Legal
Privacy policy
Effective July 14, 2026
Punctilio is a document sharing and e-signature service operated by PumpKin Baby Inc. and available at punctil.io. This policy explains what information we handle, why we handle it, where it lives, how long we keep it, and the choices you have.
Who this policy covers
Three kinds of people interact with Punctilio:
- Account holders: people who sign up, create workspaces, upload documents, and send links or signature requests.
- Viewers and visitors: people who open a shared link, request access, or upload files to a request list. You don’t need an account for this.
- Signers: people invited to sign a document.
For account and billing information, and for inquiries you send us directly, we decide how the information is used and this policy is the full story. For everything a viewer, visitor, or signer provides through a shared link or signing request, the workspace that invited you decides why that information is collected, and we process it on that workspace’s behalf. If you have questions about why a workspace collected your information, contact the person or company that sent you the link. We’ll help them respond.
What we collect
If you have an account
- Login details. Your email address and a password. That’s all: we don’t ask for your name. Passwords are hashed by our authentication provider and we never see them in plain text. Your login session is stored in your browser’s local storage, not in a cookie.
- Preferences. Your chosen theme and your active workspace.
- Workspace details. Workspace name, logo, brand color, public link slug, signing company name, room names and descriptions, and team invitations (the invited email address and who sent the invite). Workspace logos are stored in a public storage bucket, which means anyone with the URL can view them. Don’t upload confidential material as a logo.
- Billing. Punctilio costs $29.99 per month after a 7-day trial. Payments run through Stripe. Card and payment details are entered on Stripe’s hosted pages and never touch our systems. We store your Stripe customer and subscription identifiers, plan, seat count, and trial and billing period dates. When we create your Stripe customer record, we send Stripe your workspace name and the billing admin’s email address.
- Enterprise inquiries. If you submit our custom plan form, we store the contact email, company, seat and storage needs, budget, your free-text notes, and the IP address and browser details of the submission.
If you view a shared link
What we collect depends on how the workspace owner configured the link:
- Email-gated links. Your email address, plus any access fields the owner turned on: company, role, and reason for access. If the link requires it, an NDA acceptance timestamp and password verification state.
- Email verification codes. For links that verify your email, we send a 6-digit code. We store only a salted hash of the code, never the code itself. Codes expire within minutes. A record that your email was verified for a given link is kept for 30 days so you don’t have to re-verify constantly.
- Access logs. We record events such as link opened, file opened, page viewed, time spent per page, downloads, NDA acceptance, and security events. These events can include your email, your IP address, and your browser details. Workspace owners see this activity in their analytics, can receive it in notification emails, and can have it delivered to webhooks they configure. If the owner enabled watermarking, viewed pages may be stamped with your email address.
- Session security. Viewer sessions store your IP address and browser details, plus hashed fingerprints derived from them, to detect session hijacking. Failed password attempts are counted against a hashed version of your IP in 15-minute windows and cleared on success. Viewer session tokens expire after 8 hours, and link owners can revoke access instantly at any time.
When workspace members preview their own links, those views are excluded from recipient analytics and notifications. Viewer tracking applies to external recipients.
If you sign a document
- Signer details. Your name, email, role, and signing order, entered by the person who sent the request.
- Your signature. The typed or drawn signature and initials you provide, including a small image of a drawn signature, plus field values you fill in.
- Consent evidence. Before signing, you accept an electronic signature disclosure. We record the disclosure version, the time you accepted, and your IP address and browser details. This is the legal evidence of your consent to sign electronically.
- Audit trail. Every step of the signing ceremony (viewing, page views, field focus, access code checks, consent, decline, submission, sealing) is logged with a timestamp, IP address, and browser details. The completed envelope’s audit trail can be downloaded by the sender as a PDF or CSV that includes signer names, emails, and per-event IP addresses. Completed envelopes are locked against modification.
- Optional identity codes. If the sender requires it, a one-time access code is emailed to you. We store only a hash of the code, with an expiry and an attempt limit.
Documents and uploads
- Documents. Files uploaded to data rooms, their version history, and metadata (filename, size, type, uploader). Document buckets are private and served only through authorization-checked functions.
- Preview conversion. Office files are converted to PDF for preview by a conversion service we host. File bytes pass through it transiently during conversion.
- Optional room encryption. Workspaces can enable per-room encryption, where each file is encrypted with its own key. The room key is held on our servers, so this hardens storage at rest but is not zero-knowledge: we can still decrypt files to serve them.
- Visitor uploads. Files uploaded against a request list are held in a staging area (50 MB cap, documents and images only) and scanned for malware by a private scanning service before they’re accepted. We record the uploader’s email, filename, size, and scan result.
Emails and delivery records
All product email (verification codes, signing invites and reminders, view and download notifications, digests, security alerts) is sent through Resend. We keep delivery ledgers (recipient email and timestamp) to avoid duplicate sends, and a suppression list of addresses that bounced or complained. View and download notification emails sent to workspace owners include the viewer’s email, IP address, and browser details.
