Spectra-C – Privacy Policy

Effective Date: November 15, 2025

Governing Entity: SecureSign, Inc., a Delaware corporation

1. Purpose and Scope

SecureSign, Inc. (“Spectra-C”, “SecureSign,” “we,” “our,” or “us”) respects your privacy and is committed to protecting personal information in accordance with applicable laws and regulations.

This Privacy Policy describes how we collect, use, disclose, store, and protect personal information obtained through our website, web applications, and identity-verification services (the “Platform”). It applies to all users located in the United States and, where applicable, to data subjects located in the European Economic Area (“EEA”), the United Kingdom (“UK”), and other jurisdictions with comparable data protection laws.

This Policy is designed to comply with:

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA);
The Virginia Consumer Data Protection Act (VCDPA);
The Colorado Privacy Act (CPA);
The Connecticut Data Privacy Act (CTDPA);
The Texas Data Privacy and Security Act (TDPSA);
The Illinois Biometric Information Privacy Act (BIPA);
The Children’s Online Privacy Protection Act (COPPA); and
The EU General Data Protection Regulation (GDPR) and UK GDPR.

This Policy is designed to comply with:

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA);
The Virginia Consumer Data Protection Act (VCDPA);
The Colorado Privacy Act (CPA);
The Connecticut Data Privacy Act (CTDPA);
The Texas Data Privacy and Security Act (TDPSA);
The Illinois Biometric Information Privacy Act (BIPA);
The Children’s Online Privacy Protection Act (COPPA); and
The EU General Data Protection Regulation (GDPR) and UK GDPR.

This Policy is designed to comply with:

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA);
The Virginia Consumer Data Protection Act (VCDPA);
The Colorado Privacy Act (CPA);
The Connecticut Data Privacy Act (CTDPA);
The Texas Data Privacy and Security Act (TDPSA);
The Illinois Biometric Information Privacy Act (BIPA);
The Children’s Online Privacy Protection Act (COPPA); and
The EU General Data Protection Regulation (GDPR) and UK GDPR.

2. Information We Collect

SecureSign collects the following categories of information to operate our identity-security and electronic-signature platform:

2.1 Personal Identifiers

Name, email address, postal address, phone number, date of birth, and account credentials.

2.2 Verification and Biometric Information

Government-issued ID numbers and images;
Facial images, video selfies, or voiceprints used for identity verification;
Device identifiers, IP address, and transaction metadata used for fraud prevention.

All biometric and ID verification data are processed through Spectra-C, SecureSign’s proprietary verification and anti-deepfake system. Spectra-C acts as a processor under SecureSign’s control and operates solely within the United States.

2.3 Usage and Technical Data

Log files, browser type, operating system, time stamps, and referring URLs.
Analytics data used to improve performance, security, and usability.

2.4 Communication Data

Content of communications with SecureSign (support requests, legal inquiries, or verification disputes).

SecureSign collects the following categories of information to operate our identity-security and electronic-signature platform:

2.1 Personal Identifiers

Name, email address, postal address, phone number, date of birth, and account credentials.

2.2 Verification and Biometric Information

Government-issued ID numbers and images;
Facial images, video selfies, or voiceprints used for identity verification;
Device identifiers, IP address, and transaction metadata used for fraud prevention.

2.3 Usage and Technical Data

Log files, browser type, operating system, time stamps, and referring URLs.
Analytics data used to improve performance, security, and usability.

2.4 Communication Data

Content of communications with SecureSign (support requests, legal inquiries, or verification disputes).

SecureSign collects the following categories of information to operate our identity-security and electronic-signature platform:

2.1 Personal Identifiers

Name, email address, postal address, phone number, date of birth, and account credentials.

2.2 Verification and Biometric Information

Government-issued ID numbers and images;
Facial images, video selfies, or voiceprints used for identity verification;
Device identifiers, IP address, and transaction metadata used for fraud prevention.

2.3 Usage and Technical Data

Log files, browser type, operating system, time stamps, and referring URLs.
Analytics data used to improve performance, security, and usability.

2.4 Communication Data

Content of communications with SecureSign (support requests, legal inquiries, or verification disputes).

