Privacy Policy
Effective Date: July 16, 2025
Last Updated: July 16, 2025
⚠️ IMPORTANT LEGAL NOTICE - FOR INTERNAL REVIEW ONLY:
THIS PRIVACY POLICY IS NOT YET COMPLIANT FOR PUBLIC USE. Before publishing, you MUST:
- Form an LLC - You're currently operating as a sole proprietorship with no liability protection
- Add Physical Address - Required by GDPR, CCPA, and CAN-SPAM Act. Get a virtual mailbox service.
- Legal Review - Have an attorney review before going live
- Implement Cookie Consent Banner - Required for Google Analytics under GDPR/ePrivacy
- Set up Data Request Process - Systems to handle access/deletion requests
Estimated cost to fix: $500-1,500 (LLC formation + virtual mailbox + basic legal review)
DELETE THIS NOTICE BEFORE PUBLISHING
Our Commitment to Your Privacy
At OpenSign, we take your privacy seriously. We collect only the data necessary to provide you with our digital signage service, and we never sell your personal information to third parties. Your data is yours, and we're committed to protecting it with industry-leading security measures and transparent practices.
This commitment to privacy is fundamental to our values and how we operate.
Introduction
OpenSign ("we," "our," or "us") provides cloud-based digital signage software and services. This Privacy Policy explains:
- What information we collect and why
- How we use and protect your information
- Your rights and choices regarding your data
- How to contact us with privacy questions
This policy applies to all users of opensign.us and our related services, applications, and platforms.
By using OpenSign, you agree to the terms of this Privacy Policy. If you do not agree, please do not use our services.
Quick Summary
For those who want the key points:
- ✅ We collect only what's necessary to run our service
- ✅ We never sell your personal information
- ✅ We use trusted service providers (AWS, Stripe, Google) who are bound by strict agreements
- ✅ You can access, correct, or delete your data at any time
- ✅ We use encryption and security best practices
- ✅ We're transparent about our practices
Who We Are
OpenSign
⚠️ LEGAL ADDRESS REQUIRED - ADD BEFORE LAUNCH
North Carolina, USA
Email: support@opensign.us
Website: https://opensign.us
Note: We are currently in the process of establishing our legal entity structure. A complete physical mailing address will be provided before public launch to comply with GDPR, CCPA, and CAN-SPAM requirements.
Information We Collect
1. Information You Provide to Us
Account Information
When you create an account:
- Full name
- Email address
- Company name (optional)
- Password (encrypted using bcrypt and never stored in plain text)
- Profile picture (optional)
- Account preferences and settings
Billing Information
For paid subscriptions:
- Billing name and address
- Payment method information (processed securely by Stripe - we do NOT store full credit card numbers)
- Purchase history and transaction records
- Tax identification information (if applicable for business accounts)
Content and Communications
- Digital signage content you upload (images, videos, HTML, text)
- Display configurations and playlists
- Content scheduling information
- Communications with our support team (emails, support tickets)
- Feedback and survey responses (when you choose to provide them)
2. Information We Collect Automatically
Usage Data
- Features you use and how you interact with our service
- Pages viewed and navigation paths
- Time spent on different pages
- Frequency and duration of use
- Content creation and modification history
- Error logs and performance data
Device and Browser Information
- IP address
- Device type and operating system
- Browser type and version
- Screen resolution
- Language preferences
- Referring website URLs
- Time zone and location data (approximate, based on IP address)
Cookies and Tracking Technologies
We use cookies and similar technologies to:
- Keep you logged in
- Remember your preferences
- Analyze how our service is used (Google Analytics)
- Improve service performance
See our detailed Cookie Policy section below.
3. Information from Third Parties
We may receive information about you from:
- Stripe - Transaction status and billing information for payment processing
- Google - Basic profile information if you sign in with Google (name, email, profile picture)
- Facebook - Basic profile information if you sign in with Facebook (name, email, profile picture)
- Public sources - For business account verification purposes only
How We Use Your Information
We use your information for the following purposes:
Service Delivery (Legal Basis: Contract)
- Create and manage your account
- Authenticate your identity and prevent unauthorized access
- Process your subscriptions and payments through Stripe
- Store and deliver your digital signage content
- Display your content according to your schedules and playlists
- Provide customer support and respond to inquiries
- Troubleshoot technical issues and bugs
Service Improvement (Legal Basis: Legitimate Interest)
- Analyze usage patterns to improve features and performance
- Conduct research and development for new features
- Monitor service health and diagnose technical problems
- Optimize content delivery and display performance
- Conduct user experience testing and research
- Generate anonymized, aggregated statistics about service usage
Communication (Legal Basis: Contract & Consent)
- Send service-related notifications (account, security, technical updates)
- Respond to your questions and support requests
- Send billing and payment confirmations
- Provide product updates and important announcements
- Request feedback and conduct surveys (with your consent)
- Send promotional emails about new features and offers (only with your explicit consent)
Legal and Security (Legal Basis: Legal Obligation & Legitimate Interest)
- Comply with applicable laws and regulations (including tax and financial reporting)
- Respond to legal requests and prevent fraud
- Enforce our Terms of Service and End User License Agreement
- Protect our rights, property, and safety
- Detect and prevent security threats, abuse, and unauthorized access
- Maintain records required by law
Analytics and Research (Legal Basis: Legitimate Interest & Consent)
- Understand how users interact with our service (via Google Analytics)
- Measure feature adoption and engagement
- Identify areas for improvement
- Conduct market research (aggregated and anonymized)
You can opt out of marketing communications at any time by clicking "unsubscribe" in any marketing email or contacting support@opensign.us.
