Vindato

Privacy Policy

Last updated: February 15, 2026

1. Introduction

Patagrowth LLC, operating as Vindato ("we", "us", or "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our NDA creation and signing platform at vindato.com ("Service").

2. Information We Collect

2.1 Information You Provide

  • Party Information: Names, email addresses, and contact details of NDA parties
  • Document Information: NDA terms, confidential information descriptions, and governing jurisdiction
  • Payment Information: Processed securely by Stripe — we do not store credit card numbers
  • Identity Documents: Document type and number (encrypted with AES-256-GCM)

2.2 Information Collected Automatically

  • IP Address: Recorded for audit trail and security purposes
  • User Agent: Browser and device information for audit logging
  • Timestamps: Date and time of all actions (creation, signing, downloads)

3. How We Use Your Information

We use the collected information to:

  • Create and generate NDA documents based on your input
  • Facilitate digital signatures between parties
  • Generate and store signed PDF documents
  • Send transactional emails (signing invitations, confirmations, reminders)
  • Process payments through Stripe
  • Maintain an audit trail for document integrity and verification
  • Provide public NDA verification (only non-personal data is exposed)
  • Detect and prevent fraud, abuse, and security incidents

4. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption at Rest: Sensitive data (identity documents) is encrypted using AES-256-GCM with versioned keys
  • Encryption in Transit: All communications use HTTPS/TLS
  • Token Security: Magic link tokens are hashed (SHA-256) before storage; originals are never stored
  • Access Control: PDF documents are stored in private S3 buckets with time-limited signed URLs
  • Rate Limiting: API endpoints are protected against abuse
  • Audit Logging: All significant actions are logged for security monitoring

5. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), we process your personal data based on the following legal grounds under GDPR Article 6:

  • Contract Performance: Processing necessary to create, sign, and deliver NDA documents you request
  • Legitimate Interest: Security monitoring, fraud prevention, and audit logging
  • Legal Obligation: Retaining payment records as required by financial regulations
  • Consent: Where you have given explicit consent (e.g., electronic signature consent)

6. Data Retention

We follow a strict data retention policy to minimize the amount of personal data we store:

  • NDA Documents: Retained for 90 days from creation, then permanently deleted
  • PDF Files: Stored for up to 90 days from NDA creation, then permanently deleted from storage
  • Audit Logs: Deleted along with the associated NDA after the retention period
  • Payment Records: Retained as required by financial regulations and Stripe

We send email notifications 7 days and 1 day before deletion so you can download your documents.

7. Third-Party Services

We use the following third-party services to operate the platform:

  • Stripe (stripe.com) — Payment processing. Subject to Stripe's Privacy Policy
  • Resend (resend.com) — Transactional email delivery
  • NeonDB (neon.tech) — Database hosting (PostgreSQL)
  • Hostman (hostman.com) — S3-compatible object storage for PDFs
  • Netlify (netlify.com) — Application hosting

8. Public Verification

The NDA verification feature (/verify) allows anyone with a verification code to confirm that an NDA exists and to check its current status. This feature only exposes:

  • NDA status (draft, paid, sent, signed, rejected, expired)
  • Country code
  • Creation date
  • Truncated document hash (first 12 characters)

No personal information (names, emails, document numbers) is exposed through the verification endpoint.

9. Your Rights (GDPR)

If you are located in the EEA, you have the following rights under GDPR:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate personal data
  • Deletion: Request deletion of your personal data (subject to legal obligations)
  • Portability: Request your data in a portable format
  • Objection: Object to certain processing of your personal data
  • Restriction: Request restriction of processing in certain circumstances
  • Withdraw Consent: Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at privacy@vindato.com.

10. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
  • Do Not Sell: We do not sell personal information to third parties

To exercise your CCPA rights, contact us at privacy@vindato.com.

11. Cookies and Local Storage

Vindato uses minimal browser storage. We use localStorage (not cookies) for theme preferences and temporary session data during the NDA creation flow. We do not use tracking cookies, third-party analytics cookies, or any advertising technologies.

12. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

13. International Data Transfers

Your data may be processed and stored in the United States. By using the Service, you consent to the transfer of your information to the United States and other jurisdictions where our service providers operate.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

15. Contact Us

For questions or concerns about this Privacy Policy or our data practices, contact us at: