Legal
Last updated: May 21, 2026
Note: This English translation is provided for convenience. In the event of any discrepancy between the German and English versions, the German version shall prevail.
Table of contents
Controller
Overview
Visit to Our Website (signivo.io)
Use of Our Product (app.signivo.io)
Microsoft 365 Integration
Platform API Data Use Declarations
Data Security
Processors and Third-Party Providers (Sub-Processors)
Data Retention and Deletion
Third-Country Transfers
Your Rights
Revocation of Platform Access
Changes to this Privacy Policy
MonsJovis Holding UG (haftungsbeschränkt)
c/o Aurich
Eichenallee 37
14050 Berlin, Germany
Commercial register: Charlottenburg Local Court (Amtsgericht Charlottenburg), HRB 214851 B
Managing Director: Markus Aurich
Email: hello@signivo.io
Telephone: +43 681 81627408
The appointment of a data protection officer is not required by law.
This privacy policy informs you about how Signivo (hereinafter "we", "us", or "Signivo") processes personal data, both during visits to our website signivo.io and during use of our SaaS product at app.signivo.io.
Signivo is a cloud-based service for the central management, deployment, and updating of email signatures for Google Workspace and Microsoft 365. We process your data exclusively on the basis of applicable data protection laws, in particular the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
Within the scope of the product, Signivo takes on different data protection roles:
For the website, the administration of user accounts, and support communications, Signivo acts as an independent controller within the meaning of Art. 4 No. 7 GDPR.
For the processing of employee and directory data of the customer in the course of email signature management, Signivo acts as a processor within the meaning of Art. 28 GDPR. The customer (the company using Signivo) is in this case the controller within the meaning of data protection law for the data of its employees. The details of this processing on behalf of the controller are governed by a separate data processing agreement (DPA) between Signivo and the customer.
Our website is hosted by Webflow, Inc. (398 11th Street, Floor 2, San Francisco, CA 94103, USA). When our website is accessed, technical access data (IP address, browser type, operating system, time of access, page accessed) are automatically transmitted to Webflow's servers. These data are technically necessary for the delivery of the website.
Webflow is certified under the EU-U.S. Data Privacy Framework (DPF); the transfer to the USA is therefore carried out on the basis of the adequacy decision pursuant to Art. 45 GDPR. As a supplementary measure, Standard Contractual Clauses (SCC) pursuant to Art. 46 (2) (c) GDPR have been concluded. A data processing addendum has been concluded with Webflow.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in providing the website).
Our website uses cookies. Technically necessary cookies ensure basic functionality and are set without consent. For all other cookies (analytics, marketing), we obtain your consent via our consent management tool Cookiebot (Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark).
You can adjust or withdraw your cookie settings at any time via the corresponding link in the footer of our website.
Legal basis for necessary cookies: Art. 6 (1) (f) GDPR.
Legal basis for all other cookies: Art. 6 (1) (a) GDPR (consent).
We use Google Analytics 4 (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland) to analyse user behaviour on our website. IP anonymisation is enabled. Data are retained for 14 months.
Google LLC is certified under the EU-U.S. Data Privacy Framework (DPF); the transfer to the USA is carried out on the basis of the adequacy decision pursuant to Art. 45 GDPR.
Legal basis: Art. 6 (1) (a) GDPR (consent via the consent banner).
We use Google Ads conversion tracking (Google Ireland Ltd.) to measure the effectiveness of our advertising. In this context, cookies are set and data such as IP address, browser information, and referrer URL are transmitted to Google. The transfer to the USA is carried out on the basis of Google's DPF certification (adequacy decision pursuant to Art. 45 GDPR).
Legal basis: Art. 6 (1) (a) GDPR (consent via the consent banner).
We use the LinkedIn Insight Tag (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) to analyse our advertising campaigns. In this context, browser data, IP address, and page views are recorded. A joint controllership arrangement pursuant to Art. 26 GDPR is in place between Signivo and LinkedIn. The essential contents of this arrangement are available via the LinkedIn page "Legal Agreements for Marketing Solutions".
LinkedIn Corporation is certified under the EU-U.S. Data Privacy Framework (DPF); the transfer to the USA is carried out on the basis of the adequacy decision pursuant to Art. 45 GDPR.
Legal basis: Art. 6 (1) (a) GDPR (consent via the consent banner).
For the analysis of the use of our website, we additionally use PostHog (PostHog, Inc., EU instance at eu.i.posthog.com); the integration of PostHog within the product is documented in Section 4.6. Tracking requests are technically routed through the Signivo subdomain b.signivo.io and from there forwarded to PostHog's servers in the EU (reverse proxy). This serves exclusively technical purposes (avoidance of ad blockers, consistent presentation under signivo.io) and changes neither the purpose nor the recipient of the processing.