How We Share Your Information
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
We share your information only in the following limited circumstances:
Service Providers (Sub-Processors)
We work with trusted third-party companies that help us operate our service. These providers have access to your information only to perform specific tasks on our behalf and are obligated to protect it:
Cloud Infrastructure
- Amazon Web Services (AWS)
- Purpose: Hosting, data storage, content delivery, email services
- Location: US East (Northern Virginia) - us-east-1 region
- Services Used: AWS Amplify, Lambda, RDS PostgreSQL, S3, CloudFront, SES
- Data Stored: Account data, user content, application databases, backups
- Security: SOC 2, ISO 27001 certified, encryption at rest and in transit
Payment Processing
- Stripe, Inc.
- Purpose: Secure payment processing, subscription management, billing
- Location: United States (global operations)
- Data Shared: Billing name, email, payment method, transaction amounts
- Note: We do not store your full credit card information - Stripe handles this securely
- Compliance: PCI DSS Level 1 certified
- Privacy Policy: https://stripe.com/privacy
Analytics Services
- Google Analytics (Google LLC)
- Purpose: Website and application usage analytics
- Data Collected: Page views, session duration, user flows, device information
- Location: United States (global data centers)
- Data Retention: 26 months
- Anonymization: IP addresses are anonymized where possible
- Privacy Policy: https://policies.google.com/privacy
- Opt-out: You can opt out using Google's browser add-on or your account settings
Authentication Services
- Google Sign-In (Google LLC)
- Purpose: Social authentication option
- Data Received: Name, email address, profile picture (with your permission)
- Privacy Policy: https://policies.google.com/privacy
- Facebook Login (Meta Platforms, Inc.)
- Purpose: Social authentication option
- Data Received: Name, email address, profile picture (with your permission)
- Privacy Policy: https://www.facebook.com/privacy/policy/
Email Delivery
- Amazon Simple Email Service (AWS SES)
- Purpose: Send transactional emails, support communications, service notifications
- Location: US East (Northern Virginia)
- Data Shared: Email addresses, message content, delivery status
All service providers are carefully vetted and bound by contractual obligations to protect your data according to GDPR, CCPA, and other applicable regulations.
A complete, current list of our sub-processors is available upon request by contacting support@opensign.us.
Legal Requirements
We may disclose your information when required by law or in response to:
- Valid legal process (subpoenas, court orders, search warrants)
- Government or regulatory requests (with valid legal authority)
- Requests to protect our legal rights and safety
- Prevention of fraud, security threats, or illegal activity
- Emergency situations to protect personal safety
We will notify you of such requests when legally permitted, unless:
- Prohibited by law or court order
- The request involves imminent harm or emergency
- Notice would be counterproductive or futile
Business Transfers
If OpenSign is involved in a merger, acquisition, asset sale, or bankruptcy proceeding, your information may be transferred as part of that transaction. We will:
- Provide advance notice before your information is transferred
- Ensure the new entity is bound by this Privacy Policy or obtain your consent for a new policy
- Give you options regarding your data, including deletion before transfer (where feasible)
With Your Consent
We may share your information with third parties when you:
- Explicitly consent or direct us to do so
- Use integration features that require data sharing
- Participate in surveys or research (with identifying information only if consented)
Aggregated and Anonymized Data
We may share aggregated, anonymized data that cannot identify you personally for:
- Industry research and reports
- Service performance metrics and benchmarks
- General usage statistics
- Marketing materials (e.g., "OpenSign serves over X displays globally")
This data is processed to ensure it cannot be used to identify individual users.
