Privacy Policy

Article 1 (General Provisions)

  1. This MediaSign Privacy Policy (hereinafter referred to as the “Policy”) is established by MediaSign, a company incorporated in the United Kingdom (hereinafter referred to as the “Company”), to protect the personal data of data subjects (hereinafter referred to as “Users”) who use the MediaSign service (hereinafter referred to as the “Service”), and to ensure the prompt and smooth handling of any related concerns or complaints.
  2. The Company complies with applicable data protection legislation, including the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) (collectively referred to as “Applicable Laws”). Through this Policy, the Company informs Users of the purposes and methods by which their personal data is processed and the protective measures taken to ensure its security.
  3. The key terms used in this Policy are defined as follows:
    • “Personal Data” refers to any information relating to an identified or identifiable living individual. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
    • “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. This includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
    • “Data Subject” refers to the natural person who can be identified, directly or indirectly, by the processed personal data. In this Policy, the User is the Data Subject.
    • “MediaSign AI” refers to the artificial intelligence technology embedded within the Service, which provides contract-related assistance such as contract analysis and clause suggestions.
    • “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The Company acts as a Controller with respect to personal data it directly collects from Users for the purpose of providing the Service (e.g., account information).
    • “Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller. The Company may act as a Processor when handling personal data included in contract content created or submitted by Users while using the Service.
  4. This Policy is publicly available through the privacy policy section of the Company’s website or mobile application, and Users may access and review it at any time.

Article 2 (Categories and Purposes of Personal Data Collection)

  1. The Company collects only the minimum personal data necessary to provide the Service, manage user accounts, respond to inquiries, and fulfill legal obligations. The categories of personal data collected are as follows:
    1. Account Registration and Management: Email address (The Service uses an email-based authentication method. The Company does not collect or store user passwords.)
    2. Information Generated or Provided During Use of the Service:
      • Data related to contract creation and execution: Personal data included in contract content entered or uploaded by the user via the Service, such as audio, video, document files, electronic signatures, and metadata (e.g., location, time, log records that may serve as evidence of contractual context).
      • Use of MediaSign AI Contract Analysis Features: Information contained within the contract subject to analysis.
    3. Customer Support and Inquiry Handling: Inquiry details, and if necessary, additional information required for verification.
    4. Payment for Paid Services (if applicable): Subscription billing information (Note: Payments are processed through third-party payment providers or payment applications. The Company does not collect or store sensitive payment information, such as full credit card numbers.)
  2. The Company uses the collected personal data for the following purposes:
    • Provision of Services: To provide functionalities for contract execution (including on-site contracts, remote contracts, file upload contracts, screen-recorded contracts, and Zoom plugin-based contracts), to generate and transmit digital contracts, and to identify and authenticate users.
    • User Account Management: To verify user identity for membership-based services, to prevent unauthorized or fraudulent use by malicious actors, and to confirm user intent at the time of registration.
    • Provision of MediaSign AI Functionality: To support AI-based contract assistance, including content analysis, detection of missing clauses, risk evaluation, and recommendation of templates.
    • Customer Support: To respond to inquiries or complaints, and to provide important service notices.
    • Compliance with Legal Obligations: To fulfill obligations under applicable laws and regulations, and to retain evidence in the event of a dispute.
    • Provision of Paid Services: To process and manage service payments and billing.
    The Company uses personal data strictly within the scope of the purposes stated above and does not use it for any other purposes without the User’s explicit consent. The only personal data continuously retained and accessible by the Company for service operation and management is the User’s email address. Procedures are in place to ensure that Users may exercise their rights regarding their personal data, including access, rectification, and erasure, in accordance with applicable laws.
    Personal data such as audio, video, documents, and other contract-related content processed by Users through the Service for purposes such as contract support or contract generation and delivery, is immediately deleted from any Company-accessible servers after use. Thereafter, the data is compressed, securely encrypted, and stored on the InterPlanetary File System (IPFS), with its hash recorded on the blockchain. This encrypted data is designed such that it cannot be decrypted or accessed arbitrarily by the Company. All personal data is strictly managed in accordance with Applicable Laws and internal policies to ensure secure processing and to prevent unnecessary retention. Data is promptly deleted once its intended purpose has been fulfilled or the retention period has expired.
  3. In accordance with the UK GDPR and the Data Protection Act 2018, the Company does not collect or use any additional personal data beyond the categories specified in Clause 1 of this Article without the User’s explicit consent.

Article 3 (Processing and Retention Period of Personal Data)

  1. The Company processes and retains personal data only within the period permitted under applicable laws or the period consented to by the data subject at the time of collection. The Company adheres to the principles of data minimization and storage limitation.
  2. The retention periods for each category of personal data are as follows:
    • Account registration information (email address): Until the user withdraws membership or for the duration required under applicable laws. As a general rule, the Company deletes account information immediately upon a user’s request for account deletion. However, in cases where legal obligations require, a minimum amount of information may be retained for the statutorily mandated period.
    • Personal data within contract content collected during contract creation (not included in the finalized MediaSign Digital Contract): Such data is deleted without delay from Company-accessible servers after contract completion, or in accordance with internal policy (e.g., immediate deletion of incomplete contracts).
    • MediaSign Digital Contracts (final contract artifacts sent via email): The Company does not retain the finalized digital contracts separately and transmits them once to the designated email address of the user. The responsibility for managing and storing the digital contract lies entirely with the user.
    • Customer support and inquiry records: Retained for the duration required under relevant laws (typically three years) or until the resolution of related disputes, after which they are securely destroyed.
    • In cases involving investigations or legal inquiries due to violations of the law: Retained until the conclusion of the investigation or legal proceedings.
    • For the settlement of claims or obligations arising from use of the Service: Retained until the resolution of such matters.
  3. Upon expiration of the applicable retention period, personal data is securely and irreversibly destroyed. Electronic files are deleted using technical methods that prevent recovery or reconstruction. Paper records are destroyed through secure shredding or incineration.

Article 4 (Provision of Personal Data to Third Parties and Outsourcing of Processing)

  1. The Company provides personal data to third parties only where there is a lawful basis under the UK GDPR, such as the data subject’s explicit consent, legal obligations, or the performance of a contract with the data subject.
  2. When providing personal data to a third party, the Company will inform the data subject in advance of the purpose of provision, specific data items, recipients, retention period, and other relevant details, and will obtain consent if required. To facilitate effective personal data processing, the Company may outsource certain personal data processing tasks to trusted third-party processors. In such cases, the Company enters into a data processing agreement that stipulates the following obligations for the processor, in compliance with the UK GDPR and other applicable laws:
    • Cloud service providers: Data storage and management (where personal data is transferred abroad, the Company will inform users of the transfer and the legal basis for such transfer)
    • Payment service providers: Processing of payments for paid services
    • Customer support service providers: Handling user inquiries and support requests
    • IPFS (InterPlanetary File System) and blockchain service providers: Supporting the decentralized storage and recording of hash values for encrypted contract content
  3. If there are any changes to the outsourced processing activities or the identity of processors, the Company will promptly disclose such changes through this Privacy Policy.

Article 5 (Rights and Obligations of Data Subjects and Legal Guardians, and Methods of Exercising Them)