Pseudonymised usage data for reach and behaviour analytics are recorded (anonymised visitor IDs, page views, click events, referrer, truncated IP address, technical browser and device information). Session replays are not used on the website.
PostHog tracking functionality is enabled exclusively after prior consent of the user via the consent management tool (see Section 3.2). Prior to consent being granted, no tracking requests are sent to b.signivo.io or PostHog.
Legal basis: Art. 6 (1) (a) GDPR (consent), as well as § 25 (1) TDDDG (consent for access to terminal equipment information).
On our website we embed videos from YouTube (Google Ireland Ltd.) in the extended privacy mode (youtube-nocookie.com). In this mode, cookies are only set and data (IP address, device information) are only transmitted to YouTube/Google when a video is played.
Legal basis: Art. 6 (1) (a) GDPR (consent via the consent banner).
On our website, you can sign up for our newsletter. In doing so, we collect your email address. Sign-up is performed using a double opt-in process: after entering your email address, you receive a confirmation email and are only added to the mailing list after clicking the confirmation link.
The newsletter is dispatched via Brevo (Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany). Brevo processes your email address exclusively in the EU on our behalf.
Legal basis: Art. 6 (1) (a) GDPR (consent). You may withdraw your consent at any time via the unsubscribe link in any newsletter email.
Upon registration, we collect your email address and, if you choose to register by email and password, a password defined by you that is stored exclusively in hashed form. Alternatively, you may sign in via Google OAuth or Microsoft Entra ID, in which case we receive your email address from the respective identity provider.
Upon conclusion of the user agreement (click-to-accept), we additionally record the time of acceptance, the version of the agreement accepted, the account ID, and the IP address as evidence of the conclusion of the contract.
Legal basis: Art. 6 (1) (b) GDPR (performance of the contract) for the email address and the password or Google OAuth sign-in; Art. 6 (1) (f) GDPR (legitimate interest in evidence of conclusion of the contract) for the contract-conclusion log.
We store information about workspace membership (role as Owner, Admin, or Member), timestamps (creation, last modified), and invitation data (email of the invitee, inviting person).
Legal basis: Art. 6 (1) (b) GDPR (performance of the contract).
When your organisation's administrator connects Google Workspace with Signivo, the administrator grants Signivo a set of read-only permissions on the workspace directory and limited write access on Gmail signature settings. Signivo uses these permissions to read the directory data for populating personalised signatures, to manage signatures centrally, and to deploy them to the mailboxes of workspace users.
https://www.googleapis.com/auth/admin.directory.user.readonly - Read access to the tenant's user directory. Per user, the following are read: first and last name, email address, job title, department, telephone number(s) including mobile number, profile picture URL, address (formatted primary address), website URL, manager email address, and assignment to organisational units (OU path). Operational account metadata (suspended, archived, creationTime, lastLoginTime) are read in order to exclude inactive accounts from synchronisation. Custom attributes (customSchemas) defined by the workspace administrator in the Google admin directory are read exclusively in respect of a previously maintained Signivo allowlist of signature-relevant schemas and are made available as signature variables; without an allowlist, custom schemas are not requested. At API level, Signivo requests only the fields listed above via an explicit fields= filter. These data serve to populate the signature fields and as the basis for assignment rules. The scope is restricted to pure read access; users cannot be created, modified, or deleted.
https://www.googleapis.com/auth/admin.directory.group.readonly - Read access to the group list, group metadata, and group memberships (Admin SDK groups.list/get and members.list). Per group, the following are read: unique ID, email address, display name, description, number of direct members, and the admin-created flag. Per group member, the following are read: member ID and email address. At API level, Signivo requests only the fields listed above via an explicit fields= filter. These data serve administrative group targeting for signatures (e.g. a separate signature for the "Sales" group) and are held short-term in memory; they are not persistently stored in the Signivo database. The scope is restricted to pure read access; groups and memberships cannot be created, modified, or deleted.
https://www.googleapis.com/auth/admin.directory.orgunit.readonly - Read access to the tenant's hierarchy of organisational units (OUs). Per OU, the following are read: unique ID, display name, OU path, parent path, and description. These data serve exclusively to render an OU tree as a selection aid in the Signivo console when configuring administrative signature assignments (e.g. a separate signature for the "Customer Success" OU). The OU hierarchy is held short-term in memory and is not persistently stored in the Signivo database; the actual resolution of OU assignments to individual users is subsequently effected via the OU path stored on the respective user record (see admin.directory.user.readonly). The scope is restricted to pure read access; OUs cannot be created, modified, or deleted.
https://www.googleapis.com/auth/admin.directory.domain.readonly - Read access to the tenant's domains and domain aliases (Admin SDK domains.list and domainAliases.list). Per domain, the following are read: domain name, primary status, and verification status; per domain alias, additionally the name of the parent domain. These data are stored in a separate domain table in the Signivo database and updated on each synchronisation run; domains that are no longer verified or have been removed are automatically removed in the next synchronisation. Signivo uses these data so that signatures are correctly applied to all of a user's send-as addresses across all verified domains of the organisation; without this scope, signatures would only deploy correctly for the respective primary domain. The scope is restricted to pure read access; domains cannot be created, modified, or deleted.