Data Security
We implement comprehensive security measures to protect your data from unauthorized access, alteration, disclosure, or destruction:
Technical Safeguards
- Encryption:
- Data in transit: TLS 1.2+ encryption for all communications
- Data at rest: AES-256 encryption for databases and file storage
- Password storage: bcrypt hashing with individual salts
- Access Controls:
- Role-based access control (RBAC) with principle of least privilege
- Multi-factor authentication available for all accounts
- Administrative access requires MFA and is logged
- Authentication:
- Secure session management with automatic timeout
- OAuth 2.0 for social sign-in integrations
- API authentication using secure tokens
- Network Security:
- AWS security groups and network ACLs
- Web Application Firewall (WAF) for DDoS protection
- Intrusion detection and prevention systems
- Regular vulnerability scanning
- Application Security:
- Regular security audits and code reviews
- Automated security testing in CI/CD pipeline
- Dependency scanning for known vulnerabilities
- Input validation and output encoding to prevent injection attacks
- Monitoring and Logging:
- Real-time security monitoring and alerting
- Comprehensive audit logs of data access
- Automated anomaly detection
Organizational Safeguards
- Limited Access:
- Personal data accessible only on a need-to-know basis
- Separate development and production environments
- Data access is logged and monitored
- Employee Security:
- Security awareness training for all team members
- Background checks where applicable
- Confidentiality and non-disclosure agreements
- Vendor Management:
- Security assessments of all third-party providers
- Contractual data protection obligations
- Regular vendor compliance reviews
- Incident Response:
- Documented security incident response procedures
- Breach notification processes compliant with GDPR (72 hours) and state laws
- Regular tabletop exercises and response drills
- Policy and Compliance:
- Regular security policy reviews and updates
- Compliance monitoring for GDPR, CCPA, and other regulations
- Internal privacy impact assessments
Physical Safeguards
- AWS Data Centers:
- SOC 1, SOC 2, SOC 3 certified facilities
- ISO 27001 certified information security management
- Physical security with 24/7 monitoring
- Biometric access controls
- Environmental controls and redundancy
- Backups and Recovery:
- Automated daily backups with encryption
- Geographic redundancy across availability zones
- Tested disaster recovery procedures
- Point-in-time recovery capability (up to 35 days)
Your Responsibility
No system is 100% secure. While we use industry-standard practices and continuously work to improve security, we cannot guarantee absolute security.
You are responsible for:
- Keeping your password confidential and secure
- Using a strong, unique password
- Enabling multi-factor authentication (recommended)
- Logging out when using shared devices
- Reporting suspected security issues to support@opensign.us immediately
Data Retention
We retain your information only as long as necessary for the purposes outlined in this policy:
Active Accounts
Account and Profile Data:
- Retained while your account is active
- Includes: name, email, password, preferences, settings
Content Data:
- Retained until you delete it or close your account
- Includes: uploaded images, videos, playlists, display configurations
- You can delete content at any time from your account dashboard
Usage and Analytics Logs:
- Retained for 26 months for service improvement and troubleshooting
- Includes: feature usage, page views, session data
- Anonymized after 26 months if retained longer
Communication Records:
- Support tickets and emails: 3 years for quality assurance and dispute resolution
- Chat logs: 2 years
- Deleted upon request unless needed for ongoing legal matters
Billing and Transaction Records:
- Payment records: 7 years (required by tax and financial regulations)
- Subscription history: Duration of subscription plus 7 years
- Invoice copies: 7 years
Closed Accounts
Personal Data Deletion:
- Deleted within 90 days of account closure
- Includes: name, email, profile information, preferences
Content Data Deletion:
- Deleted within 30 days of account closure
- Includes: all uploaded content, playlists, display configurations
- Backups are overwritten according to backup rotation schedule (within 35 days)
Anonymized Data:
- Usage statistics may be retained indefinitely after anonymization
- Cannot be linked back to you personally
- Used for service improvement and research
Legal and Compliance Retention
Some data must be retained longer due to legal obligations:
- Tax and Financial Records: 7 years (IRS and state requirements)
- Litigation Hold: Duration of legal proceedings plus applicable statute of limitations
- Fraud Prevention: Records of fraudulent activity or terms violations may be retained to prevent repeat abuse
- Regulatory Compliance: As required by specific regulations
Early Deletion
You can request early deletion of your data at any time by:
- Deleting content through your account dashboard
- Closing your account (deletes personal data within 90 days)
- Contacting support@opensign.us with a deletion request
Note: We may retain certain data where we have a legal obligation, legitimate interest (e.g., fraud prevention), or need to resolve disputes.
Your Privacy Rights
Your rights vary by location, but generally include:
Universal Rights (All Users)
Right to Access
- Request a copy of your personal data
- Understand how we process your information
- Review what data we have collected about you
- How to exercise: Contact support@opensign.us or download from account settings
Right to Correction
- Update inaccurate information
- Complete incomplete data
- Correct errors in your profile
- How to exercise: Update directly in account settings or contact support@opensign.us
Right to Deletion
- Request deletion of your personal data
- Close your account and remove your information
- Note: Some data may be retained for legal compliance (see Data Retention section)
- How to exercise: Account settings > Close Account, or contact support@opensign.us
Right to Data Portability
- Receive your data in a portable format (JSON, CSV)
- Transfer your data to another service
- How to exercise: Account settings > Export Data, or request from support@opensign.us
Right to Opt-Out
- Unsubscribe from marketing emails
- Disable optional cookies and analytics
- Object to certain types of data processing
- How to exercise: Click "unsubscribe" in emails, adjust cookie preferences, or contact us
GDPR Rights (EU/EEA Users)
If you're in the European Union or European Economic Area, you have additional rights under GDPR:
Right to Restrict Processing
- Limit how we use your data in certain circumstances
- When you contest accuracy, processing is unlawful, or you've objected to processing
Right to Object
- Object to processing based on legitimate interests
- Object to direct marketing (we will always comply immediately)
- Object to automated decision-making and profiling
Right to Withdraw Consent
- Withdraw consent for processing at any time
- Does not affect lawfulness of processing before withdrawal
- We will stop processing unless we have another legal basis
Right to Lodge a Complaint
- File a complaint with your data protection supervisory authority
- We encourage you to contact us first so we can address your concerns
EU Supervisory Authorities: Find your local authority at https://edpb.europa.eu/about-edpb/board/members_en
See our full GDPR Compliance page for detailed information on your European privacy rights.
