IndiSign Privacy Notice

This Privacy Notice is intended for clients and users accessing or utilizing the "IndiSign" digital documentation platform, which is owned and operated by Indiconnect Paytech Private Limited ("Indiconnect", "we", "us", or "our"). This Notice explains, clearly and transparently, how Indiconnect collects, uses, stores, processes, and protects personal data in connection with the provision and use of the IndiSign Services.

It further outlines the purposes for which such personal data may be processed and disclosed, consistent with applicable data protection and privacy laws.

This Privacy Notice applies to you in the following circumstances:

• If you are a Client or Signer using the IndiSign digital documentation services provided by Indiconnect Paytech Private Limited ("Indiconnect");
• If you provide personal, financial, or regulatory data during registration, KYC, or transactions;
• If you are visiting or accessing our IndiSign informational website; or
• If you have received a signing link or invitation to execute a document through IndiSign from another entity (the "IndiSign Client");
• Interact with us as merchants, partners, clients or affiliates.

In such cases, you are also advised to review the privacy policy of the respective IndiSign Client who has sent you the document for signing. Indiconnect processes your personal data in accordance with the instructions received from such IndiSign Client.

Please note that this Privacy Notice also applies to information relating to Signers that is provided to Indiconnect (IndiSign) by its Clients. In such cases, the Indiconnect (IndiSign) Client providing such information represents and warrants that it has obtained all necessary authority and consent from the relevant Signers to share their personal information with Indiconnect (IndiSign).

• If you are an "Indiconnect (IndiSign) Client" (i.e., you use IndiSign to initiate document signing processes and are the paying customer of our services): Indiconnect (IndiSign) acts as the Data Fiduciary with respect to your personal data and your use of IndiSign. However, with respect to any personal data included in or shared through IndiSign (such as information relating to counterparties, signatories, or content contained in documents), Indiconnect (IndiSign) acts as a Data Processor, processing such data solely on your behalf.
• If you are a "Signer" (i.e., you sign a document through IndiSign): Indiconnect (IndiSign) acts as a Data Processor, processing your personal data on behalf of and in accordance with the instructions of the IndiSign Client who has provided your information to us, or as required under applicable law. In such cases, the IndiSign Client is the Data Fiduciary and is responsible for ensuring compliance with applicable data protection laws.
• If you are a visitor to this website: Indiconnect (IndiSign) acts as the Data Fiduciary for personal data collected about your usage of the website and any personal data you voluntarily provide through the website.

We may collect, receive, and process the following categories of information in connection with your use of IndiSign and related services:

• Identification Details: Name, mobile number, and/or email address as provided by the IndiSign Client for the purpose of facilitating e-signing of documents and verifying the identity of the Signer.
• Location Information: GPS coordinates or location details of the device used to access IndiSign may be collected, based on the verification settings enabled by the IndiSign Client. Such information forms part of the audit trail associated with the e-signing transaction.
• Photographs and Video Recordings: We may capture your photograph or conduct AI-based liveliness verification for additional identity confirmation, subject to the configuration enabled by the IndiSign Client. These details form part of the e-signing audit trail.
• Access Credentials: Your login credentials (email address, mobile number, and password) may be collected to facilitate access to our services, enable communications relating to e-signing transactions, and verify Signer identity.
• Device and Technical Information: We collect information such as your device type, IP address, browser details, and activity timestamps (including login, document access, and OTP verification events) for identification, security monitoring, and maintenance of audit trails.
• Digital Signature: Details relating to your digital signature certificate, including name, address, and permissible Aadhaar-related information, as received from the Certifying Authority upon successful certificate issuance.
• Payment Information: Payment and billing information of IndiSign Clients and Signers may be collected and retained by IndiSign and/or its authorised payment service providers in compliance with applicable laws.
• Biometric Information: Your fingerprint may be collected as evidence of consent during the e-signing process, where the eSign type selected by the IndiSign Client requires such verification.
• Stamp Duty Information: We may collect details relating to stamp paper procurement, including order value, delivery address, organisational information, and party details.
• Documents Uploaded: Documents uploaded for e-signing or otherwise shared on the platform are stored for the duration necessary to fulfil contractual obligations or as required under applicable law.
• Cookies, Usage Data, and Analytical Information: We may use cookies and similar technologies to collect information such as URL clickstreams, pages viewed, response times, time spent on pages, and user interactions.
• Use of Integrated Applications: Information may be collected about your interaction with third-party applications or linked services to enable integration and provide a seamless user experience.
• Personal Information: We may collect personal data such as your name, mobile number, email address, organisation details, social media profile, and other information you provide through marketing forms, advertisements, or public sources.

We do not collect, store, or retain any biometric information or One-Time Passwords (OTPs) used for Aadhaar eKYC or eSign transactions.

Any biometric data utilized in connection with an Aadhaar-based eSign transaction is collected directly by the licensed Certifying Authority (CA), in accordance with applicable laws and regulations. Such biometric data is encrypted immediately upon capture and used solely for the purpose of completing the specific eKYC or eSign transaction.

The Certifying Authority is responsible for processing and securing Aadhaar-related information in strict compliance with the guidelines issued by the Unique Identification Authority of India (UIDAI).