https://www.googleapis.com/auth/userinfo.profile - Read access to the full display name of the connected administrator (for displaying the admin identity in the Signivo console and for identifying the acting administrator in audit logs), as well as to the profile picture URLs of the administrator and the synchronised workspace users (for display in the directory, in the signature editor, and in the console). Profile picture requests per workspace user are made in the background via the People API (people.get('people/me')) with domain-wide delegation impersonation. No further profile fields are read or stored. This is the minimum scope necessary for reading this profile information; broader profile access is not requested.
https://www.googleapis.com/auth/gmail.settings.basic - Narrowly scoped access to individual users' Gmail settings. With read access, only the user's send-as entries are listed (send-as email address, display name, primary/default flag, alias flag, verification status); this metadata is stored in the Signivo database in order to assign the correct sender addresses to the central signature and to display send-as configurations in the console. No HTML signatures are read from existing send-as configurations or stored; SMTP credentials are not accessible via this scope. With write access, only the signature HTML is set on existing send-as entries. There is no access to email contents, subject lines, metadata, attachments, mailboxes, filters, forwarding settings, out-of-office settings, IMAP/POP settings, or language settings; in particular, neither the reply address nor the SMTP configuration of individual send-as entries is modified.
https://www.googleapis.com/auth/gmail.settings.sharing - Narrowly scoped write access for creating send-as aliases for shared mailboxes and delegated sender addresses. Signivo uses this scope so that signatures can also be correctly configured for secondary sender addresses (e.g. support@, info@). Signivo uses this scope exclusively for send-as configurations and not for setting up, modifying, or reading forwarding rules, delegations, or any other Gmail sharing settings. The scope is restricted to send-as configuration and does not permit any access to email contents or other mailbox data.
For administrator sign-in to Signivo via Google OAuth, the following OpenID Connect scope is additionally used:
email - Read access to the primary Google email address of the connected administrator, as well as to the hosted-domain attribute (hd) provided by Google, which identifies the Google Workspace tenant domain. These data are required so that Signivo can associate the signed-in administrator with their workspace account, verify the existence of a Google Workspace tenant (private Gmail accounts are rejected), and store the tenant domain as a reference on the workspace. The email address and the hosted domain are stored in the Signivo database, in each case until the connection is disconnected or the workspace is deleted. The Google consent dialog additionally displays an OpenID Connect notice; this is triggered automatically by requesting the email scope and is not declared as a separate scope.
Signivo does not access email contents, subject lines, metadata or attachments, contacts, Google Drive files, calendar entries, or any other workspace data that do not serve email signature management. All directory scopes are read-only; write permissions exist exclusively on Gmail signature and send-as settings as described above. Signivo cannot create, modify, or delete users, groups, organisational units, or domains.
Directory data are stored in the PostgreSQL database of Signivo, which is operated on Google Cloud Platform in Frankfurt, Germany (europe-west3), without replication outside the European Union. Profile pictures are stored in Supabase Storage in Frankfurt. Google OAuth tokens are stored encrypted with AES-256-GCM (see Section 7).
Directory data are reconciled and overwritten with each synchronisation cycle with your Google Workspace tenant. No historical snapshots are stored. Upon termination of the contractual relationship, all directory data are deleted within 30 days in accordance with Section 9.
If your administrator disconnects the Google Workspace connection via the Signivo console, the synchronised directory data (domain records, profile pictures, send-as metadata, sync markers) and all fields associated with the Google integration (tokens, hosted domain, connected admin email address, sync status) are immediately and transactionally deleted from the Signivo database. Profile picture files are additionally removed from the associated object storage. If domain-wide delegation is revoked exclusively in the Google Admin Console without the administrator disconnecting the connection in Signivo, Signivo can no longer retrieve any further data from Google Workspace. Automatic deletion of already synchronised data does not currently take place in this case; the administrator must perform the disconnection in the Signivo console subsequently or delete the entire workspace.
The reaffirmation of the Limited Use commitments under the Google API Services User Data Policy, as well as their substantive implementation, are set out in Section 6.1 and in the general platform API data use declaration (Section 6).
Legal basis: Art. 6 (1) (b) GDPR (performance of the contract).
Administrators may enter the following information as part of the branding kit: company name, website URL, telephone number, address, legal disclaimers, and social media links (LinkedIn, X/Twitter, Facebook, Instagram, WhatsApp).
In addition, files may be uploaded (e.g. company logos). In doing so, we store the file itself as well as metadata (file name, file size, file type, uploading person).
Legal basis: Art. 6 (1) (b) GDPR (performance of the contract).