3. How We Use Personal Information

SecureSign processes personal information only for legitimate purposes, including:

1. Identity verification and fraud prevention;

2. Provision of digital signature and authentication services;

3. Compliance with applicable laws, including KYC and anti-fraud requirements;

4. Service improvement, testing, internal analytics, and (unless disabled by the subscriber/enterprise administrator) training and improvement of Spectra-C’s verification, liveness, and deepfake detection systems, including using biometric and verification inputs;

5. Service improvement, testing, and internal analytics;

6. User account management and customer support; and

7. Legal defense, auditing, and regulatory reporting.

Under the GDPR, our lawful bases for processing are:

Performance of a contract (Article 6(1)(b));
Compliance with legal obligations (Article 6(1)(c));
Legitimate interests (Article 6(1)(f)) related to fraud prevention and security; and
Consent (Article 6(1)(a)) where required, particularly for biometric processing.

SecureSign processes personal information only for legitimate purposes, including:

1. Identity verification and fraud prevention;

2. Provision of digital signature and authentication services;

3. Compliance with applicable laws, including KYC and anti-fraud requirements;

5. Service improvement, testing, and internal analytics;

6. User account management and customer support; and

7. Legal defense, auditing, and regulatory reporting.

Under the GDPR, our lawful bases for processing are:

Performance of a contract (Article 6(1)(b));
Compliance with legal obligations (Article 6(1)(c));
Legitimate interests (Article 6(1)(f)) related to fraud prevention and security; and
Consent (Article 6(1)(a)) where required, particularly for biometric processing.

SecureSign processes personal information only for legitimate purposes, including:

1. Identity verification and fraud prevention;

2. Provision of digital signature and authentication services;

3. Compliance with applicable laws, including KYC and anti-fraud requirements;

5. Service improvement, testing, and internal analytics;

6. User account management and customer support; and

7. Legal defense, auditing, and regulatory reporting.

Under the GDPR, our lawful bases for processing are:

Performance of a contract (Article 6(1)(b));
Compliance with legal obligations (Article 6(1)(c));
Legitimate interests (Article 6(1)(f)) related to fraud prevention and security; and
Consent (Article 6(1)(a)) where required, particularly for biometric processing.

4. Biometric and ID Information

Secure Sign and Spectra-C collect and process biometric identifiers used for identity verification, fraud prevention, liveness/deepfake detection, and (unless the enterprise subscriber opts out) improvement/training of those systems.

We comply with Illinois BIPA and similar state statutes by:

Providing advance written notice of collection;
Obtaining affirmative user consent before capturing or processing biometric data;
Limiting use exclusively to verification purposes;
Storing biometric data using encryption and access controls; and
Permanently deleting biometric data within three (3) years of the user’s last interaction, unless required by law to retain it longer.

We do not sell, lease, or disclose biometric information to third parties except as required by law.

We comply with Illinois BIPA and similar state statutes by:

Providing advance written notice of collection;
Obtaining affirmative user consent before capturing or processing biometric data;
Limiting use exclusively to verification purposes;
Storing biometric data using encryption and access controls; and
Permanently deleting biometric data within three (3) years of the user’s last interaction, unless required by law to retain it longer.

We do not sell, lease, or disclose biometric information to third parties except as required by law.

We comply with Illinois BIPA and similar state statutes by:

Providing advance written notice of collection;
Obtaining affirmative user consent before capturing or processing biometric data;
Limiting use exclusively to verification purposes;
Storing biometric data using encryption and access controls; and
Permanently deleting biometric data within three (3) years of the user’s last interaction, unless required by law to retain it longer.

We do not sell, lease, or disclose biometric information to third parties except as required by law.

5. Children’s Privacy (COPPA Compliance)

SecureSign’s services are not directed to children under 13 years of age. We do not knowingly collect, use, or disclose personal information from children.

If we learn that a child under 13 has provided information, we will delete it immediately. Parents or guardians may contact us at privacy@trysecuresign.com to request removal.