California Rights (CCPA/CPRA)
If you're a California resident, you have the right to:
Right to Know
- What personal information we collect about you
- Categories of sources from which we collect information
- Business purposes for collecting information
- Categories of third parties with whom we share information
Right to Access
- Request a copy of your personal information (up to twice per year, free of charge)
- Specific pieces of information we've collected
Right to Delete
- Request deletion of your personal information
- Exceptions: Legal obligations, fraud prevention, security, ongoing transactions
Right to Correct
- Request correction of inaccurate personal information
- Update outdated information
Right to Opt-Out of Sale/Sharing
- We do not sell your personal information
- We do not share your information for cross-context behavioral advertising
- If this changes, we will provide a "Do Not Sell or Share My Personal Information" link
Right to Limit Use of Sensitive Personal Information
- We do not use sensitive personal information for purposes other than providing services
- Sensitive information includes: precise geolocation, racial/ethnic origin, health data
Right to Non-Discrimination
- Exercise your rights without discriminatory treatment
- We will not deny services, charge different prices, or provide different service levels
California Shine the Light Law: California residents can request information about third-party disclosure for marketing purposes. We do not share personal information with third parties for their direct marketing purposes.
California Privacy Rights for Minors: If you're under 18 and a California resident, you can request removal of content you posted. Contact support@opensign.us.
Other US State Rights
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with comprehensive privacy laws have similar rights to California residents:
- Right to access personal information
- Right to correct inaccurate information
- Right to delete personal information
- Right to data portability
- Right to opt out of targeted advertising (we don't engage in this)
- Right to opt out of sale of personal information (we don't sell data)
Contact support@opensign.us to exercise these rights.
Exercising Your Rights
To exercise any privacy rights:
How to Submit a Request
Email: support@opensign.us
Subject: "Privacy Request - Type of Request"
Examples: "Privacy Request - Data Access", "Privacy Request - Account Deletion"
Include in your request:
- Your full name
- Email address associated with your account
- Specific request details (what you want to access/delete/correct)
- Verification information (we may ask security questions to verify your identity)
- State/country of residence (helps us apply correct laws)
Response Timeline
GDPR (EU/EEA Users):
- Initial response: Within 1 month
- Extension: Up to 2 additional months for complex requests (we'll notify you)
- We'll explain if we cannot fulfill your request
CCPA (California Users):
- Response: Within 45 days
- Extension: Up to 45 additional days if necessary (we'll notify you within the first 45 days)
Other Jurisdictions:
- Response: Within 30-45 days depending on applicable law
- We aim to respond to all requests within 5 business days with a status update
Identity Verification
To protect your privacy and prevent unauthorized access:
- We may request additional information to verify your identity
- This may include answering security questions or providing account details
- We will not fulfill requests we cannot verify
No Fee
We do not charge a fee for processing privacy requests unless:
- The request is manifestly unfounded or excessive
- You request multiple copies of the same information
- In such cases, we may charge a reasonable administrative fee or decline the request
Authorized Agents
California and other state residents can designate an authorized agent to submit requests on their behalf:
- Provide written authorization signed by you
- Agent must provide proof of authorization
- We may still require you to verify your identity directly
International Data Transfers
OpenSign is based in the United States. If you access our service from outside the US, your data will be transferred to and processed in the United States.
Data Transfer Locations
Your data may be transferred to and processed in:
Primary Location:
- United States (AWS us-east-1 - Northern Virginia)
Service Provider Locations:
- United States (Stripe, Google Analytics, AWS SES)
- May be processed globally where service providers operate data centers
Protections for International Transfers
For EU/EEA Users (GDPR Articles 44-49):
We protect your data during international transfers through:
1. Standard Contractual Clauses (SCCs)
- We use European Commission-approved Standard Contractual Clauses with our US-based service providers
- These provide contractual guarantees for data protection equivalent to EU standards
- SCCs are supplemented with additional safeguards
2. AWS Data Protection
- AWS provides GDPR-compliant data processing agreements
- Includes Standard Contractual Clauses for EU-US transfers
- Subject to regular audits and certifications
3. Additional Safeguards
- Encryption in transit and at rest (AES-256)
- Access controls limiting who can access EU user data
- Data minimization practices
- Regular security assessments
4. Transfer Impact Assessments (TIAs)
- We conduct assessments of US law and practices
- Ensure level of protection essentially equivalent to EU
- Monitor legal developments (e.g., Schrems II implications)
5. EU-US Data Privacy Framework
- Some of our service providers participate in the EU-US Data Privacy Framework
- This provides an adequacy mechanism for certain transfers
- Framework offers redress mechanisms for EU individuals
For UK Users:
- UK GDPR applies similar protections as EU GDPR
- We use UK-approved International Data Transfer Agreements (IDTAs)
- UK adequacy decisions apply where relevant
For All International Users:
- Contractual data protection obligations with all processors
- Regular compliance monitoring
- Commitment to data protection regardless of location
Your Transfer Rights
You have the right to:
- Request information about safeguards for your data transfers
- Object to transfers in certain circumstances
- Receive a copy of applicable Standard Contractual Clauses
Contact support@opensign.us for more information about international data transfer safeguards.