  1. In accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable laws, Users have the right to access their personal data, request rectification or erasure, restrict processing, object to specific types of processing, exercise the right to data portability, and withdraw previously given consent at any time where processing is based on consent. The Company ensures that Users, as data subjects, are able to exercise these rights in accordance with the law and will promptly cooperate with any such request in compliance with applicable legal requirements. Details regarding the methods and procedures for exercising these rights are set forth in Paragraph 2 of this Article.
  2. Users may exercise their rights under Paragraph 1 by submitting a request in writing or via email to the contact details specified in Article 9 of this Policy. The Company will take appropriate measures without undue delay, in accordance with applicable laws.
  3. If the data subject requests the rectification or erasure of their personal data due to errors or inaccuracies, the Company will refrain from using or providing the relevant data until the requested correction or deletion has been completed.
  4. Individuals under the age of 16—or under the minimum digital consent age as defined by the applicable laws of their country of residence—are not permitted to use this Service.
  5. Data subjects must not infringe upon the personal data or privacy of themselves or others by violating applicable laws in the course of their interactions with the Company.
  6. Users are responsible for ensuring that the personal data they provide is accurate and up to date in order to prevent accidental or unauthorized issues. The User shall be liable for any damages resulting from the submission of inaccurate or false information. If a User provides false or misappropriated information (e.g., using someone else's personal data), their membership may be revoked or restricted.

Article 6 (Measures to Ensure the Security of Personal Data)

  1. The Company implements appropriate technical, administrative, and physical safeguards in accordance with the requirements of the UK GDPR to ensure the security and protection of personal data. These measures include, but are not limited to:
    • Encryption of Personal Data: Important data such as contract content, electronic signatures, and all associated metadata are encrypted using strong encryption algorithms such as AES-256 or equivalent. (The Service uses email-based authentication and does not store any user passwords.)
    • Access Control and Authority Management: Access to personal data processing systems is granted on a need-to-know basis with differentiated levels of authorization. Records are maintained for the granting, modification, and revocation of access rights. Unauthorized access is strictly controlled. Notably, the Company is fundamentally restricted from decrypting or directly accessing encrypted contract content stored on the decentralized file system (IPFS).
    • Installation and Operation of Security Programs: To prevent leakage or damage to personal data caused by hacking, malware, or other malicious attacks, the Company installs and regularly updates security software, and employs firewalls and intrusion prevention systems to control unauthorized external access.
    • Internal Management Plan: An internal data protection management policy is established and enforced to ensure secure processing of personal data. Regular training and compliance audits are conducted for all employees.
    • Physical Access Restrictions: Areas where personal data is stored, such as server rooms and archives, are protected by physical access control procedures to prevent unauthorized entry.
    • Security of IPFS-Based Storage and Blockchain Logging: Contract files are encrypted and stored in a decentralized manner via IPFS. The unique hash of each contract is recorded on the blockchain, thereby enhancing data integrity and preventing tampering.
    • Data Protection by Design and by Default: Data protection principles are embedded into the development and operation of the Service from the outset, ensuring compliance and minimizing risks throughout the data lifecycle.
  2. In the event of a personal data breach, the Company will promptly notify the User and the UK Information Commissioner’s Office (ICO) in accordance with applicable laws. Where necessary, the Company will also notify other competent authorities and affected data subjects. The Company has established procedures to ensure such notifications are made without undue delay. The Company will thoroughly investigate the cause of the breach and implement corrective actions to prevent further harm and recurrence.

Article 7 (Processing of Personal Data by MediaSign AI)

  1. The Company provides MediaSign AI features within the Service, including contract type classification, clause omission detection, risk evaluation, clause recommendations, multilingual translation, speech-to-text (STT), and natural language processing (NLP)-based contract analysis. These features are used solely for the purpose of AI-based contract review (“AI Contract Review”) of contract content—potentially including personal data—submitted by the User via various channels such as the MediaSign app, SNS integrations, or video conferencing platforms.
  2. When the User utilizes the MediaSign AI features, personal data contained in the submitted contract content may be processed to the extent necessary to perform the requested AI Contract Review. Such processing must be based on the User’s explicit and freely given consent. The legal basis for this processing is the performance of a contract at the User’s request or the provision of services explicitly requested by the User.
  3. Contract content submitted via the Service (including through the MediaSign app, SNS, or video conferencing platforms) may undergo AI analysis and subsequent editing or supplementation by the User. Once finalized or confirmed by the User, the contract is compressed and securely encrypted, then stored on a decentralized file system (IPFS). The unique hash of the contract is recorded on a blockchain to ensure its integrity. The Company does not retain the encryption keys and cannot decrypt or access the original encrypted contract content.
  4. MediaSign AI does not use any user-submitted contract content processed for AI Contract Review as training data for AI models, nor does it store such content separately for model improvement or any other purpose. The AI system processes data exclusively for the User's specific contract review request. After the requested task is completed and the storage procedure outlined in Paragraph 3 is performed, the original contract content is not retained within the AI system or on any server accessible by the Company.
  5. The results and suggestions provided by MediaSign AI are generated by an automated tool and are intended solely for informational and reference purposes. They do not constitute legal advice or legal strive(s) to ensure. For matters requiring legal effectiveness, such as contract completeness, legality, or fitness for a particular purpose, Users must seek review and counsel from a qualified legal professional.