We log certain actions within the product (e.g. signature created, deployed, updated) with user ID, email, name, type of action, and timestamp. This serves traceability and error analysis. Activity logs are retained for a maximum of 24 months.
Data protection role: To the extent that the logged actions relate to employees and other users of the customer, Signivo processes these data as a processor on behalf of the customer (see Section 2 and the data processing agreement). The legal basis lies with the customer as controller.
We use PostHog (PostHog, Inc., EU instance at eu.i.posthog.com) for the following purposes:
The integration of PostHog for website analytics on signivo.io is documented separately in Section 3.6.
Product analytics: Collection of pseudonymised usage data (user IDs, workspace IDs, event names) for the analysis of product usage, e.g. onboarding progress, signature actions, and feature usage. Email addresses are not transmitted to PostHog.
Feature management (feature flags): PostHog evaluates server-side which functions are active for which workspace or user. In this context, workspace ID, pseudonymised user ID, and workspace properties (e.g. plan type, onboarding status) are transmitted to PostHog in order to evaluate feature flag rules.
Error analysis (issue tracking): For traceability and remediation of errors, error events with pseudonymised context information are collected. No session replays are used.
Analytics and error analysis data are retained in PostHog for a maximum of 12 months.
Legal basis: To the extent that pseudonymised telemetry and feature management data are processed in the course of providing the Service to the customer, this is processing on behalf of the controller; the legal basis lies with the customer as controller. To the extent that Signivo creates aggregated analyses that cannot be traced back to individual customers or users for the purpose of product improvement (see Section 6), this is carried out on the basis of Signivo's legitimate interest in the further development of the Service (Art. 6 (1) (f) GDPR).
As part of the onboarding process, we use the Anthropic Claude API (Anthropic, PBC, San Francisco, USA) to automatically extract publicly available company information and prepare it for signature creation. Only the domain provided by the administrator is transmitted to Anthropic as a string; Anthropic itself retrieves the publicly accessible content of the website. Because public company websites may contain personal data (e.g. contact persons, email addresses, telephone numbers), this transmission is treated as a third-country transfer to the USA and is carried out on the basis of Standard Contractual Clauses (SCC) pursuant to Art. 46 (2) (c) GDPR.
Anthropic retains API input and output data by default for 30 days and does not use API data for training AI models.
Legal basis: Art. 6 (1) (b) GDPR (performance of the contract, as the function forms part of the onboarding process).
Payments are processed via Stripe (Stripe, Inc., San Francisco, USA). When a paid subscription is booked, payment data (e.g. credit card number, expiry date) are transmitted directly to Stripe and processed there. Signivo itself does not store complete payment data; we receive from Stripe only a reference ID, the payment status, and a truncated card number for display in the customer area.
Stripe is certified under the EU-U.S. Data Privacy Framework (DPF); the transfer to the USA is carried out on the basis of the adequacy decision pursuant to Art. 45 GDPR. Stripe is PCI DSS Level 1 certified.
Legal basis: Art. 6 (1) (b) GDPR (performance of the contract).
In the course of providing the Service, we send transactional and lifecycle emails to workspace administrators and workspace members, for example for the confirmation of account actions, invitations, onboarding steps, trial and subscription status, password reset, security notifications, and product-related notices. Emails are sent via Brevo (Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany) exclusively in the EU. For this purpose, Brevo processes the email address and name of the recipients on our behalf.
Legal basis: Art. 6 (1) (b) GDPR (performance of the contract) for operationally necessary transactional emails (e.g. account confirmation, invitations, password reset, invoices); Art. 6 (1) (f) GDPR (legitimate interest in functioning product communication) for lifecycle and status emails (e.g. trial notices, feature announcements). Such emails are sent independently of the newsletter sign-up (see Section 3.8); the right to object to processing based on legitimate interest may be exercised at any time in accordance with Section 11.
Signivo provides two independent integrations with Microsoft 365: first, the central directory connection through which administrators manage signatures for their organisation; and second, the "Signivo for Outlook" Outlook add-in, which inserts the assigned signature when a user composes a new email in Outlook. Both integrations are operated under the same Microsoft Entra application registration but have separate permission models, data flows, and consent points. They are described separately below.
When your organisation's IT administrator connects Microsoft 365 with Signivo, the administrator grants Signivo a set of read-only Microsoft Graph permissions on your tenant. Signivo uses these permissions to read the directory data required to populate personalised signatures and to assign signatures to individual users or groups.
User profiles (via Microsoft Graph GET /users): Microsoft object ID (id), primary email address (mail), user principal name (userPrincipalName), display name (displayName), first name (givenName), surname (surname), job title (jobTitle), department (department), telephone number(s) (businessPhones, mobilePhone), account activation status (accountEnabled), creation time (createdDateTime), user type (userType, exclusively for filtering on member accounts), and the 15 extension attributes usable by the tenant (onPremisesExtensionAttributes 1 to 15). The latter may be used by the IT team for company-specific fields (e.g. cost centre, location). Other extension mechanisms such as Directory Extensions, Schema Extensions, or Open Extensions are not used.