6. Data Retention

SecureSign retains personal information only as long as necessary to fulfill the purposes outlined in this Policy or to comply with legal, accounting, or regulatory requirements. Retention periods vary by data type but generally do not exceed:

Account data: retained for the duration of the account plus five (5) years.
Verification/biometric data: retained for no more than three (3) years after last use.
Legal records: retained as required by applicable law.

Account data: retained for the duration of the account plus five (5) years.
Verification/biometric data: retained for no more than three (3) years after last use.
Legal records: retained as required by applicable law.

7. Data Security

We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the information, including:

Encryption in transit and at rest; - Role-based access controls;
Continuous monitoring and intrusion detection; and
Independent security testing of Spectra-C and Platform components.

Despite these measures, no system is completely secure. SecureSign disclaims liability for unauthorized access or use that is beyond our reasonable control.

We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the information, including:

Encryption in transit and at rest; - Role-based access controls;
Continuous monitoring and intrusion detection; and
Independent security testing of Spectra-C and Platform components.

Despite these measures, no system is completely secure. SecureSign disclaims liability for unauthorized access or use that is beyond our reasonable control.

We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the information, including:

Encryption in transit and at rest; - Role-based access controls;
Continuous monitoring and intrusion detection; and
Independent security testing of Spectra-C and Platform components.

Despite these measures, no system is completely secure. SecureSign disclaims liability for unauthorized access or use that is beyond our reasonable control.

8. Information Sharing and Disclosure

We do not sell or share personal information as defined by the CPRA.

We may disclose personal information to:

Service providers assisting in hosting, analytics, or support (all bound by confidentiality and data-processing agreements);
Legal or regulatory authorities when required by law or lawful subpoena;
Successor entities in the event of a merger or acquisition, subject to equivalent safeguards.

All such disclosures are made in accordance with applicable law and this Policy.

We do not sell or share personal information as defined by the CPRA.

We may disclose personal information to:

Service providers assisting in hosting, analytics, or support (all bound by confidentiality and data-processing agreements);
Legal or regulatory authorities when required by law or lawful subpoena;
Successor entities in the event of a merger or acquisition, subject to equivalent safeguards.

All such disclosures are made in accordance with applicable law and this Policy.

We do not sell or share personal information as defined by the CPRA.

We may disclose personal information to:

Service providers assisting in hosting, analytics, or support (all bound by confidentiality and data-processing agreements);
Legal or regulatory authorities when required by law or lawful subpoena;
Successor entities in the event of a merger or acquisition, subject to equivalent safeguards.

All such disclosures are made in accordance with applicable law and this Policy.

9. Cross-Border Data Transfers

All SecureSign data is hosted in the United States.

Where personal data is transferred from the EEA, UK, or Switzerland to the United States, SecureSign relies on:

Standard Contractual Clauses (SCCs) adopted by the European Commission; and
Additional technical and organizational measures ensuring equivalent protection.

Data subjects may request a copy of the relevant transfer mechanism at privacy@trysecuresign.com.

All SecureSign data is hosted in the United States.

Where personal data is transferred from the EEA, UK, or Switzerland to the United States, SecureSign relies on:

Standard Contractual Clauses (SCCs) adopted by the European Commission; and
Additional technical and organizational measures ensuring equivalent protection.

Data subjects may request a copy of the relevant transfer mechanism at privacy@trysecuresign.com.

All SecureSign data is hosted in the United States.

Where personal data is transferred from the EEA, UK, or Switzerland to the United States, SecureSign relies on:

Standard Contractual Clauses (SCCs) adopted by the European Commission; and
Additional technical and organizational measures ensuring equivalent protection.

Data subjects may request a copy of the relevant transfer mechanism at privacy@trysecuresign.com.

10. Consumer and Data Subject Rights

Under U.S. State Privacy Laws:

Residents of California, Virginia, Colorado, Connecticut, and Texas have the right to:

Access and obtain a copy of their personal information;
Request deletion or correction of inaccurate data;
Opt out of data sharing or targeted advertising (not applicable to SecureSign’s core services); and
Non-discrimination for exercising privacy rights.

Requests may be submitted to privacy@trysecuresign.com. We will verify your identity before fulfilling any request.