Article 8 (International Transfer of Personal Data)

  1. For the purpose of providing global services and ensuring operational efficiency in data processing, the Company may transfer and process Users’ personal data in countries outside of the United Kingdom, including or excluding countries within the European Economic Area (EEA).
  2. When transferring personal data outside the United Kingdom, the Company will comply with the international transfer requirements set forth in the UK GDPR. These may include, but are not limited to, reliance on: an adequacy decision issued by the UK government, the execution of UK-approved Standard Contractual Clauses (SCCs), or the adoption of Binding Corporate Rules (BCRs). The Company will ensure that Users’ personal data is adequately protected under such legal safeguards.
  3. The specific destination countries, categories of personal data transferred, purposes of the transfer, retention periods, and applicable safeguards may be separately notified to Users or described in an updated version of this Policy.

Article 9 (Data Protection Officer and Responsible Department)

  1. In accordance with the UK Data Protection Act 2018, the Company appoints a Data Protection Officer (DPO)—or, if the appointment of a DPO is not mandatory, a designated data protection representative or team—to take overall responsibility for the Company’s personal data processing activities. The DPO is also responsible for handling data subjects’ complaints and requests for redress. The contact details are as follows:
    1. Data Protection Officer (DPO) / Data Protection Representative
      • Name/Department: [Insert]
      • Title/Position: [Insert]
      • Contact (Email): [Insert]
      • (Optional) Contact (Address): [Insert]
  2. Users may contact the DPO or responsible department with any inquiries, complaints, or requests for redress regarding personal data that may arise during their use of the Service. The Company will respond and take appropriate action without undue delay.

Article 10 (Response to Personal Data Breaches and Remedies for Rights Infringement)

  1. The Company has established internal procedures to prepare for potential personal data breaches. In the event of such an incident, the Company will take appropriate actions to minimize damage and will notify affected Users in accordance with applicable laws. Where required, the Company will also report the breach to the UK Information Commissioner’s Office (ICO).
  2. If a data subject requires counseling or wishes to seek redress in connection with a personal data breach, they may file a complaint with or contact the UK’s independent regulatory authority, the Information Commissioner’s Office (ICO), as follows:
    1. Information Commissioner’s Office (ICO)
      • Website: www.ico.org.uk
      • Telephone: [Refer to current number on ICO website]
      • Address: [Refer to current address on ICO website]

Article 11 (Amendments to the Privacy Policy)

  1. This Privacy Policy shall take effect from the effective date specified below. The Company may amend, add to, or delete provisions of this Policy to reflect changes in laws or services. In the event of any such changes, the Company will notify Users at least seven (7) days in advance via the Service website’s announcements section. In cases of material changes, notification will be made at least thirty (30) days in advance, and separate consent from Users may be requested if necessary.
  2. Continued use of the Service after the effective date of the revised Policy shall not be deemed as consent unless explicit consent is provided. The Company may request separate consent from the User where required.

Supplementary Provision

This Privacy Policy shall take effect as of September 1, 2025.

