last updated - october 2025

Privacy Policy

The MySign Electronic Signature Platform is operated by TrustLink Digital Limited.

TrustLink Digital is a TPP under UK eIDAS regulation.

  1. Introduction

TrustLink Digital Limited (trading as MySign) is committed to protecting your privacy and personal data.

This Privacy Policy explains how we collect, use, store, and protect your personal information when you use MySign to sign documents electronically.

This Privacy Policy should be read in conjunction with our Signatory Terms and Conditions.

We process your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws.

  1. Who we are

Data Controller

TrustLink Digital Limited is the data controller for personal data processed through MySign when you sign documents.

Contact Details

Company Name: TrustLink Digital Limited (trading as MySign)

Email: help@trustlink.co.uk

If you have any questions about how we process your personal data, please contact us using the details above.

  1. What personal data we collect

When you use MySign to sign a document, we collect the following categories of personal data:

Identity and Contact Information

  • Full name

  • Email address

  • Phone number (if provided)

  • Job title and organisation (if signing on behalf of an organisation)

Identity Verification Data

To verify your identity and ensure the security of the signing process, we collect:

  • Know Your Customer (KYC) data: Information obtained from official identity verification databases

  • Anti-Money Laundering (AML) screening results: Checks against financial crime databases

  • Politically Exposed Person (PEP) status: Screening for prominent public positions

  • Sanctions screening results: Checks against international sanctions lists

  • Credit reference data: Information from credit reference agencies used solely for identity verification (soft credit check that does not affect your credit score)

  • Knowledge-Based Authentication (KBA) responses: Your answers to security questions based on your credit history

Technical and Device Information

  • IP Address: The internet protocol address from which you access MySign

  • Device Fingerprint: Technical characteristics of your device including operating system, browser type and version, screen resolution, and device identifiers

  • Location data: Geographic location derived from your IP address

  • Browser and device information: Details about the web browser and device you use to access MySign

Signing Activity Data

  • Signature data: Your electronic signature and signature image (if applicable)

  • Timestamps: Date and time of signing activities

  • Document metadata: Information about the document you signed (but not necessarily the content)

  • Audit trail: Complete record of your signing session including all verification steps

Communications

  • Email correspondence with us

  • Records of any support requests or complaints

  1. How we collect your personal data

Directly from you

When you provide information during the signing process, including your name, email, and responses to verification questions.

From the document sender

The person or organisation requesting your signature may provide us with your contact details.

Automatically

We automatically collect technical data such as IP address, device fingerprint, and location when you use MySign.

From third-party verification providers

We obtain identity verification data from:

  • Credit reference agencies (Experian, Equifax, TransUnion)

  • KYC and AML verification service providers

  • PEP and sanctions screening databases

  • Qualified Trust Service Providers (QTSPs)

  1. How and why we use your personal data

We use your personal data for the following purposes:

To Provide the Electronic Signature Service

  • Processing your electronic signature

  • Enabling you to sign documents electronically

  • Delivering signed documents to relevant parties

  • Sending you notifications about signing requests

Legal basis: Performance of a contract (facilitating your signature of documents)

To Verify Your Identity

  • Confirming you are who you claim to be

  • Preventing fraud and identity theft

  • Conducting AML, KYC, PEP, and sanctions checks

  • Performing credit reference checks for identity verification

Legal basis: Consent (which you provide when proceeding to sign), legitimate interests (preventing fraud and ensuring signature authenticity), and legal obligation (compliance with financial crime regulations where applicable)

To Maintain Audit Trails and Records

  • Creating and maintaining comprehensive audit trails

  • Recording timestamps, IP addresses, and verification results

  • Providing evidence of the signing process

Legal basis: Legitimate interests (maintaining evidence of transactions), legal obligation (compliance with eIDAS and electronic signature regulations)

To Ensure Security and Prevent Misuse

  • Detecting and preventing fraud

  • Protecting against unauthorised access

  • Monitoring for suspicious activity

  • Maintaining system security

Legal basis: Legitimate interests (protecting our service and users from fraud and security threats)

To Comply with Legal Obligations

  • Complying with eIDAS and UK electronic signature regulations

  • Meeting anti-money laundering requirements

  • Responding to legal requests and court orders

  • Cooperating with law enforcement and regulatory authorities

Legal basis: Legal obligation

To Improve Our Service

  • Analysing service usage (in anonymised or aggregated form)

  • Identifying and fixing technical issues

  • Improving user experience

Legal basis: Legitimate interests (improving and developing our service)

To Communicate with You

  • Sending signing requests and reminders

  • Providing signing confirmations

  • Responding to your enquiries

  • Sending service-related notifications

Legal basis: Performance of a contract, legitimate interests (communicating effectively with users)

  1. Who we share your personal data with

We may share your personal data with the following categories of recipients:

Document Senders

The person or organisation that requested your signature will receive:

  • Your signed document

  • Audit trail and verification data

  • Confirmation of signature completion

Qualified Trust Service Providers (QTSPs)

We work with QTSPs to provide certain eIDAS-compliant signature services.

These providers may process your signature data in accordance with their own obligations under eIDAS.

Identity Verification Providers

We share necessary personal data with:

  • Credit reference agencies (Experian, Equifax, TransUnion) for identity verification purposes only

  • KYC and AML verification service providers to confirm your identity and screen for financial crime

  • PEP and sanctions screening providers to check against watchlists

IT and Service Providers

We use third-party service providers for:

  • Cloud hosting and storage

  • Email delivery services

  • Analytics and monitoring

  • Technical support and maintenance

These providers act as data processors on our behalf and are contractually obligated to protect your data.