Cookies and Tracking Technologies
What Are Cookies?
Cookies are small text files stored on your device when you visit our website or use our application. They help us provide and improve our service.
Types of Cookies We Use
We use four categories of cookies:
1. Strictly Necessary Cookies
Purpose: Essential for service operation
Duration: Session cookies (deleted when you close browser) or up to 1 year
Can be disabled: No - service won't work without them
Legal basis: Necessary for contract performance
These cookies:
- Keep you logged in to your account
- Remember your authentication state
- Maintain security and prevent CSRF attacks
- Store essential preferences for service functionality
- Enable core features like content management
Examples:
- session_id - Maintains your login session
- csrf_token - Prevents cross-site request forgery
- auth_state - Remembers authentication status
2. Functional Cookies
Purpose: Remember your preferences and enhance functionality
Duration: Up to 1 year
Can be disabled: Yes (but may affect user experience)
Legal basis: Legitimate interest (you can object)
These cookies:
- Remember your language preference
- Store your display and theme preferences
- Remember your region and timezone
- Save recently used features for quick access
- Store UI customization choices
Examples:
- user_language - Remembers preferred language
- theme_preference - Dark mode / light mode choice
- timezone - Your timezone setting
3. Analytics Cookies
Purpose: Understand how you use our service
Duration: Up to 26 months
Can be disabled: Yes (required by law)
Legal basis: Consent (GDPR), legitimate interest where permitted
We use Google Analytics to collect:
- Page views and navigation patterns
- Time spent on pages and features
- Device and browser information
- Referring websites
- User flow through the application
- Feature adoption rates
- Error and performance metrics
Google Analytics Cookies:
- _ga - Distinguishes users
- _gid - Distinguishes users (24-hour expiration)
- _gat - Throttles request rate
Privacy Protections:
- IP addresses are anonymized where possible
- Data is aggregated and used only for service improvement
- You can opt out at any time
- Google Analytics privacy policy: https://policies.google.com/privacy
Opt-out options:
- Disable in your OpenSign account settings
- Use Google's browser opt-out add-on: https://tools.google.com/dlpage/gaoptout
- Use browser "Do Not Track" settings (we honor DNT signals)
4. Authentication Service Cookies
Purpose: Enable social sign-in (Google, Facebook)
Duration: Varies by provider
Can be disabled: Yes (use email/password instead)
Legal basis: Consent when you choose social sign-in
When you use Google or Facebook sign-in:
- These services set their own cookies
- Used for authentication and security
- Governed by their respective privacy policies
- Google Privacy Policy: https://policies.google.com/privacy
- Facebook Privacy Policy: https://www.facebook.com/privacy/policy/
We do not use:
- Third-party advertising cookies
- Cross-site tracking cookies
- Marketing cookies (except with explicit consent)
- Social media tracking pixels
Managing Cookies
You have multiple options to control cookies:
1. Cookie Consent Banner
When you first visit OpenSign, you'll see a cookie consent banner where you can:
- Accept all cookies
- Accept only necessary cookies
- Customize your preferences by category
Your choice is remembered for 12 months.
2. Account Settings
Logged-in users can manage cookie preferences at:
- Account Settings > Privacy > Cookie Preferences
- Toggle analytics cookies on/off
- Changes apply immediately
3. Browser Settings
All modern browsers allow you to:
Chrome: Settings > Privacy and Security > Cookies and other site data
Firefox: Settings > Privacy & Security > Cookies and Site Data
Safari: Preferences > Privacy > Manage Website Data
Edge: Settings > Privacy, search, and services > Cookies
You can:
- Block all cookies (may break site functionality)
- Block third-party cookies only (recommended)
- Delete existing cookies
- Set preferences per-site
4. Browser Privacy Features
Do Not Track (DNT):
- We plan to honor DNT browser signals
- When DNT is enabled, we will not use analytics cookies
- Only strictly necessary cookies will be set
Incognito/Private Browsing:
- Cookies are automatically deleted when you close the window
- Your OpenSign session will end
- No persistent cookies remain
Other Tracking Technologies
Local Storage:
- We use HTML5 local storage to cache application data
- Improves performance and offline functionality
- Can be cleared through browser settings
Session Storage:
- Temporary storage cleared when you close the browser
- Used for in-session state management
Pixels/Web Beacons:
- We do not currently use tracking pixels
- Email tracking pixels may be used in support communications only (to confirm delivery)
Third-Party Cookies
We do not allow third-party advertising cookies on our site.
Third-party cookies may be set by:
- Google Analytics - Analytics cookies (can be disabled)
- Stripe - Payment processing cookies (necessary for checkout)
- Google/Facebook - Authentication cookies (only if you use social sign-in)
These third parties have their own privacy policies governing their use of cookies.