Last Updated: September 1, 2025

ⓒ Copyright 2025 MEDIASIGN - All Rights Reserved

Privacy Policy

Article 1 (General Provisions)

  1. This MediaSign Privacy Policy (hereinafter referred to as the “Policy”) is established by MediaSign, a company incorporated in the United Kingdom (hereinafter referred to as the “Company”), to protect the personal data of data subjects (hereinafter referred to as “Users”) who use the MediaSign service (hereinafter referred to as the “Service”), and to ensure the prompt and smooth handling of any related concerns or complaints.
  2. The Company complies with applicable data protection legislation, including the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) (collectively referred to as “Applicable Laws”). Through this Policy, the Company informs Users of the purposes and methods by which their personal data is processed and the protective measures taken to ensure its security.
  3. The key terms used in this Policy are defined as follows:
    • “Personal Data” refers to any information relating to an identified or identifiable living individual. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
    • “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. This includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
    • “Data Subject” refers to the natural person who can be identified, directly or indirectly, by the processed personal data. In this Policy, the User is the Data Subject.
    • “MediaSign AI” refers to the artificial intelligence technology embedded within the Service, which provides contract-related assistance such as contract analysis and clause suggestions.
    • “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The Company acts as a Controller with respect to personal data it directly collects from Users for the purpose of providing the Service (e.g., account information).
    • “Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller. The Company may act as a Processor when handling personal data included in contract content created or submitted by Users while using the Service.
  4.  This Policy is publicly available through the privacy policy section of the Company’s website or mobile application, and Users may access and review it at any time.

Article 2 (Categories and Purposes of Personal Data Collection)

  1. The Company collects only the minimum personal data necessary to provide the Service, manage user accounts, respond to inquiries, and fulfill legal obligations. The categories of personal data collected are as follows:
    1. Account Registration and Management: Email address (The Service uses an email-based authentication method. The Company does not collect or store user passwords.)
    2. Information Generated or Provided During Use of the Service:
      • Data related to contract creation and execution: Personal data included in contract content entered or uploaded by the user via the Service, such as audio, video, document files, electronic signatures, and metadata (e.g., location, time, log records that may serve as evidence of contractual context).
      • Use of MediaSign AI Contract Analysis Features: Information contained within the contract subject to analysis.
    3. Customer Support and Inquiry Handling: Inquiry details, and if necessary, additional information required for verification.
    4. Payment for Paid Services (if applicable): Subscription billing information (Note: Payments are processed through third-party payment providers or payment applications. The Company does not collect or store sensitive payment information, such as full credit card numbers.)
  2. The Company uses the collected personal data for the following purposes:
    • Provision of Services: To provide functionalities for contract execution (including on-site contracts, remote contracts, file upload contracts, screen-recorded contracts, and Zoom plugin-based contracts), to generate and transmit digital contracts, to identify and authenticate users.
    • User Account Management: To verify user identity for membership-based services, to prevent unauthorized or fraudulent use by malicious actors, to confirm user intent at the time of registration.
    • Provision of MediaSign AI Functionality: To support AI-based contract assistance, including content analysis, detection of missing clauses, risk evaluation, and recommendation of templates.
    • Customer Support: To respond to inquiries or complaints, and to provide important service notices.
    • Compliance with Legal Obligations: To fulfill obligations under applicable laws and regulations, toretain evidence in the event of a dispute.
    • Provision of Paid Services: To process and manage service payments and billing. The Company uses personal data strictly within the scope of the purposes stated above and does not use it for any other purposes without the User’s explicit consent. The only personal data continuously retained and accessible by the Company for service operation and management is the User’s email address. Procedures are in place to ensure that Users may exercise their rights regarding their personal data, including access, rectification, and erasure, in accordance with applicable laws. Personal data such as audio, video, documents, and other contract-related content processed by Users through the Service for purposes such as contract support or contract generation and delivery, is immediately deleted from any Company-accessible servers after use. Thereafter, the data is compressed, securely encrypted, and stored on the InterPlanetary File System (IPFS), with its hash recorded on the blockchain. This encrypted data is designed such that it cannot be decrypted or accessed arbitrarily by the Company. All personal data is strictly managed in accordance with Applicable Laws and internal policies to ensure secure processing and to prevent unnecessary retention. Data is promptly deleted once its intended purpose has been fulfilled or the retention period has expired.
  3. In accordance with the UK GDPR and the Data Protection Act 2018, the Company does not collect or use any additional personal data beyond the categories specified in Clause 1 of this Article without the User’s explicit consent.