IndiSign undergoes periodic information security, application security, and compliance audits conducted by independent third-party auditors empanelled with the Indian Computer Emergency Response Team (CERT-In). Indiconnect is certified under PCI-DSS, CICRA, and ISO/IEC 27001:2022.

IndiSign does not collect, process, or store any cardholder details, including card numbers, CVV, or expiry dates.

All payments are processed through our PCI-DSS compliant payment gateway partner, which manages the complete collection, processing, and secure storage of card data in accordance with applicable laws and industry standards. IndiSign only receives limited transaction status information and never has access to full cardholder details.

IndiSign is a document execution and contracting service directed to and intended for use only by those who are 18 years of age or over. We do not target IndiSign at children, and we do not knowingly collect any personal data from any person under 18 years of age.

If you are under 18 or not legally able to enter into a contract, you cannot use our services or share any information with us.

All personal data collected by IndiSign is stored and processed on servers. Such storage and processing are carried out in compliance with applicable Indian laws, including the Digital Personal Data Protection Act, 2023 (DPDP), and the rules and regulations framed thereunder.

We implement comprehensive security controls to safeguard your data against loss, misuse, and unauthorised access. Data is protected through multiple layers of defence, including encryption in transit and at rest, network segmentation, and secure infrastructure configurations.

IndiSign maintains a comprehensive information security management framework certified under the following international standards:

• Information Security Management Systems (ISMS)
• Security Controls for Cloud Services
• Protection of Personally Identifiable Information in Cloud Environments
• Security, Availability, and Confidentiality

Access to systems and data is governed by strict access control policies aligned with the principle of least privilege. Access is granted only on a verified need-to-know basis through formal approval processes and is continuously monitored.

Limitations: While IndiSign implements appropriate technical and organisational measures to safeguard personal data, no system can be guaranteed to be entirely secure. IndiSign shall not be liable for any unauthorised access, data breach, or security incident arising from circumstances beyond its reasonable control or not resulting from its wilful misconduct.

• We use secure servers to protect your data; however, using any online service carries some risks. We encourage you to follow good security practices like keeping your login details and passwords private.
• If you notice any suspicious activity, please reach out to our support team immediately on Grievances@indiconnect.in

IndiSign engages carefully selected third-party service providers to support the delivery, maintenance, and enhancement of its services. These service providers perform essential functions such as platform hosting, SMS and email communication, payment processing, Aadhaar authentication, and electronic signature facilitation.

To enable these services, limited personal data may be shared with third parties strictly on a need-to-know basis. Where data is shared, IndiSign ensures that appropriate contractual, technical, and organisational safeguards are implemented.

IndiSign may also process and share anonymised or aggregated data with third parties for statistical, analytical, or service improvement purposes. Such data does not identify any individual.

Additionally, IndiSign may disclose personal data when required to do so by law, regulation, or pursuant to valid requests from courts, law enforcement agencies, or other competent authorities.

You have the right to access, update, or delete your personal data. We respect your rights over your personal data and strive to make it easy for you to exercise them.

You can reach out to us to access information about what personal data we hold about you; manage your consent; correct, update or delete your personal data with IndiSign.

You can also nominate someone to manage your information if you are unable to do so yourself.

We will make the changes promptly unless we are required to retain the personal data records and information as is under any applicable law or contractual obligations to IndiSign Clients. We will also inform you and keep you updated about the action taken to process your request.

If you wish to make any changes, withdraw your consent, or raise concerns about how we handle your data, feel free to reach out to us.

We're here to help and will do our best to address your concerns as quickly as possible.

You can enable or block cookies by activating a setting on your browser allowing you to refuse cookies, or by using the cookie consent tool on our website. You can also delete cookies through your browser settings. If you turn off cookies, you can continue to use the website and IndiSign, but certain services might not work effectively.

We will inform you (before collecting your personal data) if we intend to use your data for marketing. You can opt out of marketing by emailing us at marketing@indisign.co.in

IndiSign is an entity established and operating in India, and this Privacy Notice has been prepared in accordance with applicable Indian laws, including the Digital Personal Data Protection Act, 2023, and related rules and regulations.

While our platform may be accessible from jurisdictions outside India, IndiSign does not actively market, promote, or offer its services outside India. Any access or use of our platform from outside India is undertaken at your own initiative and risk, and you are solely responsible for compliance with the laws applicable in your jurisdiction.

IndiSign does not represent or warrant that this Privacy Notice or its practices comply with the data protection or privacy laws of any jurisdiction other than India. If the laws of your country or region conflict with this Notice or with applicable Indian laws, you are advised to refrain from using our services.

If there's a disagreement about this Privacy Notice, we will resolve it in accordance with Indian laws and through arbitration. The sole arbitrator shall be appointed by the mutual consent of the parties, the process will be in English, and it'll take place in Pune, Maharashtra, India.

IndiSign may update or revise this Privacy Notice from time to time to reflect changes in legal, regulatory, or operational requirements, or to clarify our practices. Any material changes will be communicated to users through appropriate means, such as email notifications or prominent updates on this page.

We encourage you to review this Privacy Notice periodically to stay informed about how we protect and process your personal data.

This Privacy Notice was last updated on 05/02/2026