Privacy Policy
1. Data controller
The controller of the Signato platform (the "Service" or "Signato") is:
JR Systems s.r.o.
Registered address: Landererova 8, 811 09 Bratislava - mestská časť Staré Mesto
Company ID: 51413108, Tax ID: 2120693399, VAT ID: SK2120693399
Registration: Obchodný register Mestského súdu Bratislava III, oddiel: Sro, vložka č. 126414/B
E-mail: privacy@signato.sk
(hereafter "Controller", "we" or "us")
2. Two processing roles
Signato operates in two distinct roles depending on the processing context:
- As controller — for the purposes of providing the Service to our customers (beauty salons, PMU studios). We process personal data of account users (salon owners, employees).
- As processor — for personal data of salon clients processed during questionnaires and e-signatures. In this case the salon itself is the controller. Signato only processes the data technically on its behalf.
3. What data we process (as controller)
When you register and use a Signato account, we process:
| Category | Data | Legal basis | Retention period |
|---|---|---|---|
| Identification | First name, last name, e-mail | Contract performance (Art. 6(1)(b) GDPR) | Duration of account + 3 years |
| Business | Company name, ID, VAT ID, billing address | Legal obligation (accounting) | 10 years |
| Payment | Last 4 card digits, card type (via Stripe, not stored with us) | Contract performance | Duration of subscription |
| Technical | IP address, user agent, login sessions | Legitimate interest (security) | 12 months |
| Marketing | E-mail submitted via contact form | Consent | Until consent withdrawn |
4. Salon clients' data (processor role)
If you are a client of a salon that uses Signato for questionnaires and consent, the controller of your data is that salon, not Signato. Please direct access, correction and erasure requests to the salon where you filled in the form.
Signato only processes your data based on the salon's instructions and under a data processing agreement (DPA). Data is stored on servers in Germany (Hetzner Online GmbH), encrypted in transit and at rest.
5. Recipients of data
We may share your data with the following recipients:
- Hetzner Online GmbH (Germany) — server hosting
- Stripe, Inc. (USA, Ireland) — payment processing (under SCC)
- Websupport s.r.o. (SK) — domain and e-mail services
- Google LLC (USA, Ireland) — reCAPTCHA (anonymised, public questionnaire only) and Google Sign-In (only if the user signs in via Google: name, email, profile photo)
- Sentry.io — technical error monitoring (pseudonymised)
- Tax and financial authorities where required by law
6. Your rights
Under GDPR you have the right to:
- Access your data (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure ("right to be forgotten") (Art. 17)
- Restriction of processing (Art. 18)
- Portability (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent — where processing is consent-based
- Lodge a complaint with the Slovak Data Protection Authority
Send requests to podpora@signato.sk. We will respond within 30 days of receipt.
7. Security
We implement appropriate technical and organisational measures to protect your data:
- TLS 1.2+ encryption for all connections
- Password hashing (bcrypt), HSTS, CSP headers
- Regular backups and access auditing
- Tenant data isolation (multi-tenant separation)
- Production data access limited to authorised staff
8. Cookies
We use strictly necessary cookies for sign-in and bot protection. See our separate Cookie Policy for details.
9. Changes to this policy
We reserve the right to update this policy. We will notify you of material changes by e-mail or through the Service at least 14 days before they take effect.
10. Contact
For privacy questions contact us at:
E-mail: podpora@signato.sk