Legal and Regulatory Authorities

We may share your personal data with:

  • Law enforcement agencies

  • Regulatory authorities

  • Courts and tribunals

  • Government agencies

We only share data when legally required or to protect legal rights.

Professional Advisers

We may share data with lawyers, auditors, accountants, and other professional advisers where necessary for legal, audit, or business advisory purposes.

Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your personal data may be transferred to the new owner, subject to the same privacy protections.

  1. International data transfers

Some of our service providers and verification providers may be located outside the United Kingdom.

Where we transfer your personal data internationally, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the UK Information Commissioner's Office

  • Adequacy decisions by the UK Government recognising equivalent data protection

  • Other legally approved transfer mechanisms

You can request more information about specific international transfers by contacting us.

  1. How long we keep your personal data

We retain your personal data for different periods depending on the purpose:

Signature Data and Audit Trails

Retention period: Minimum of 6 years from the date of signature

Reason: Legal and regulatory requirements, including the Limitation Act 1980 and evidence retention obligations

Identity Verification Data

Retention period: 6 years from the date of verification

Reason: Fraud prevention and compliance with financial crime regulations

Technical and Device Data

Retention period: 6 years as part of the audit trail

Reason: Evidence of the signing process and fraud prevention

Communications

Retention period: 3 years from the last communication

Reason: Customer service and record-keeping

After the retention period expires, we will securely delete or anonymise your personal data unless we are required by law to retain it longer (for example, if the data is subject to legal proceedings).

  1. Your rights

Under UK data protection law, you have the following rights:

Right of Access

You have the right to request a copy of the personal data we hold about you.

This is known as a Subject Access Request (SAR).

Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data.

Right to Erasure

You have the right to request deletion of your personal data in certain circumstances.

However, this right is limited where we are required to retain data for legal or regulatory purposes (such as maintaining audit trails and signature records).

Right to Restrict Processing

You have the right to request that we restrict processing of your personal data in certain circumstances, such as while we verify the accuracy of disputed data.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another data controller where technically feasible.

Right to Object

You have the right to object to processing of your personal data where we rely on legitimate interests as the legal basis.

We will stop processing unless we have compelling legitimate grounds that override your interests.

Right to Withdraw Consent

Where we process your data based on consent, you have the right to withdraw consent at any time.

However, this will not affect the lawfulness of processing before withdrawal.

Right to Lodge a Complaint

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your personal data properly.

ICO Contact Details:

Website: www.ico.org.uk

Helpline: 0303 123 1113

Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

How to Exercise Your Rights

To exercise any of these rights, please contact us using the details in Section 2.

We will respond to your request within one month, although this may be extended by up to two months for complex requests.

  1. Security of your personal data

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.

These measures include:

  • Encryption of data in transit and at rest

  • Access controls and authentication mechanisms

  • Regular security assessments and penetration testing

  • Employee training on data protection and security

  • Secure data centres with physical security measures

  • Regular backups and disaster recovery procedures

  • Monitoring and logging of system access

While we take all reasonable steps to protect your data, no method of transmission over the internet or electronic storage is completely secure.

We cannot guarantee absolute security.

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the ICO as required by law.

  1. Credit reference agencies

Important Information About Soft Credit Checks:

  • We use soft credit searches solely for identity verification purposes

  • Soft searches do NOT affect your credit score or credit rating

  • The search will be recorded on your credit file but will only be visible to you

  • Lenders and other organisations will not see soft searches when assessing your credit applications

  • We do not use credit reference data to assess your creditworthiness or financial situation

Credit reference agencies we work with may include Experian, Equifax, and TransUnion.

When we search your records, the credit reference agencies will record this as a soft search quotation search.

For more information about how credit reference agencies process your data, please visit their websites or contact them directly.

  1. Cookies and tracking technologies

MySign uses cookies and similar tracking technologies to:

  • Enable the service to function properly (essential cookies)

  • Collect device fingerprint information for security purposes

  • Analyse service usage and performance (analytics cookies)

  1. Children's privacy

MySign is not intended for use by individuals under the age of 18.

We do not knowingly collect personal data from children.

If you are under 18, you must not use MySign to sign documents.

If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information as soon as possible.

  1. Changes to this privacy policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

When we make material changes, we will notify you by:

  • Posting the updated Privacy Policy on our website

  • Displaying a notice during the signing process

  • Sending you an email notification (if we have your email address)

The updated Privacy Policy will take effect on the date specified at the top of the document.

Your continued use of MySign after changes are made constitutes your acceptance of the updated Privacy Policy.

We recommend that you review this Privacy Policy periodically.

  1. Contact us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:

Data Protection Contact:

TrustLink Digital Limited (trading as MySign)

Email: help@trustlink.co.uk

We will respond to all privacy-related enquiries within one month of receipt.

Summary of key points

What data we collect

Name, email, identity verification data (including soft credit checks), device information, IP address, location, and signature data.

Why we collect it

To provide the electronic signature service, verify your identity, prevent fraud, maintain audit trails, and comply with legal obligations.

Who we share it with

Document senders, QTSPs, verification providers (including credit reference agencies), service providers, and legal authorities when required.

How long we keep it

Minimum 6 years for signature data and audit trails, as required by law.

Your rights

Access, rectification, erasure (with limitations), restriction, portability, objection, and the right to complain to the ICO.

Credit checks

Soft searches ONLY - they do NOT affect your credit score and are only visible to you.