Article 3 (Processing and Retention Period of Personal Data)

  1.  The Company processes and retains personal data only within the period permitted under applicable laws or the period consented to by the data subject at the time of collection. The Company adheres to the principles of data minimization and storage limitation.
  2. The retention periods for each category of personal data are as follows:
    • Account registration information (email address): Until the user withdraws membership or for the duration required under applicable laws. As a general rule, the Company deletes account information immediately upon a user’s request for account deletion. However, in cases where legal obligations require, a minimum amount of information may be retained for the statutorily mandated period.
    • Personal data within contract content collected during contract creation (not included in the finalized MediaSign Digital Contract): Such data is deleted without delay from Company-accessible servers after contract completion, or in accordance with internal policy (e.g., immediate deletion of incomplete contracts).
    • MediaSign Digital Contracts (final contract artifacts sent via email): The Company does not retain the finalized digital contracts separately and transmits them once to the designated email address of the user. The responsibility for managing and storing the digital contract lies entirely with the user.
    • Customer support and inquiry records: Retained for the duration required under relevant laws (typically three years) or until the resolution of related disputes, after which they are securely destroyed.
    • In cases involving investigations or legal inquiries due to violations of the law: Retained until the conclusion of the investigation or legal proceedings.
    • For the settlement of claims or obligations arising from use of the Service: Retained until the resolution of such matters.
  3. Upon expiration of the applicable retention period, personal data is securely and irreversibly destroyed. Electronic files are deleted using technical methods that prevent recovery or reconstruction. Paper records are destroyed through secure shredding or incineration.

Article 4 (Provision of Personal Data to Third Parties and Outsourcing of Processing)

  1. The Company provides personal data to third parties only where there is a lawful basis under the UK GDPR, such as the data subject’s explicit consent, legal obligations, or the performance of a contract with the data subject.
  2. When providing personal data to a third party, the Company will inform the data subject in advance of the purpose of provision, specific data items, recipients, retention period, and other relevant details, and will obtain consent if required. To facilitate effective personal data processing, the Company may outsource certain personal data processing tasks to trusted third-party processors. In such cases, the Company enters into a data processing agreement that stipulates the following obligations for the processor, in compliance with the UK GDPR and other applicable laws:
    • Cloud service providers: Data storage and management (where personal data is transferred abroad, the Company will inform users of the transfer and the legal basis for such transfer)
    • Payment service providers: Processing of payments for paid services
    • Customer support service providers: Handling user inquiries and support requests
    • IPFS (InterPlanetary File System) and blockchain service providers: Supporting the decentralized storage and recording of hash values for encrypted contract content
  3. If there are any changes to the outsourced processing activities or the identity of processors, the Company will promptly disclose such changes through this Privacy Policy.

Article 5 (Rights and Obligations of Data Subjects and Legal Guardians, and Methods of Exercising Them)

  1. In accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable laws, Users have the right to access their personal data, request rectification or erasure, restrict processing, object to specific types of processing, exercise the right to data portability, and withdraw previously given consent at any time where processing is based on consent. The Company ensures that Users, as data subjects, are able to exercise these rights in accordance with the law and will promptly cooperate with any such request in compliance with applicable legal requirements. Details regarding the methods and procedures for exercising these rights are set forth in Paragraph 2 of this Article.
  2. Users may exercise their rights under Paragraph 1 by submitting a request in writing or via email to the contact details specified in Article 9 of this Policy. The Company will take appropriate measures without undue delay, in accordance with applicable laws.
  3. If the data subject requests the rectification or erasure of their personal data due to errors or inaccuracies, the Company will refrain from using or providing the relevant data until the requested correction or deletion has been completed.
  4. Individuals under the age of 16—or under the minimum digital consent age as defined by the applicable laws of their country of residence—are not permitted to use this Service.
  5. Data subjects must not infringe upon the personal data or privacy of themselves or others by violating applicable laws in the course of their interactions with the Company.
  6. Users are responsible for ensuring that the personal data they provide is accurate and up to date in order to prevent accidental or unauthorized issues. The User shall be liable for any damages resulting from the submission of inaccurate or false information. If a User provides false or misappropriated information (e.g., using someone else's personal data), their membership may be revoked or restricted.