Cookie Table
| Cookie Name | Type | Duration | Purpose |
|---|---|---|---|
| session_id | Necessary | Session | Maintains login session |
| csrf_token | Necessary | Session | Security protection |
| user_language | Functional | 1 year | Language preference |
| theme_preference | Functional | 1 year | UI theme choice |
| _ga | Analytics | 2 years | Google Analytics user ID |
| _gid | Analytics | 24 hours | Google Analytics session ID |
| cookie_consent | Necessary | 1 year | Remembers your cookie preferences |
Complete cookie list available upon request: support@opensign.us
Children's Privacy
OpenSign is not directed to children and we do not knowingly collect personal information from children.
Age Requirements
United States (COPPA):
- Our service is not intended for children under 13 years of age
- We do not knowingly collect personal information from children under 13
- Parental consent required for children under 13
European Union (GDPR):
- Our service is not intended for children under 16 years of age without parental consent
- Each EU member state may set a lower age (13-16)
- Parental authorization required for children under applicable age
General Policy:
- Account registration requires users to confirm they meet age requirements
- We do not knowingly process data of children without appropriate consent
If We Learn of Child Data Collection
If we become aware that we have collected personal information from a child without appropriate consent, we will:
- Immediately suspend the account
- Delete all personal information within 30 days
- Remove all user-generated content
- Notify the account creator (if contact information is available)
- Document the incident for compliance purposes
Educational Use
If educational institutions wish to use OpenSign for legitimate educational purposes with students who are minors:
- The institution must obtain appropriate parental consent
- Institution acts as the data controller (we are the processor)
- A Data Processing Agreement is required
- Institution is responsible for COPPA/FERPA compliance
Contact support@opensign.us to discuss educational use cases.
Parents and Guardians
If you believe we have collected information from a child under the applicable age without proper consent:
Contact us immediately:
- Email: support@opensign.us
- Subject: "Child Privacy Concern"
- Include: Details about the account and your relationship to the child
We take child privacy extremely seriously and will investigate and respond promptly.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
- Changes in our data practices
- New legal requirements or regulations
- Service updates and new features
- User feedback and best practices
- Changes to third-party services we use
How We Notify You of Changes
Material Changes:
When changes significantly affect your rights or how we use your data, we will provide:
- Email notification to your registered email address
- Prominent banner on our website and in the application
- In-app notification when you next log in
- 30 days' advance notice before changes take effect (where possible)
Material changes include:
- New purposes for data processing
- New categories of personal data collected
- Changes to data retention periods
- New third-party data sharing
- Changes to international data transfers
- Reduction in your privacy rights
Minor Changes:
For non-material changes (clarifications, formatting, additional examples):
- Updated "Last Updated" date at the top of this policy
- Notice on our website
- Available for review in your account dashboard
Your Options
If you agree with the changes:
- Continue using OpenSign normally
- Your continued use constitutes acceptance
If you disagree with the changes:
- You may close your account before changes take effect
- Contact us with concerns: support@opensign.us
- We'll work with you to address concerns where possible
Policy Version History
We maintain records of previous policy versions:
- Previous versions available upon request
- Change logs document what was modified
- Effective dates for each version
To request previous versions: Contact support@opensign.us
Regular Reviews
We review this Privacy Policy:
- Annually as a standard practice
- When laws or regulations change
- When we update our data practices
- When we receive significant user feedback
Last Review Date: July 16, 2025
Next Scheduled Review: January 16, 2026
Contact Us
Privacy Questions and Requests
For any questions about this Privacy Policy, our data practices, or to exercise your privacy rights:
General Privacy Inquiries:
- Email: support@opensign.us
- Subject Line: "Privacy Policy Inquiry"
- Response Time: We aim to respond within 5 business days
Privacy Rights Requests:
- Email: support@opensign.us
- Subject: "Privacy Request - Request Type"
- Response Time: See "Exercising Your Rights" section above
Physical Mail:
OpenSign
⚠️ PHYSICAL ADDRESS REQUIRED - ADD BEFORE LAUNCH
North Carolina, USA
Note: A complete physical mailing address will be provided before public launch to comply with GDPR Article 13, CCPA requirements, and CAN-SPAM Act.
Data Protection Officer
OpenSign is not currently required to appoint a Data Protection Officer under GDPR Article 37, as we:
- Do not engage in large-scale processing of special categories of data
- Do not engage in large-scale systematic monitoring
- Are not a public authority
All data protection inquiries should be directed to:
- Email: support@opensign.us
- We treat data protection matters with highest priority
If our business grows to require a DPO, we will update this policy with contact information.
For Business/Enterprise Customers
If you're a business customer using OpenSign to process personal data of your end-users:
Data Processing Agreements (DPAs):
- Email: support@opensign.us
- Subject: "DPA Request"
- We'll provide our standard DPA including Standard Contractual Clauses
Security Questionnaires:
- We're happy to complete security questionnaires
- Allow 10 business days for completion
- Contact: support@opensign.us
Supervisory Authorities
EU/EEA Users
You have the right to lodge a complaint with your data protection supervisory authority if you believe we have not complied with privacy regulations.
