Privacy Policy

Last updated: July 4, 2026

This policy describes how Latchwork Systems (“Latchwork,” “we,” “us”) collects, uses, and protects personal data in connection with Latchwork Cadence (the “Service”) and our websites.

Our role

For account, billing, and website data we act as the data controller. For personal data contained in the content your organization stores in the Service — items, documents, signer details, approval decisions — we act as a processor on behalf of that organization, and its instructions and privacy practices govern. If your data is in the Service because an organization invited you to sign, approve, or view something, contact that organization first; we will refer requests to them where appropriate. Processing on behalf of business customers is governed by our Data Processing Addendum.

Data we collect

  • Account data: name, email address, password hash, organization name and membership, and role.
  • Customer content: items, documents, approval decisions, signer names and email addresses, and signatures your organization stores in the Service.
  • Signature audit data: for electronic signing we record authentication events, timestamps, and the IP address and browser of signers, as part of the tamper-evident audit trail.
  • Usage data: log and device information such as IP address, browser type, pages viewed, and actions taken, used for security and product improvement.
  • Billing data: handled by our payment processor (Stripe); we store subscription status and invoice metadata but not full card numbers.
  • Support data: the contents of emails and messages you send to our support and sales addresses.

Cookies

We use strictly necessary cookies for authentication and session security, and product analytics (PostHog) to understand feature usage. We do not use third-party advertising cookies and we do not respond to browser “Do Not Track” signals because there is no common interpretation, but we honor applicable opt-out preference signals where required by law.

How we use data

To provide and secure the Service; authenticate users; send transactional email (reminders, approvals, signing requests, account and billing notices); respond to support requests; monitor for abuse and enforce our Terms of Service; comply with law; and improve the product. We do not sell or rent personal data, we do not share it for cross-context behavioral advertising, and we do not use Customer Data to train machine-learning models.

Legal bases

Where GDPR or UK GDPR applies, we process personal data: to perform our contract with you (providing the Service, billing, support); for legitimate interests such as securing the Service, preventing fraud, and improving the product; to comply with legal obligations; and with consent where required, which you may withdraw at any time.

Sharing

We share personal data only with: the subprocessorsneeded to run the Service (hosting, storage, email delivery, payments, error monitoring, analytics), each under a data protection agreement; your organization and its administrators, for data in your organization’s tenant; professional advisers under confidentiality obligations; authorities when required by law or to protect rights, safety, or the integrity of the Service; and a successor entity in connection with a merger, acquisition, or sale of assets, with notice to you.

International transfers

We are based in the United States and our subprocessors primarily process data there. Where we transfer personal data from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on Standard Contractual Clauses and, for UK transfers, the UK Addendum.

Retention

Account data is retained while your account is active. Customer Data is retained while your organization’s account is active and for 30 days after termination, after which it is deleted. Organizations on eligible plans can configure retention windows for deleted items and archived documents. Signature audit trails are retained with the signed documents they authenticate. Audit and security logs, and billing records, may be retained longer where necessary for security, tax, and legal compliance.

Security

Encryption in transit and at rest, tenant isolation, role-based access, rotated credentials, and comprehensive audit logging. No method of transmission or storage is completely secure; we will notify affected customers of a personal data breach as required by law. See Security for details.

Your rights

Depending on your location, you may have rights to access, correct, export, or delete your personal data, to object to or restrict certain processing, and to withdraw consent. Residents of California and other U.S. states with comprehensive privacy laws may also have the right to know what personal information we collect and to non-discrimination for exercising their rights; we do not sell personal information as those laws define it. To exercise any of these rights, contact legal@latchworksystems.com; we will verify your request and respond within the time required by law (and in any case within 30 days where feasible). You may also lodge a complaint with your local supervisory authority. Where we process data on behalf of a business customer, we may direct your request to that organization.

Children

The Service is a business tool and is not directed to children under 16. We do not knowingly collect personal data from children; if you believe a child has provided us personal data, contact us and we will delete it.

Changes

We will post updates to this page and notify account owners by email of material changes. The “Last updated” date above reflects the current version.

Contact

Privacy questions and requests: legal@latchworksystems.com.