Article 6 (Measures to Ensure the Security of Personal Data)

  1. The Company implements appropriate technical, administrative, and physical safeguards in accordance with the requirements of the UK GDPR to ensure the security and protection of personal data. These measures include, but are not limited to:
    • Encryption of Personal Data: Important data such as contract content, electronic signatures, and all associated metadata are encrypted using strong encryption algorithms such as AES-256 or equivalent. (The Service uses email-based authentication and does not store any user passwords.)
    • Access Control and Authority Management: Access to personal data processing systems is granted on a need-to-know basis with differentiated levels of authorization. Records are maintained for the granting, modification, and revocation of access rights. Unauthorized access is strictly controlled. Notably, the Company is fundamentally restricted from decrypting or directly accessing encrypted contract content stored on the decentralized file system (IPFS).
    • Installation and Operation of Security Programs: To prevent leakage or damage to personal data caused by hacking, malware, or other malicious attacks, the Company installs and regularly updates security software, and employs firewalls and intrusion prevention systems to control unauthorized external access.
    • Internal Management Plan: An internal data protection management policy is established and enforced to ensure secure processing of personal data. Regular training and compliance audits are conducted for all employees.
    • Physical Access Restrictions: Areas where personal data is stored, such as server rooms and archives, are protected by physical access control procedures to prevent unauthorized entry.
    • Security of IPFS-Based Storage and Blockchain Logging: Contract files are encrypted and stored in a decentralized manner via IPFS. The unique hash of each contract is recorded on the blockchain, thereby enhancing data integrity and preventing tampering.
    • Data Protection by Design and by Default: Data protection principles are embedded into the development and operation of the Service from the outset, ensuring compliance and minimizing risks throughout the data lifecycle.
  2. In the event of a personal data breach, the Company will promptly notify the User and the UK Information Commissioner’s Office (ICO) in accordance with applicable laws. Where necessary, the Company will also notify other competent authorities and affected data subjects. The Company has established procedures to ensure such notifications are made without undue delay. The Company will thoroughly investigate the cause of the breach and implement corrective actions to prevent further harm and recurrence.

Article 7 (Processing of Personal Data by MediaSign AI)

  1. The Company provides MediaSign AI features within the Service, including contract type classification, clause omission detection, risk evaluation, clause recommendations, multilingual translation, speech-to-text (STT), and natural language processing (NLP)-based contract analysis. These features are used solely for the purpose of AI-based contract review (“AI Contract Review”) of contract content—potentially including personal data—submitted by the User via various channels such as the MediaSign app, SNS integrations, or video conferencing platforms.
  2. When the User utilizes the MediaSign AI features, personal data contained in the submitted contract content may be processed to the extent necessary to perform the requested AI Contract Review. Such processing must be based on the User’s explicit and freely given consent. The legal basis for this processing is the performance of a contract at the User’s request or the provision of services explicitly requested by the User.
  3. Contract content submitted via the Service (including through the MediaSign app, SNS, or video conferencing platforms) may undergo AI analysis and subsequent editing or supplementation by the User. Once finalized or confirmed by the User, the contract is compressed and securely encrypted, then stored on a decentralized file system (IPFS). The unique hash of the contract is recorded on a blockchain to ensure its integrity. The Company does not retain the encryption keys and cannot decrypt or access the original encrypted contract content.
  4. MediaSign AI does not use any user-submitted contract content processed for AI Contract Review as training data for AI models, nor does it store such content separately for model improvement or any other purpose. The AI system processes data exclusively for the User's specific contract review request. After the requested task is completed and the storage procedure outlined in Paragraph 3 is performed, the original contract content is not retained within the AI system or on any server accessible by the Company.
  5. The results and suggestions provided by MediaSign AI are generated by an automated tool and are intended solely for informational and reference purposes. They do not constitute legal advice or a legal guarantee. For matters requiring legal effectiveness, such as contract completeness, legality, or fitness for a particular purpose, Users must seek review and counsel from a qualified legal professional.