Manager relationship (via GET /users/{id}/manager): enables the assignment of signatures based on the reporting chain.
Profile pictures (via GET /users/{id}/photo/$value): for inclusion in signatures.
Groups and group membership (via GET /groups and GET /groups/{id}/members): for assigning signatures at group level.
Tenant domains (via GET /domains): per domain, the domain name, default flag, and verification status are read, for the purpose of validating that your tenant controls the email addresses being managed.
We do not access email contents, subject lines, metadata, attachments, calendar entries, OneDrive or SharePoint files, Teams messages, or any other tenant contents. We do not request any write or administration permissions on the directory; Signivo cannot create, modify, deactivate, or delete users, groups, organisational units, or other directory objects. The full list of requested permissions is shown to your administrator on the Microsoft consent page at the time of connection.
Directory data are stored in the PostgreSQL database of Signivo, which is operated on Google Cloud Platform in Frankfurt, Germany (europe-west3), without replication outside the European Union. Profile pictures are stored in Supabase Storage in Frankfurt. Microsoft access and refresh tokens are stored encrypted with AES-256-GCM (see Section 7).
Directory data are updated daily from your Microsoft 365 tenant; outdated records are reconciled and overwritten on each synchronisation. No historical snapshots are stored. Upon termination of the contractual relationship, all directory data are deleted within 30 days in accordance with Section 9.
If the workspace administrator disconnects the Microsoft 365 connection in the Signivo console, the synchronised directory data (domain records, profile pictures, stored extension-attribute schema lists) and all fields associated with the Microsoft 365 integration (tokens, tenant ID, tenant domain, delta tokens, sync metadata) are immediately and transactionally deleted from the Signivo database. Profile picture files are additionally removed from the associated object storage.
If the permission is revoked exclusively in the Microsoft Entra admin centre without the workspace administrator disconnecting the connection in Signivo, Signivo can no longer retrieve any further data from Microsoft 365. Automatic deletion of already synchronised data does not currently take place in this case; the workspace administrator must perform the disconnection in the Signivo console subsequently or delete the entire workspace.
The following Application Permissions are granted once by the tenant administrator:
User.Read.All - reading user profiles and profile pictures
Group.Read.All - reading groups and their members. Signivo uses this permission exclusively for reading group master data and group memberships required for signature assignments. Contents of Microsoft 365 groups, in particular files, conversations, notes, Planner or Teams contents, are not queried or processed.
Domain.Read.All - reading tenant domains
These three permissions are the only permissions requested for the directory integration. In particular, Signivo does not request any Mail.*, Calendars.*, Files.*, Sites.*, Directory.ReadWrite.*, or comparable write or administration permissions. During the one-off tenant admin consent flow, Microsoft additionally displays standard OpenID Connect sign-in dialogs; from this flow, Signivo uses exclusively the tenant ID to identify the connected tenant and no further profile fields of the consenting administrator.
Microsoft 365 directory data are not transmitted to website analytics, marketing analytics, or tracking services such as Google Analytics, Segment, Mixpanel, or comparable providers.
Legal basis: Art. 6 (1) (b) GDPR (performance of the contract).
The "Signivo for Outlook" Outlook add-in automatically inserts the signature centrally configured in the Signivo console as soon as a user composes a new email in Outlook. The inserted signature is visible to the user in the compose window before the email is sent; the user can review the email including signature before sending. The add-in is rolled out to users by the IT administrator via Microsoft 365 add-in distribution; no separate consent step by the end user is required.
When composing a new message, the add-in reads via the Office.js API:
Office.context.mailbox.userProfile.emailAddress)
Office.context.mailbox.item.from) - relevant when sending from shared mailboxes or via aliases
Office.context.mailbox.item.body.getTypeAsync - HTML or plaintext) for correct formatting of the signature to be inserted
The add-in does not access the message body, recipients, subject, or attachments of the email being edited. It also does not access other mailbox folders (Inbox, Sent, Drafts, etc.). The requested Microsoft permission MailboxItem.ReadWrite.User refers to the currently open or composed Outlook item; Signivo uses this permission exclusively to insert the configured signature into this compose item. The add-in does not contain any tracking, advertising, or analytics SDKs from third-party providers.
The three fields listed above are transmitted to the Signivo servers (api.app.signivo.io) so that the correct signature template can be determined and rendered together with the data available from the directory integration (see Section 5.1). Processing of this request takes place via the Signivo backend infrastructure on Google Cloud Platform in Frankfurt, Germany (europe-west3). The email address and display name are retained in diagnostic logs for up to 30 days; they are not used for marketing purposes.