Under the GDPR and UK GDPR:
Data subjects in the EEA/UK have the right to:

Access, rectify, or erase personal data;
Restrict or object to processing;
Data portability; and
Lodge a complaint with a supervisory authority.

Where processing is based on consent, you may withdraw consent at any time without affecting prior lawful processing.

Under U.S. State Privacy Laws:

Residents of California, Virginia, Colorado, Connecticut, and Texas have the right to:

Access and obtain a copy of their personal information;
Request deletion or correction of inaccurate data;
Opt out of data sharing or targeted advertising (not applicable to SecureSign’s core services); and
Non-discrimination for exercising privacy rights.

Requests may be submitted to privacy@trysecuresign.com. We will verify your identity before fulfilling any request.

Under the GDPR and UK GDPR:
Data subjects in the EEA/UK have the right to:

Access, rectify, or erase personal data;
Restrict or object to processing;
Data portability; and
Lodge a complaint with a supervisory authority.

Where processing is based on consent, you may withdraw consent at any time without affecting prior lawful processing.

Under U.S. State Privacy Laws:

Residents of California, Virginia, Colorado, Connecticut, and Texas have the right to:

Access and obtain a copy of their personal information;
Request deletion or correction of inaccurate data;
Opt out of data sharing or targeted advertising (not applicable to SecureSign’s core services); and
Non-discrimination for exercising privacy rights.

Requests may be submitted to privacy@trysecuresign.com. We will verify your identity before fulfilling any request.

Under the GDPR and UK GDPR:
Data subjects in the EEA/UK have the right to:

Access, rectify, or erase personal data;
Restrict or object to processing;
Data portability; and
Lodge a complaint with a supervisory authority.

Where processing is based on consent, you may withdraw consent at any time without affecting prior lawful processing.

11. Automated Decision-Making and Subscriber Oversight

SecureSign and its proprietary Spectra-C system use automated technologies to assist subscribers with identity verification, document authentication, and fraud-risk analysis. These tools generate data, scores, or recommendations to facilitate a subscriber’s own review and decision-making.

SecureSign and Spectra-C do not themselves make any determinations that produce legal or similarly significant effects on individuals. All final decisions regarding identity verification, access, or transaction approval are made solely by the subscriber organization using the Platform.

Accordingly, SecureSign acts as a service provider or processor on behalf of its subscribers, and subscribers remain responsible for providing appropriate human oversight and ensuring compliance with applicable privacy and data-protection laws when using the Platform’s automated capabilities.

12. Third-Party Links and Services

Our Platform may contain links or integrations to third-party websites and APIs.

SecureSign is not responsible for the content, privacy, or security practices of third parties.

We encourage you to review their respective privacy policies before interacting with those services.

13. Changes to this Policy

SecureSign may amend this Privacy Policy periodically to reflect changes in technology, law, or business operations.

Material updates will be communicated by posting a revised version on our Platform and updating the “Effective Date.” Continued use after such posting constitutes acceptance.

14. Contact and Data Protection Officer

For questions, complaints, or to exercise privacy rights, please contact:

SecureSign, Inc.

Email: privacy@trysecuresign.com

Privacy and Compliance Department

For EU/UK inquiries, SecureSign’s designated Data Protection Officer (DPO) may be reached at the same address with the subject line: “Attn: Data Protection Officer.”

For questions, complaints, or to exercise privacy rights, please contact:

SecureSign, Inc.

Email: privacy@trysecuresign.com

Privacy and Compliance Department

For EU/UK inquiries, SecureSign’s designated Data Protection Officer (DPO) may be reached at the same address with the subject line: “Attn: Data Protection Officer.”

For questions, complaints, or to exercise privacy rights, please contact:

SecureSign, Inc.

Email: privacy@trysecuresign.com

Privacy and Compliance Department

For EU/UK inquiries, SecureSign’s designated Data Protection Officer (DPO) may be reached at the same address with the subject line: “Attn: Data Protection Officer.”

15. Governing Law

This Policy and any related disputes are governed by the laws of the State of Delaware, without regard to conflict-of-law principles.

To the extent GDPR applies, data subject rights will be interpreted consistently with Regulation (EU) 2016/679.