Article 8 (International Transfer of Personal Data)

  1. For the purpose of providing global services and ensuring operational efficiency in data processing, the Company may transfer and process Users’ personal data in countries outside of the United Kingdom, including or excluding countries within the European Economic Area (EEA).
  2. When transferring personal data outside the United Kingdom, the Company will comply with the international transfer requirements set forth in the UK GDPR. These may include, but are not limited to, reliance on: an adequacy decision issued by the UK government, the execution of UK-approved Standard Contractual Clauses (SCCs), or the adoption of Binding Corporate Rules (BCRs). The Company will ensure that Users’ personal data is adequately protected under such legal safeguards.
  3. The specific destination countries, categories of personal data transferred, purposes of the transfer, retention periods, and applicable safeguards may be separately notified to Users or described in an updated version of this Policy.

Article 9 (Data Protection Officer and Responsible Department)

  1. In accordance with the UK Data Protection Act 2018, the Company appoints a Data Protection Officer (DPO)—or, if the appointment of a DPO is not mandatory, a designated data protection representative or team—to take overall responsibility for the Company’s personal data processing activities. The DPO is also responsible for handling data subjects’ complaints and requests for redress. The contact details are as follows:
    1. Data Protection Officer (DPO) / Data Protection Representative
      • Name/Department: [Insert]
      • Title/Position: [Insert]
      • Contact (Email): [Insert]
      • (Optional) Contact (Address): [Insert]
  2. Users may contact the DPO or responsible department with any inquiries, complaints, or requests for redress regarding personal data that may arise during their use of the Service. The Company will respond and take appropriate action without undue delay.

Article 10 (Response to Personal Data Breaches and Remedies for Rights Infringement)

  1. The Company has established internal procedures to prepare for potential personal data breaches. In the event of such an incident, the Company will take appropriate actions to minimize damage and will notify affected Users in accordance with applicable laws. Where required, the Company will also report the breach to the UK Information Commissioner’s Office (ICO).
  2. If a data subject requires counseling or wishes to seek redress in connection with a personal data breach, they may file a complaint with or contact the UK’s independent regulatory authority, the Information Commissioner’s Office (ICO), as follows:
    1. Information Commissioner’s Office (ICO)
      • Website: www.ico.org.uk
      • Telephone: [Refer to current number on ICO website]
      • Address: [Refer to current address on ICO website]

Article 11 (Amendments to the Privacy Policy)

  1. This Privacy Policy shall take effect from the effective date specified below. The Company may amend, add to, or delete provisions of this Policy to reflect changes in laws or services. In the event of any such changes, the Company will notify Users at least seven (7) days in advance via the Service website’s announcements section. In cases of material changes, notification will be made at least thirty (30) days in advance, and separate consent from Users may be requested if necessary.
  2. Continued use of the Service after the effective date of the revised Policy shall not be deemed as consent unless explicit consent is provided. The Company may request separate consent from the User where required.

Supplementary Provision

This Privacy Policy shall take effect as of September 1, 2025.

Last Updated: September 1, 2025

ⓒ Copyright 2025 MEDIASIGN - All Rights Reserved


Supplementary Provision

This Privacy Policy shall take effect as of September 1, 2025.

Last Updated: September 1, 2025

ⓒ Copyright 2025 MEDIASIGN - All Rights Reserved