The signature HTML rendered by the server is cached via the Microsoft mechanism Office.context.roamingSettings, so that the add-in is also available faster on subsequent use and on a limited basis offline. In addition, the add-in places a transient status marker per compose item in Office.context.mailbox.item.sessionData in order to detect whether the signature has already been set in this item and to prevent duplicate insertions. The technical storage and synchronisation of these data take place entirely within the user's Microsoft 365 environment; Signivo receives neither the cache content nor the session marker. For tenants with Microsoft Roaming Signatures enabled, the signature is additionally cached in the user's Exchange Online mailbox; hosting and data residency of this mailbox data are governed by the Microsoft 365 settings of your tenant and do not constitute processing on behalf of the controller by Signivo.
The following Delegated Permission is requested:
MailboxItem.ReadWrite.User (resource-specific) - technically permits read and write access to properties of the currently open or composed Outlook item. Signivo uses this permission exclusively to insert the configured signature into the currently open compose item. Signivo does not read or process the message body, recipients, subject, attachments, or contents of other mailbox folders. This permission is named MailboxItem.ReadWrite.User in the Microsoft Graph permission model; in the Office add-in manifest, it is declared in line with Office.js taxonomy as ReadWriteItem.
For the single sign-on of the add-in, Signivo requests from Microsoft Entra ID only the standard OpenID Connect scopes openid and profile; these provide Signivo with neither the email address nor additional profile data. Instead, the email address of the signed-in Outlook user is read at runtime from the Office context (Office.context.mailbox.userProfile.emailAddress) in order to associate the user with their Signivo account. On the basis of this identification, no Microsoft Graph, mailbox, or Exchange calls are made.
No further Microsoft Graph or Outlook permission is requested for the Outlook add-in.
Note on employee data protection: The decision to use Signivo in relation to employees, including the information of employees and any co-determination or employment law requirements, lies with the respective customer as controller. Signivo processes such data exclusively on behalf of the customer.
Legal basis: Art. 6 (1) (b) GDPR (performance of the contract).
To the extent that Signivo receives personal data via the APIs of the productivity platforms used by our customers (currently Google Workspace and Microsoft 365), the following commitments apply across all platforms. Platform-specific additions are set out in Sections 6.1 and 6.2.
Purpose limitation: Signivo uses platform API data exclusively to provide and improve user-facing, product-related functions of email signature management. Specifically, directory data are used to populate signature fields and to implement assignment rules; signature and mailbox write access serve exclusively the central management and deployment of signatures.
Transfer restriction: Signivo does not share platform API data with third parties, with the exception of the following cases:
The processors with access to platform API data are listed by name in Section 8; all other third-party providers listed in Section 8 do not receive access to platform API data.
Prohibited uses: Signivo does not use platform API data for, in particular:
Personnel access: Signivo personnel do not have manual access to platform API data of individual customers, unless:
In addition to the commitments set out in Section 6, Signivo provides the following binding affirmation with respect to data from Google Workspace APIs:
"The use of information received from Google Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements."
The wording above is the verbatim disclosure language required by the Google Workspace API user data and developer policy.
The commitments set out in this Section 6 apply equally to all personal data that Signivo receives via the Microsoft Graph API or the Office.js API from our customers' Microsoft 365 tenants (see Section 5).
Signivo has successfully completed the Microsoft Publisher Verification procedure.
We implement technical and organisational measures to protect your data:
Encryption: Google OAuth tokens and Microsoft Entra access and refresh tokens are stored encrypted with AES-256-GCM (with a randomly generated initialisation vector per encryption operation and a GCM authentication tag for protection against tampering).
Access control: The PostgreSQL database uses Row Level Security (RLS). Anonymous access is not possible. Authenticated users see exclusively data from their own workspace. Sensitive columns (e.g. OAuth tokens) are excluded from client queries.
Transport encryption: All data transmissions are carried out via TLS/SSL.
Infrastructure: The core infrastructure of Signivo (database, application servers, file storage) is operated within the EU (Frankfurt region). To the extent that third-party providers are used, data transfers to third countries may occur to the extent described in Section 10.
For the provision of our Service, we engage the following third-party providers. The overview below contains both processors engaged by Signivo and third-party providers with whom Signivo or the customer cooperates as an independent controller. Providers acting as independent controllers within the meaning of Art. 4 No. 7 GDPR (in particular Stripe for payment processing, and the platform providers Google and Microsoft with respect to the processing activities they control themselves) are marked accordingly below; no processing-on-behalf relationship exists with them. Whether a provider is a processor of Signivo or an independent controller follows from the respective purpose description.
