GDPR Compliance
Effective Date: July 16, 2025
Last Updated: July 16, 2025
OpenSign is committed to protecting your personal data and complying with the General Data Protection Regulation (GDPR) for our users in the European Union and European Economic Area.
Data Controller and Data Processor Roles
When We Are a Data Controller
OpenSign acts as the data controller for:
- Your account information and authentication data
- Billing and payment information
- Communications with our support team
- Usage analytics and service improvement data
As a controller, we determine the purposes and means of processing this data.
When We Are a Data Processor
OpenSign acts as a data processor for:
- Content you upload to create digital signage displays
- Data you store and manage through our platform
- Information your end-users/viewers may provide through interactive displays
When acting as a processor, our business customers are the data controllers, and we process data according to their instructions and our Data Processing Agreement (DPA).
Legal Basis for Processing
We process your personal data under the following legal bases:
- Contract (Article 6(1)(b)): To provide our digital signage service and fulfill our contractual obligations
- Legitimate Interest (Article 6(1)(f)): To improve our service, prevent fraud, ensure security, and maintain service quality
- Consent (Article 6(1)(a)): For marketing communications and optional features (where explicitly obtained)
- Legal Obligation (Article 6(1)(c)): To comply with applicable laws and regulations
When we rely on legitimate interests, we have conducted legitimate interest assessments (LIA) to ensure our processing does not override your rights and freedoms.
Data We Collect
Personal Data
- Name and contact information (email address, company name)
- Account credentials and authentication data
- Payment information (processed by third-party payment processors - we do not store full credit card numbers)
- Communication records (support tickets, emails, chat logs)
- Profile preferences and settings
Technical Data
- IP addresses and device information
- Browser type, version, and language settings
- Usage analytics and performance data
- Log files and error reports
- Cookie identifiers and tracking data
Content Data (When Acting as Processor)
- Digital signage content uploaded by customers
- Display configurations and schedules
- End-user interaction data (if applicable)
How We Use Your Data
We use your personal data to:
- Provide, maintain, and improve our digital signage service
- Process payments and manage subscriptions
- Provide customer support and respond to inquiries
- Send service-related notifications and updates
- Analyze usage patterns to improve our service
- Ensure security, prevent fraud, and detect abuse
- Comply with legal obligations and enforce our terms
- Send marketing communications (only with your consent, which can be withdrawn)
Data Sharing and Third-Party Processors
We may share your data with the following categories of recipients:
Service Providers (Sub-processors)
- Amazon Web Services (AWS): Cloud hosting infrastructure (US)
- Payment Processors: Secure payment processing (SPECIFY: Stripe, PayPal, etc.)
- Analytics Services: Service usage analysis (SPECIFY if using Google Analytics, etc.)
- Email Service Providers: Transactional and marketing emails (SPECIFY provider)
- Customer Support Tools: Support ticket management (SPECIFY if applicable)
A complete list of our sub-processors is available upon request.
Legal Requirements
We may disclose your data when required by law, court order, or government regulation, or to protect our rights and safety.
Business Transfers
In connection with mergers, acquisitions, or asset sales, your data may be transferred. We will notify you of any such change and your options.
We do not sell your personal data to third parties.
Cookies and Tracking Technologies
We use cookies and similar tracking technologies to:
- Maintain your session and authentication
- Remember your preferences
- Analyze service usage (with your consent)
- Improve service performance
Cookie Categories
- Strictly Necessary Cookies: Required for service operation (no consent needed)
- Functional Cookies: Remember your preferences and settings
- Analytics Cookies: Help us understand how you use our service (consent required)
- Marketing Cookies: Track marketing campaign effectiveness (consent required)
You can manage your cookie preferences through our cookie consent banner and browser settings. Note that disabling certain cookies may affect service functionality.
For detailed information, see our Cookie Policy.
Data Retention
We retain personal data only as long as necessary for the purposes outlined in this notice:
- Account data: Retained while your account is active and for 90 days after account closure (unless legal requirements mandate longer retention)
- Usage and analytics data: Typically retained for 26 months
- Support communications: Retained for 3 years to maintain service quality and resolve disputes
- Payment data: Retained as required by financial regulations (typically 7 years)
- Marketing consent records: Retained to demonstrate compliance
- Content data (as processor): Retained according to customer instructions and our DPA
When data is no longer needed, we securely delete or anonymize it.
Your Rights Under GDPR
As a data subject in the EU/EEA, you have the following rights:
Right of Access (Article 15)
You can request a copy of the personal data we hold about you, including information about how we process it.
Right to Rectification (Article 16)
You can ask us to correct inaccurate or incomplete personal data.
Right to Erasure - "Right to be Forgotten" (Article 17)
You can request deletion of your personal data when:
- It's no longer necessary for the purposes for which we collected it
- You withdraw consent (where processing was based on consent)
- You object to processing and there are no overriding legitimate grounds
- The data was unlawfully processed
- Legal obligations require erasure
Note: We may retain certain data where we have a legal obligation or legitimate interest to do so.
Right to Restrict Processing (Article 18)
You can limit how we use your personal data in certain situations, such as when you contest the accuracy of the data.
Right to Data Portability (Article 20)
You can request your data in a structured, commonly used, machine-readable format (e.g., CSV, JSON) and transmit it to another service provider.
Right to Object (Article 21)
You can object to:
- Processing based on legitimate interests
- Direct marketing (we will always stop marketing upon your objection)
- Profiling related to direct marketing
Right to Withdraw Consent (Article 7(3))
Where processing is based on consent, you can withdraw it at any time. This will not affect the lawfulness of processing before withdrawal.
