The EU General Data Protection Regulation (GDPR) has applied across the European Union since 25 May 2018. It modernises data-protection rules for a digital world and gives people stronger rights over their personal data. As a platform that helps people start petitions, gather signatures, and — where enabled — raise funds for causes, SignItNow processes personal data and takes these responsibilities seriously.
Our commitment
SignItNow (“we”, “us”, “our”) is committed to protecting the personal information we handle and to applying GDPR’s principles of transparency, fairness, security and privacy-by-design. We maintain policies, controls and training that aim to keep your information safe and to respect your rights.
How we meet GDPR requirements
1) Information mapping
We maintain records of the personal data we process (e.g., account details, petition content, signatures, comments, donation/payment metadata), where it comes from, why we use it, the legal basis we rely on, who we share it with, and how long we keep it.
2) Policies & governance
- Data protection & privacy-by-design – Our internal policy sets roles and responsibilities, embeds privacy into product design, and requires DPIAs (impact assessments) where risks are higher.
- Retention & deletion – We only keep data as long as needed for the purpose it was collected or to meet legal obligations. When no longer needed, data is securely deleted or anonymised.
- Data breach response – We have procedures to detect, investigate and report personal-data breaches. Where GDPR requires, we notify the relevant authority within 72 hours and, when necessary, inform affected individuals.
3) International transfers & third parties
We host and process data with trusted providers. When data is transferred outside the EEA/UK, we rely on approved safeguards such as the EU Standard Contractual Clauses (and UK equivalents), plus technical and organisational measures to protect the data. We conduct due diligence on our vendors (e.g., hosting, email delivery, analytics, payment processors) and put written data-processing agreements in place.
4) Lawful bases for processing
Depending on the context, we process personal data because:
- Contract – to create and manage your account, publish petitions, collect signatures, run campaigns, or provide supporter tools you request.
- Consent – for optional features such as certain marketing emails or cookies; you may withdraw consent at any time.
- Legitimate interests – to keep our services secure, prevent abuse, improve the platform, and support campaigns, provided those interests are not overridden by your rights.
- Legal obligations – to comply with tax, accounting, fraud-prevention, or other legal requirements.
5) Privacy notices
Our Privacy Policy explains what we collect, how we use it, who we share it with, how long we keep it, international transfers, and your rights. We keep these notices clear and up-to-date.
6) Direct marketing
Where we send campaign or product updates, we include an easy opt-out link. We honour opt-outs promptly and record preferences.
7) Data Protection Impact Assessments (DPIAs)
For high-risk processing (e.g., large-scale petition data, sensitive categories if applicable), we run DPIAs to identify and reduce risk before launch.
8) Special-category data
We avoid collecting special-category data (e.g., health, political opinions) unless strictly necessary and lawful. If collected, we rely on an appropriate Article 9 GDPR condition, apply heightened security, and limit access.
Your GDPR rights
You can exercise your rights by contacting us at [contact@signitnow.org] (or via the in-product tools where available). Subject to limited exceptions under GDPR, you have the right to:
- Access – request a copy of your personal data.
- Rectification – ask us to fix inaccurate or incomplete data.
- Erasure – request deletion of your data in certain circumstances (“right to be forgotten”).
- Restriction – ask us to limit processing in specific situations.
- Portability – receive your data in a structured, commonly used, machine-readable format and/or request we transmit it to another controller where technically feasible.
- Object – object to processing based on legitimate interests or to direct marketing.
- Withdraw consent – where processing is based on consent, you can withdraw it at any time (this doesn’t affect processing already performed).
- Automated decisions – request human review and express your point of view where we use automated decision-making with legal or similar significant effects (not typical for SignItNow’s core services).
We respond to verified requests without undue delay and within one month (extendable by two months for complex requests, as permitted by GDPR).
You also have the right to lodge a complaint with your local supervisory authority (for example, in the EEA your national Data Protection Authority; in the UK the ICO).
Security measures
We implement layered technical and organisational measures designed to keep data secure, including but not limited to:
- Encryption in transit and at rest where appropriate
- Privacy-by-design and secure development practices
- Network segmentation and firewalls
- Role-based access controls and least-privilege principles
- Strong authentication and passphrase policies
- Monitoring, logging and alerting
- Regular patching and vulnerability management
- Encrypted backups and tested recovery procedures
- Periodic security testing by internal teams and independent specialists
Our data protection role
We have appointed a privacy lead (and, where required, a Data Protection Officer) to oversee our GDPR program, train staff and monitor compliance. Privacy training is part of onboarding and refreshed periodically.
- Contact for privacy matters: contact@signitnow.org