| Provider | Purpose | Processing location | Data | Customer Platform User Data |
|---|---|---|---|---|
| Google Cloud Platform (Google Ireland Ltd.) | Infrastructure (GKE, Redis) | Frankfurt, EU | Application data, directory data, encrypted tokens | Yes - both |
| Supabase, Inc. | Authentication, database, file storage | Frankfurt, EU | Account data, workspace data, directory data, encrypted tokens, uploaded files | Yes - both |
| Google APIs (Google Ireland Ltd.) | Directory sync, Gmail signatures | EU / USA | Directory data, signature HTML, OAuth tokens | Yes - Google (source) |
| Microsoft Graph APIs (Microsoft Ireland Operations Limited) | Directory sync, Outlook add-in signature insertion, authentication via Microsoft Entra ID | EU / USA | Directory data, signature HTML, Entra ID OAuth tokens | Yes - Microsoft (source) |
| PostHog, Inc. (EU instance) | Product analytics, feature management, error analysis, and website analytics | EU | Pseudonymised user/workspace IDs, event names, workspace properties (e.g. plan type); pseudonymised website visitor IDs and page view data | No |
| Anthropic, PBC | AI-assisted company information extraction during onboarding | USA | Customer domain (as a string); Anthropic retrieves website contents itself (may contain personal data) | No |
| Stripe, Inc. | Payment processing (independent controller pursuant to Art. 4 No. 7 GDPR) | USA | Payment data (credit card data, transaction data) | No |
| Brevo (Sendinblue GmbH) | Transactional/lifecycle emails and newsletter dispatch | EU (Germany) | Email addresses of workspace administrators and users (product communication) and newsletter subscribers | No |
| Webflow, Inc. | Website hosting (signivo.io) | USA | Technical access data (IP, browser) | No |
| Cookiebot / Usercentrics A/S | Consent management (signivo.io) | EU | Consent data | No |
| Google Analytics / Google Ads (Google Ireland Ltd.) | Website analytics, conversion tracking | EU / USA | Pseudonymised usage data (website) | No |
| LinkedIn Ireland Unlimited Company | Website campaign analytics | EU / USA | Pseudonymised usage data (website) | No |
Where the US providers listed are certified under the EU-U.S. Data Privacy Framework (DPF) (currently Google, Microsoft, Webflow, LinkedIn, and Stripe), the transfer is carried out on the basis of the adequacy decision pursuant to Art. 45 GDPR. As a supplementary measure, or for providers not certified under the DPF (currently Anthropic), Standard Contractual Clauses (SCC) pursuant to Art. 46 (2) (c) GDPR are used.
For the contractual processing on behalf of the controller, the sub-processors listed in Annex 2 of the data processing agreement as at the time of your acceptance are decisive; this overview reflects the current status.
Note on Microsoft Exchange Online: For tenants with Microsoft Roaming Signatures enabled, signatures inserted by the Outlook add-in are additionally cached in the user's Exchange Online mailbox (see Section 5.2). Hosting and data residency of this mailbox data are governed by the Microsoft 365 settings of your tenant and do not constitute processing on behalf of the controller by Signivo.
Website data:
Product data:
Deletion of individual user accounts:
If an individual user deletes their Signivo account (without deleting the workspace), their personal account data (email, hashed password, authentication data), workspace membership, and associated activity logs are deleted. Workspace data (signatures, settings, directory data) remain in place for the other workspace members.
Deletion upon workspace termination:
Upon manual deletion of a workspace by the Owner, all associated data are removed from the database without undue delay, completely, and irrevocably. The deletion comprises: the workspace itself and its settings, all memberships and invitations, all signatures and signature versions, all deployments and logs, all uploaded files, and the encrypted OAuth tokens. Prior to deletion, Gmail signatures already deployed are automatically removed for all affected users, provided that the corresponding Google permissions still exist at that point in time. For Microsoft 365, deletion of the workspace ends the further provision of signatures via the Outlook add-in; signatures already cached in the Microsoft 365 environment (Office.context.roamingSettings, where applicable Microsoft Roaming Signatures in the Exchange Online cache) remain unaffected (see Section 5.2).
Retention after termination of contract:
After expiry or termination of a subscription, the workspace data are retained for 30 days in order to avoid accidental data deletion and to give the customer the opportunity to reactivate. Upon expiry of this 30-day period, all personal data processed on behalf of the customer are deleted from the production systems, as described above. To the extent that data are temporarily still contained in encrypted, automated backups of the infrastructure providers, these are overwritten upon expiry of the regular backup retention period and are not used productively or restored in the meantime. The customer may trigger immediate deletion at any time by manually deleting the workspace in the Signivo console.
The core infrastructure of Signivo (database, application servers, file storage) is operated within the EU (Frankfurt). Transfers of personal data to third countries take place in the following cases:
Google APIs: Communications with Google servers (Directory API, Gmail API) may be routed via servers in the USA. This is necessary for the core functionality of the Service. Google LLC is certified under the DPF (adequacy decision pursuant to Art. 45 GDPR).
