Privacy Policy

Last updated 28 May 2026

Introduction

This Privacy Policy describes how ContractSign ("we", "us", "our"), operated by Happenings Group A/S (CVR 40979956), collects, uses, and protects personal data when you use our digital contract signing platform at contractsign.net.

We are committed to protecting your privacy and handling your data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Danish data protection law.

Data controller

Happenings Group A/S is the data controller for data we collect to provide and operate the ContractSign platform (account data, billing data, analytics).

For contract content and signer data uploaded by our customers, the customer (workspace owner) acts as the data controller and ContractSign acts as the data processor. The terms of this processing are governed by our Data Processing Agreement (DPA).

Data we collect

Account data

When you create an account, we collect your full name, email address, and a hashed password. If you register a company, we also collect company name, registration number (CVR), VAT number, and address.

Contract data

Contracts created within the platform, including titles, content, template data, parties, fields, and uploaded attachments.

Signing & identity data

When signing documents, we collect the signer's name, email, phone number, IP address, user agent, the method used (SMS OTP, MitID), and a timestamp of the signature event.

Audit trail data

Every significant action generates an audit record, including timestamps, IP addresses, user agents, and event descriptions. Audit data provides legal evidence of the signing process.

Usage & analytics data

We collect page views, feature usage patterns, and technical information such as browser type and screen resolution to improve the platform.

Billing data

Payment processing is handled by Stripe. We store your plan type and subscription status. We do not store credit card numbers or full payment details on our servers.

How we use your data

  • Providing and operating the contract signing service
  • Authenticating users and managing sessions
  • Sending transactional notifications (email, SMS) related to signing requests
  • Generating legally binding audit trails for signed documents
  • Processing payments and managing subscriptions
  • Improving the platform through aggregated analytics
  • Responding to support requests and communications
  • Complying with legal obligations

Data sharing

We do not sell personal data to third parties. We share data only with the following categories of service providers, all acting as processors under GDPR:

  • Cloudflare — hosting, CDN, R2 object storage, Workers compute
  • Neon — PostgreSQL database hosting
  • SendGrid (Twilio) — transactional email delivery
  • Twilio — SMS delivery for OTP verification
  • Stripe — payment processing
  • Google Analytics — anonymised web analytics

Each provider processes data only as instructed by us and is bound by data processing agreements.

Data storage & security

Data is primarily stored in the European Union. Our database is hosted on Neon (EU region) and files are stored in Cloudflare R2.

We implement appropriate technical and organizational measures to protect your data, including encrypted transport (TLS), authenticated access, organization-level data isolation, hashed passwords (bcrypt), and audit logging.

Data retention

We retain your data for as long as your account is active or as needed to provide the service. Specific retention periods:

  • Account data: retained until account deletion, then removed within 30 days
  • Contract data: retained until explicitly deleted by the workspace owner
  • Audit trail data: retained for a minimum of 5 years to support legal validity of signed documents
  • Analytics data: anonymised and retained for up to 26 months
  • Billing data: retained as required by Danish bookkeeping law (5 years)

Your rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — request correction of inaccurate personal data
  • Right to erasure — request deletion of your personal data (subject to legal retention requirements)
  • Right to restrict processing — request that we limit how we use your data
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at privacy@contractsign.net. We will respond within 30 days.

You also have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet) at datatilsynet.dk.

Children's privacy

ContractSign is a business-to-business service and is not directed at children under the age of 16. We do not knowingly collect personal data from children.

International transfers

While we primarily store data in the EU, some of our sub-processors may process data outside the EEA. In such cases, we ensure appropriate safeguards are in place, such as EU Standard Contractual Clauses (SCCs) or an adequacy decision by the European Commission.

Updates to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice within the platform. We encourage you to review this page periodically.

Contact

For questions about this Privacy Policy or to exercise your data protection rights, contact us at privacy@contractsign.net.

Happenings Group A/S, Klostergade 56B, St., 8000 Aarhus C, Denmark.