Right Not to Be Subject to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you.
We do not currently engage in automated decision-making or profiling that produces legal effects.
Right to Lodge a Complaint
You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not complied with GDPR requirements.
Exercising Your Rights
To exercise any of these rights, please contact us at:
- Email: support@opensign.us
- Subject line: "GDPR Request - Your Request Type"
- Include: Your account email, specific request details, and verification information
Response Time: We will respond to your request within one month of receipt. In complex cases, we may extend this period by up to two additional months, and we will inform you of the extension and reasons within the first month.
Identity Verification: To protect your privacy, we may request additional information to verify your identity before processing certain requests.
No Fee: We will not charge a fee for processing your request unless it is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or refuse the request.
EU Representative
IF YOU DON'T HAVE AN EU ESTABLISHMENT
As OpenSign does not have an establishment in the European Union but offers services to individuals in the EU, we have appointed an EU representative in accordance with Article 27 GDPR:
EU Representative:
NAME OF REPRESENTATIVE OR SERVICE
ADDRESS
EMAIL
You can contact our EU representative regarding any GDPR matters.
OR IF YOU HAVE EU ESTABLISHMENT
OpenSign operates from EU COUNTRY/ADDRESS and can be contacted directly regarding GDPR matters.
Data Protection Officer
IF REQUIRED - Most small SaaS companies don't need a DPO unless processing at large scale
We have appointed a Data Protection Officer (DPO) who can be contacted at:
- Email: dpo@opensign.us
- Address: DPO Address
OR IF NOT REQUIRED - Recommended approach for smaller operations
While we are not required to appoint a Data Protection Officer under GDPR, you can direct all data protection inquiries to:
- Privacy Team Email: support@opensign.us
- Address: Company Address
Data Processing Agreement (DPA)
For business customers who use OpenSign to process personal data of their end-users (where we act as a data processor), we provide a Data Processing Agreement (DPA) that includes:
- Standard Contractual Clauses (SCCs) for international data transfers
- Sub-processor lists and notification procedures
- Security measures and obligations
- Data subject rights assistance
- Audit rights and breach notification procedures
Business customers can request our DPA by contacting support@opensign.us.
International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States.
We ensure adequate protection through:
1. Adequacy Decisions
We may transfer data to countries that the European Commission has determined provide adequate data protection (e.g., UK, Switzerland, Japan).
2. Standard Contractual Clauses (SCCs)
For transfers to countries without adequacy decisions, we use Standard Contractual Clauses approved by the European Commission, supplemented by additional safeguards where necessary.
3. EU-US Data Privacy Framework
We may transfer data to US-based service providers participating in the EU-US Data Privacy Framework, which provides appropriate safeguards for data transfers.
4. Transfer Impact Assessments
We conduct transfer impact assessments to ensure that the level of protection in the destination country is essentially equivalent to that in the EU.
You can request more information about the safeguards we use for international transfers by contacting us.
Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage:
Technical Measures
- Encryption in transit (TLS/SSL) and at rest (AES-256)
- Multi-factor authentication options
- Access controls and authentication mechanisms
- Regular security vulnerability assessments and penetration testing
- Secure software development practices
- Automated backup and disaster recovery procedures
Organizational Measures
- Staff training on data protection and security
- Confidentiality agreements with employees and contractors
- Access limitation on a need-to-know basis
- Incident response and breach notification procedures
- Regular security policy reviews and updates
- Vendor security assessments
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the Supervisory Authority: Within 72 hours of becoming aware of the breach
- Notify Affected Individuals: Without undue delay if the breach is likely to result in a high risk to rights and freedoms
- Provide Clear Information: About the nature of the breach, likely consequences, and measures taken or proposed
Our notification will include:
- Description of the nature of the breach
- Contact point for more information
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate harm
Children's Data
Our service is not directed to children. We do not knowingly collect personal data from children under the age of 16 without parental consent, as required by GDPR.
If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to delete that information promptly.
If you believe we have collected data from a child under 16, please contact us immediately at support@opensign.us.
Records of Processing Activities
In accordance with Article 30 GDPR, we maintain records of our data processing activities, including:
- Categories of processing activities
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients
- International transfers and safeguards
- Data retention periods
- Security measures
These records are available to supervisory authorities upon request.
Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
Lead Supervisory Authority for OpenSign:
IF YOU HAVE EU ESTABLISHMENT: List the specific authority
IF NO EU ESTABLISHMENT: "Your local data protection authority"
You can find your local supervisory authority at: https://edpb.europa.eu/about-edpb/board/members_en
Updates to This Notice
We may update this GDPR compliance notice from time to time to reflect changes in our practices, legal requirements, or service features.
Notification of Changes:
- Material changes will be communicated through email or prominent notice on our service
- The "Last Updated" date at the top of this page will be revised
- Continued use of our service after changes constitutes acceptance of the updated notice
We encourage you to review this notice periodically.
Contact Information
For any questions about GDPR compliance, data protection, or to exercise your rights, please contact us:
General Data Protection Inquiries:
- Email: support@opensign.us
- Postal Address: Company Address - Must be filled in
EU Representative: If applicable - see EU Representative section above
Response Time: We aim to respond to all inquiries within 5 business days.
Your Data Protection Rights Matter
Your privacy and data protection rights are fundamental to how we operate OpenSign. We are committed to:
- Transparency in how we collect and use your data
- Respect for your rights and choices
- Security in protecting your information
- Compliance with GDPR and all applicable data protection laws
- Continuous improvement of our privacy practices
Thank you for trusting OpenSign with your digital signage needs.
Last Reviewed: July 16, 2025
Next Review Date: July 16, 2026