We encourage you to contact us first so we can address your concerns, but you have the right to contact authorities at any time.
Find your supervisory authority: https://edpb.europa.eu/about-edpb/board/members_en
Since OpenSign does not have an EU establishment, we have not yet designated a lead supervisory authority. Upon achieving significant EU operations, we will designate one according to GDPR Article 56.
California Users
You may contact the California Attorney General regarding privacy complaints:
California Attorney General
Privacy Enforcement
https://oag.ca.gov/contact/consumer-complaint-against-business-or-company
(916) 210-6276
Other Jurisdictions
Contact your local or state consumer protection agency or attorney general's office for privacy-related complaints in your jurisdiction.
Transparency and Accountability
Our Commitments to You
At OpenSign, we are committed to:
✅ Privacy by Design
- Privacy is built into every feature from the start
- Data minimization in all systems
- Security as a core requirement, not an afterthought
✅ Data Minimization
- We collect only what's necessary to provide our service
- No unnecessary data collection for future "potential" uses
- Regular audits to ensure we're not over-collecting
✅ Transparency
- Clear, honest communication about our data practices
- Plain language explanations (not just legal jargon)
- Proactive disclosure of changes and incidents
✅ Security First
- Industry-leading security measures
- Regular security audits and testing
- Encryption everywhere, by default
✅ Your Control
- You own your data and control how it's used
- Easy access to your data at any time
- Simple processes to correct or delete your data
✅ Accountability
- Regular privacy impact assessments
- Compliance monitoring and audits
- Documented privacy program with clear responsibilities
✅ Continuous Improvement
- We actively seek feedback on our privacy practices
- Regular reviews of privacy policies and procedures
- Staying current with privacy regulations and best practices
Data Protection Impact Assessments (DPIAs)
We conduct privacy impact assessments for:
- New features that process personal data
- Changes to data processing activities
- Introduction of new technologies
- High-risk processing activities
Records of Processing Activities
In accordance with GDPR Article 30, we maintain comprehensive records of our data processing activities, including:
- Categories of processing and purposes
- Categories of data subjects and personal data
- Categories of recipients (service providers)
- International data transfers and safeguards
- Retention periods and security measures
These records are available to supervisory authorities upon request.
Transparency Reports
We plan to publish annual transparency reports (when we have sufficient data to report) that will include:
- Number of government/law enforcement requests for user data
- Types of requests (subpoenas, court orders, etc.)
- Number of accounts affected
- Number of requests challenged or rejected
- Requests granted in full, in part, or denied
- Average response time
Reports will be available at: opensign.us/transparency (when available)
Third-Party Audits and Certifications
Current status: We do not yet hold formal security certifications.
Future plans: As we grow, we plan to obtain:
- SOC 2 Type II certification (security and availability)
- ISO 27001 information security management
- Privacy Shield or successor framework certifications (if applicable)
Current practices: We follow industry best practices based on these frameworks even without formal certification.
Legal Compliance
This Privacy Policy is designed to comply with:
United States Federal Laws
- CAN-SPAM Act - Email marketing requirements
- COPPA - Children's Online Privacy Protection Act
- ECPA - Electronic Communications Privacy Act
- CFAA - Computer Fraud and Abuse Act
- FTC Act - Federal Trade Commission Act (unfair/deceptive practices)
US State Privacy Laws
- California - CCPA/CPRA (California Consumer Privacy Act / Privacy Rights Act)
- Virginia - VCDPA (Virginia Consumer Data Protection Act)
- Colorado - CPA (Colorado Privacy Act)
- Connecticut - CTDPA (Connecticut Data Privacy Act)
- Utah - UCPA (Utah Consumer Privacy Act)
- Other states - We monitor and comply with new state privacy laws as enacted
International Privacy Laws
- European Union - GDPR (General Data Protection Regulation)
- United Kingdom - UK GDPR and Data Protection Act 2018
- Switzerland - Federal Act on Data Protection (FADP)
- Canada - PIPEDA (Personal Information Protection and Electronic Documents Act)
- Brazil - LGPD (Lei Geral de Proteção de Dados)
Industry Standards
- PCI DSS - Payment Card Industry Data Security Standard (through Stripe)
- NIST Cybersecurity Framework - Security best practices
- OWASP - Web application security standards
Ongoing Compliance
We:
- Monitor regulatory developments in all jurisdictions where we operate
- Update our practices to remain compliant with new laws
- Conduct regular compliance assessments
- Work with legal counsel on complex compliance matters
- Maintain documentation to demonstrate compliance
Additional Information
For California Residents
California Privacy Rights Act (CPRA) Disclosures
Personal Information Categories We Collect:
| Category | Examples | Collected? | Business Purpose | Shared With |
|---|---|---|---|---|
| Identifiers | Name, email, IP address | Yes | Service delivery, security | AWS, Stripe, Google Analytics |
| Commercial Information | Purchase history, payments | Yes | Billing, subscriptions | Stripe |
| Internet Activity | Browsing, usage patterns | Yes | Service improvement | Google Analytics |
| Geolocation | Approximate location (IP-based) | Yes | Service delivery, analytics | AWS, Google Analytics |
| Professional Information | Company name (optional) | If provided | Service customization | None |
| Sensitive Personal Information | Account credentials (encrypted) | Yes | Authentication | AWS (encrypted storage) |
We do not collect:
- Social Security numbers
- Driver's license numbers
- Financial account numbers (handled by Stripe)
- Precise geolocation
- Racial or ethnic origin
- Health information
- Sexual orientation
- Citizenship or immigration status
Retention Periods:
- Account data: Duration of account + 90 days
- Usage data: 26 months
- Payment records: 7 years (legal requirement)
Sale or Sharing of Personal Information:
- We do NOT sell personal information
- We do NOT share for cross-context behavioral advertising
- Last 12 months: Zero sales or shares
Sensitive Personal Information:
- We collect account credentials (passwords) - stored encrypted
- Used only for authentication
- Not used for any other purpose
- You have the right to limit use (though this would prevent service use)
Automated Decision-Making
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects.
