CipherSign  ›  Privacy Policy

Privacy Policy

CipherSign — published by CIPHERPLUS PTE. LTD.  ·  Last updated: June 2026  ·  Effective: June 2026
Plain-English summary: CipherSign signs documents entirely on your device. We do not upload your documents, your signing keys, or any analytics. The only time we receive any data from you is when you email us to request a paid signing license — in which case we receive your email address and a one-way hash of your hardware identifier (so the license can be bound to your machine).

1. Who we are

This Privacy Policy is published by CIPHERPLUS PTE. LTD. (UEN 202316039M, Singapore), the developer and publisher of CipherSign, a quantum-safe document signing desktop application distributed via the Microsoft Store and direct download.

Contact: [email protected]  ·  Website: cipherplus.io/ciphersign

2. What data CipherSign handles, where, and why

This section satisfies the disclosure requirements of GDPR Article 13, Singapore PDPA Section 13, and Microsoft Store ADA Section 5(h).

ActivityData handledWhere it goes
Reading documents you sign or verify The document bytes you explicitly select via the file picker Stays on your device. Read into memory only.
Creating a signing identity Name, organisation, ML-DSA key pair you enter / generate Local storage only: %LOCALAPPDATA%\CipherSign\keys\ and a backup copy in ~\Documents\CipherSign\keys\
Signing a document A .proof file containing the original document, signer name, organisation, public-key fingerprint, signed timestamp Written to your chosen output folder. CipherSign does NOT upload it. You may then send it to recipients (which is your choice and outside our control).
Verifying a document The .proof file you select Stays on your device. Verification uses only the public keys you have imported as Contacts.
Importing a Contact Card The signer's name, organisation, public key, fingerprint (from a .card file) Local storage only.
Requesting a paid license Your email address (you send it to us) plus a one-way cryptographic hash of a hardware identifier (the underlying identifier never leaves your machine — only its irreversible hash) Sent to us by email at [email protected]. We use it to bind the issued license file to your specific machine.
Using the app day-to-day None No telemetry. No analytics. No crash reports. CipherSign performs no network communication during normal operation.
Documents you sign may themselves contain personal information. CipherSign does not inspect document content, but a signed contract typically contains names, addresses, and other personal data of the parties involved. The privacy of document content is governed by you — you decide what to sign and who to send the signed copy to. CipherSign is the cryptographic tool; it is not a data controller for document content.

3. What we DO NOT collect

For total clarity, CipherSign and CIPHERPLUS PTE. LTD. do not collect, store, or transmit any of the following:

  • The bytes of documents you sign or verify
  • Your signing keys (private or public) — they stay on your device
  • Your Contact Cards or contact list
  • Usage analytics, telemetry, or performance metrics
  • Crash reports (unless you choose to email us a crash log manually)
  • Your IP address, geolocation, browser fingerprint, or similar identifiers
  • Advertising identifiers — CipherSign serves no ads
  • Your underlying hardware identifier — only an irreversible, one-way hash of it (for license binding) is ever transmitted, and only when you request a license

4. The Machine ID hash — why it's safe

Paid signing licenses are bound to a specific machine. To do this, CipherSign computes a one-way cryptographic hash of a stable hardware identifier on your device. The hash is irreversible — given the hash, no party (including us) can recover the original identifier or use it to identify your device on a network.

When you request a paid license, you email us this Machine ID hash. We sign a license file binding that hash to a subscription expiry date. The license file is delivered back to you by email. We never request, receive, or store the underlying hardware identifier itself — only its irreversible hash.

5. Storage and security

All data CipherSign handles stays on your device, protected by Windows' built-in user-profile permissions. We recommend backing up your signing keys (the application provides guidance for this).

On our side, we store only your email address, Machine ID hash, license tier, and license expiry date in our internal customer records, used solely to support license re-issuance, renewal, and dispute resolution. These records are kept in a Singapore-based system protected by industry-standard access controls.

6. Third parties

CipherSign uses no third-party services in its operation: no analytics SDK, no advertising network, no cloud storage, no remote logging, no third-party fonts, no third-party telemetry.

The application is distributed via the Microsoft Store and direct download. When distributed via Microsoft Store, Microsoft may provide us, the publisher, with aggregate acquisition statistics (downloads, country breakdown, ratings) through its standard developer dashboards. This data is aggregated and does not identify individual users to us. Microsoft's own privacy practices for Store users are governed by the Microsoft Privacy Statement.

7. Your rights

Because CipherSign collects no personal data through the application itself, there is no application-side data to access, modify, or delete on our side. Your local data (keys, contacts, signed documents) is in your control on your own device.

For customer records on our side (email, Machine ID hash, license expiry):

  • Access: email [email protected] to request a copy of your records.
  • Correction: email us to update your email address or correct any record.
  • Deletion: email us to delete your customer records. Note that deletion ends your ability to renew or re-issue a license under your existing record.
  • Portability: the data we hold is so minimal that we can provide it as a plain-text email on request.

EU and UK users have these rights under GDPR / UK-GDPR. California users have equivalent rights under the CCPA / CPRA. Singapore users have equivalent rights under the PDPA. We respond to all such requests within 30 days.

8. Children

CipherSign is a business productivity tool and is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has supplied us with personal information, contact us and we will delete it.

9. International transfers

Because CipherSign processes data only locally on your device, no cross-border transfer of personal data occurs through the application itself. Customer records on our side are stored in Singapore. If you contact us by email from another country, that email is transmitted via your email provider and ours under their respective privacy practices.

10. Changes to this policy

We may update this policy from time to time. Material changes will be reflected by updating the "Last updated" date at the top and (where the change is significant) by a notice on the CipherSign product page. The current version is always available at cipherplus.io/ciphersign/privacy.html.

11. Governing law

This policy is governed by the laws of the Republic of Singapore, in accordance with the Personal Data Protection Act 2012. The application is also designed to comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the California Consumer Privacy Act ("CCPA"), to the extent those laws apply to non-EU / non-California developers serving users in those jurisdictions via international app distribution.

12. Contact

CIPHERPLUS PTE. LTD.
BLK 223, Bukit Batok East Ave 3, Singapore 650223
Email: [email protected]
Product page: cipherplus.io/ciphersign

For privacy-related queries please write to the email above with subject line "Privacy request — CipherSign" so we can route the request appropriately.