may affect functionality.

Back to top ↑

Children

PolarSign is not directed to individuals under 16. We do not knowingly collect personal information from children. If we learn that a child has provided personal information, we will delete it promptly.

Back to top ↑

Third Party Links

Our sites or emails may link to third party services. Their privacy practices are governed by their own policies; please review those before submitting information.

Back to top ↑

Changes to This Policy

We may update this Policy from time to time. We will post updates here and revise the effective date above. Significant changes may also be communicated via email or in app notification. Your continued use after changes take effect signifies acceptance.

Back to top ↑

Contact

You may also contact your local data protection authority if you believe we have not addressed your concerns.

Back to top ↑

Annex A, Google API Services User Data Policy Compliance

• PolarSign uses Google OAuth scopes (e.g., https://www.googleapis.com/auth/drive, drive.file, documents, spreadsheets, presentations, userinfo.email, script.container.ui) only to perform actions explicitly requested by the user.
• We access and store the minimum Google user data required to execute requested functionality (e.g., exporting a Google Doc to PDF and routing it to specified recipients).
• We do not transfer Google user data to third parties except as necessary to provide the requested functionality (e.g., secure cloud storage or email delivery to recipients you designate).
• We do not use Google user data for advertising or marketing.
• Users/organizations can request deletion of their PolarSign account or data by emailing privacy@polarpath.ca. Associated Google data held by us will be deleted unless retention is legally required for obligations or audit purposes.
• We honor Google API Services User Data Policy, including Limited Use requirements.

Back to top ↑

Annex B, Key Service Providers

We use vetted service providers to deliver PolarSign:

• Google Cloud Platform (GCP), Infrastructure hosting, storage, and security services.
• Stripe, Payment processing (PolarPath receives limited payment metadata; full card data is handled by Stripe).
• Email delivery provider, Transactional notifications and status updates to recipients you designate.
• Analytics provider, Aggregated usage metrics to improve reliability and user experience.

A current list of subprocessors is available upon request at privacy@polarpath.ca.

Back to top ↑

Annex C, Definitions

• “Personal information” / “personal data” means information that identifies or reasonably relates to an identified or identifiable person.
• “Sell” / “Share” have the meanings given in the California Consumer Privacy Laws (CPRA).
• “Processor” / “Service Provider” means an entity that processes personal information on behalf of a controller/business.
• “Document content” means files, fields, and data you submit to PolarSign for e signature workflows, including recipient details and audit events.

This Policy is for transparency and does not limit any rights you may have under applicable law or your organization’s agreement with PolarPath.

Back to top ↑