For Nevada Residents
Under Nevada SB 220, Nevada residents may opt out of the "sale" of personal information.
We do not sell personal information as defined by Nevada law and have not done so in the past 12 months.
If this changes in the future, we will:
- Update this Privacy Policy
- Provide an opt-out mechanism
- Honor all opt-out requests
For Virginia, Colorado, Connecticut, and Utah Residents
You have rights similar to California residents under your state's privacy laws:
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA):
- Right to access personal information
- Right to correct inaccurate information
- Right to delete personal information
- Right to data portability
- Right to opt out of targeted advertising (we don't engage in this)
- Right to opt out of sale of personal information (we don't sell)
- Right to opt out of profiling (we don't engage in this)
To exercise rights: Contact support@opensign.us with "Privacy Request - Your State" in subject line.
Appeals Process: If we deny your request, you can appeal by replying to our response with "Appeal" in the subject line. We'll respond within the timeframe required by your state's law.
For Canadian Residents (PIPEDA)
If you're in Canada, you have rights under PIPEDA (Personal Information Protection and Electronic Documents Act):
- Right to access your personal information
- Right to correct inaccurate information
- Right to withdraw consent
- Right to challenge our compliance
- Right to file a complaint with the Privacy Commissioner of Canada
Contact: support@opensign.us
Privacy Commissioner of Canada: https://www.priv.gc.ca
For Brazilian Residents (LGPD)
If you're in Brazil, you have rights under LGPD (Lei Geral de Proteção de Dados):
- Right to confirmation of processing
- Right to access your data
- Right to correct incomplete or inaccurate data
- Right to anonymization, blocking, or deletion
- Right to data portability
- Right to withdraw consent
- Right to information about public/private data sharing
- Right to oppose processing
Contact: support@opensign.us
Subject: "LGPD Request"
Accessibility
We are committed to making our Privacy Policy accessible to everyone.
Current format: Web-based HTML with semantic structure
If you need this policy in an alternative format:
- Large print
- Screen reader optimized
- Different language
- Plain language summary
Contact us: support@opensign.us with "Accessibility Request" in subject line
We will provide the requested format within 10 business days at no charge.
Language
This Privacy Policy is written in English. If translated into other languages, the English version prevails in case of conflicts.
Summary: Your Privacy Matters
Your privacy is not just a policy for us—it's a fundamental principle that guides everything we do at OpenSign.
What This Means in Practice:
🔒 Your Data is Secure
- Military-grade encryption (AES-256)
- Regular security audits and testing
- AWS enterprise-level infrastructure
👤 You're in Control
- Access your data anytime
- Delete your account and data easily
- Export your content in portable formats
🚫 We Never Sell Your Data
- Zero sales to advertisers or data brokers
- No hidden monetization of your information
- Trusted service providers only (AWS, Stripe, Google)
📋 Complete Transparency
- Plain language explanations
- Clear disclosure of data practices
- No hidden tracking or data collection
✅ Legal Compliance
- GDPR, CCPA, and all applicable privacy laws
- Regular compliance monitoring
- Documentation and accountability
💬 We're Here to Help
- Responsive privacy support team
- Clear processes for exercising rights
- Commitment to addressing concerns
Our Privacy Philosophy
At OpenSign, we believe:
- Privacy is a fundamental human right, not a premium feature
- Transparency builds trust, and trust is everything
- Security isn't optional—it's essential
- You should own and control your data
- Compliance is a minimum standard, not a goal
Thank You
Thank you for trusting OpenSign with your digital signage needs. Your privacy and security are our highest priorities, and we're committed to earning that trust every day.
If you have any questions, concerns, or feedback about our privacy practices, we genuinely want to hear from you at support@opensign.us.
Last Reviewed: July 16, 2025
Next Scheduled Review: January 16, 2026
Policy Version: 2.0
Document Status: ⚠️ DRAFT - Not Yet Compliant for Public Launch
Required Actions Before Publishing: See legal notice at top of document