Microsoft Graph APIs and Microsoft Entra ID: Communications with Microsoft servers (directory sync, Outlook add-in, authentication) may be routed via servers in the USA. This is necessary for the core functionality of the Service. Microsoft Corporation is certified under the DPF (adequacy decision pursuant to Art. 45 GDPR); supplementary 2021 Standard Contractual Clauses between Microsoft Ireland Operations Limited and Microsoft Corporation pursuant to Art. 46 (2) (c) GDPR also apply. Signivo itself does not store Microsoft directory data or signature data outside the European Union; a third-country transfer may arise in particular through API communication, routing, or infrastructure services of the platform provider.
Website tools (Google Analytics, Google Ads, LinkedIn Insight Tag): Data may be transferred to servers in the USA, in each case only after consent via the consent banner. Google and LinkedIn are certified under the DPF (adequacy decision pursuant to Art. 45 GDPR).
Webflow: Website hosting may involve data processing in the USA. Webflow is certified under the DPF (adequacy decision pursuant to Art. 45 GDPR); supplementary Standard Contractual Clauses (SCC) pursuant to Art. 46 (2) (c) GDPR have been agreed.
Anthropic (Claude API): As part of the AI-assisted company information extraction during onboarding, the customer domain is transmitted as a string to Anthropic servers in the USA; Anthropic itself retrieves the website contents. Because Anthropic is not certified under the DPF, the transfer is supplementarily based on Standard Contractual Clauses (SCC) pursuant to Art. 46 (2) (c) GDPR. To the extent that no adequacy decision applies to other third-country providers named in this privacy policy or additional safeguards are required, SCC are also used.
Stripe: Payment data are transferred to Stripe in the USA. Stripe is certified under the DPF (adequacy decision pursuant to Art. 45 GDPR).
As a data subject, you have the following rights at any time:
Right of access (Art. 15 GDPR): You may request information about the personal data we process about you.
Right of rectification (Art. 16 GDPR): You may request the rectification of incorrect data.
Right to erasure (Art. 17 GDPR): You may request the erasure of your data, provided that no statutory retention obligations preclude this.
Right to restriction of processing (Art. 18 GDPR): You may request the restriction of processing of your data.
Right to data portability (Art. 20 GDPR): You may request to receive your data in a structured, commonly used, machine-readable format.
Right to object (Art. 21 GDPR): You may object to the processing of your data where it is based on legitimate interest (Art. 6 (1) (f) GDPR).
Right to withdraw consent (Art. 7 (3) GDPR): Consent given may be withdrawn at any time with effect for the future.
To exercise your rights, please contact privacy@signivo.io (for data protection-related requests, including data portability requests pursuant to Art. 20 GDPR). For general enquiries, contractual matters, and support, hello@signivo.io is available.
Note on processing on behalf of the controller: To the extent that Signivo processes personal data on behalf of a customer (in particular employee and directory data in the context of signature management, see Section 2), the respective customer is the controller within the meaning of data protection law. Data subject requests concerning such data should generally be directed to the respective customer. Signivo supports its customers within the scope of statutory and contractual obligations in processing such requests.
Right to lodge a complaint: You have the right to lodge a complaint with a data protection supervisory authority. As our seat is in Berlin, the competent supervisory authority is: Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin Commissioner for Data Protection and Freedom of Information), Friedrichstraße 219, 10969 Berlin (datenschutz-berlin.de).
Signivo's access to data from Google Workspace or Microsoft 365 may be revoked via various paths. The revocation paths differ depending on the platform, as Signivo integrates the two platforms via different authentication mechanisms (see Sections 4.3 and 5).
Revocation of the workspace connection (domain-wide delegation):
This revocation removes Signivo's authorisation to synchronise directory data in the background and to set signatures for workspace users. Gmail signatures already deployed remain in place until they are manually changed. The handling of directory data already synchronised depends on the path chosen: if disconnection is effected via the Signivo console, the synchronised directory data are immediately and transactionally deleted from the Signivo database; if revocation is effected exclusively in the Google Admin Console, the data already synchronised initially remain stored until the administrator subsequently performs the disconnection in the Signivo console or deletes the workspace (see Section 4.3).
Revocation of Google sign-in (personal account):
This concerns exclusively the sign-in to Signivo via Google OAuth and has no effect on the workspace connection or on deployed signatures.
Microsoft 365 does not have a separate "end-user sign-in" path analogous to Google, since Signivo for Microsoft 365 operates exclusively via the tenant connection and the Outlook add-in, not via per-user OAuth login.
Revocation of the tenant connection:
This revocation removes Signivo's authorisation to synchronise directory data in the background and to set signatures via the Outlook add-in. In addition, the administrator may remove the Outlook add-in via the Microsoft 365 administration or the central add-in distribution for individual users or for the entire tenant. Revocation of the Entra permissions ends the API connection; removal of the add-in ends execution of the add-in in Outlook.
We reserve the right to amend this privacy policy in case of changes to our Service, in case of technical innovations, or in case of changes to legal requirements. We will inform you by email of material changes.