Security and anti-abuse
Rate limiting uses one-way hashes of truncated IP addresses; raw IPs are deliberately not stored there. Suspicious viewer activity can trigger a Cloudflare Turnstile challenge, which sends the challenge token and your IP address to Cloudflare for verification. Vercel BotID screens protected routes for automated traffic. None of this is used for advertising.
Why we use this information
- To provide the service: hosting documents, controlling access to links, running signing ceremonies, and delivering notifications.
- To give workspace owners the access records and audit trails they configured, which is a core feature of the product.
- To bill subscriptions through Stripe.
- To keep the service secure: malware scanning, rate limiting, session hijack detection, and bot screening.
- To create legally meaningful e-signature records, including consent evidence and audit trails.
- To respond when you contact us.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use your documents for anything other than providing the service.
Cookies, browser storage, and analytics
We are deliberately minimal here:
- One first-party cookie:
sidebar:state, which remembers whether your sidebar is open. It lasts 7 days and does no tracking. - No advertising or cross-site tracking cookies. None.
- Browser storage: your login session, theme, and a security token live in your browser’s local and session storage.
- Analytics: we use Vercel Analytics for page analytics. It is cookieless and does not track you across sites. We use no other product analytics, no Google Analytics, no advertising pixels, and no session replay tools.
Service providers
We share information with these providers, each only to do its job:
- Supabase. Database, authentication, file storage, and server functions. Handles most data described in this policy.
- Vercel. Web hosting, page analytics, and bot screening. Handles request data and cookieless analytics.
- Stripe. Billing. Handles payment details (entered on Stripe’s pages), the billing admin’s email, and the workspace name.
- Resend. Email delivery. Handles recipient addresses and email content.
- Cloudflare. Turnstile security challenges. Handles challenge tokens and the challenged visitor’s IP address.
- Railway. Hosts our document conversion and malware scanning services. Handles file bytes in transit during conversion and scanning.
Workspace owners also receive viewer and signer information as described above, including through notification emails and webhooks they configure. Once information reaches a workspace owner’s own systems, their practices apply.
Our infrastructure runs on Supabase and Vercel. Contact us if you need details about current hosting regions.
How long we keep information
- Account data: until you close your account. Closing your account removes your workspace memberships and preferences. We keep your login email and a closure record, including any reason you provide, so we can honor the closure and prevent abuse.
- Workspace data: until the workspace is deleted. Workspace deletion is real deletion: the database records cascade, stored files (documents, sealed PDFs, audit reports, logos, staged uploads, archives) are removed, and the Stripe subscription is cancelled. A cleanup job retries until everything is gone.
- Rooms: deleting a room removes its files, versions, share links, viewer sessions, and request uploads.
- Viewer email verification codes: deleted within 10 minutes, or immediately on use. Verified-email records last 30 days.
- Viewer sessions: tokens expire after 8 hours; session records are removed when the link is deleted.
- Access log events: retained indefinitely, including after the related link, room, or workspace is deleted. These records, which can include viewer emails and IP addresses, are kept as a security and audit history. You can ask us to delete records about you (see your rights below).
- Signing records: signer details, signatures, consent evidence, and audit trails are kept until the envelope or workspace is deleted, since they are the legal record of the signature.
- Staged visitor uploads: cleaned up 24 hours after they’re superseded, rejected, or filed. Files flagged as malware are quarantined for 30 days, then deleted.
- Email suppression: soft bounces expire after 7 days; hard bounces and complaints are kept permanently so we don’t email those addresses again.
- Enterprise inquiries: kept until you ask us to delete them.
- Data held by Stripe follows Stripe’s own retention practices.
Security
Passwords, link passwords, share tokens, session tokens, verification codes, and signer access codes are all stored as hashes, never in plain text. Document buckets are private and access-checked; the only public bucket is workspace logos. Optional room encryption adds per-file encryption at rest. Visitor uploads are malware-scanned before acceptance. Rate limiting and fingerprinting use hashed, truncated identifiers.
Your rights
Depending on where you live, you may have the right to access, correct, delete, or export your personal information, and to object to or restrict certain processing. California residents have rights under the CCPA, including the right to know, delete, and correct; as stated above, we do not sell or share personal information as those terms are defined there, so there is nothing to opt out of.
To exercise any right, email support@punctil.io from the address involved. We may ask you to verify the request. If your information was collected because a workspace shared a link with you or asked you to sign, we may refer the request to that workspace or coordinate with them, since they control why it was collected. We will not discriminate against you for exercising your rights.
You can also act directly: account holders can close their account or delete workspaces from settings, and workspace admins can delete rooms, revoke links, and cancel sessions at any time.
Children
Punctilio is a business tool and is not directed at anyone under 16. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.
Changes to this policy
When we make material changes, we’ll update the effective date at the top and, for significant changes, notify account holders by email or in the app. Continued use after the effective date means the updated policy applies.
Contact
PumpKin Baby Inc.
support@punctil.io