Curanor Privacy Policy

Version 1.0 · Effective May 27, 2026 · Last Updated May 27, 2026

Plain-English summary. Curanor is operated by Viciens, LLC. We collect the information needed to deliver an electronic-signature service: names, email addresses, IP addresses, and the documents you upload and sign. We keep signed documents and their audit trails for seven years because that is the recordkeeping window the law expects for contracts in South Carolina. We do not sell your data, we do not use your data for advertising, and we do not use your documents to train AI models. We operate in the United States. To exercise any privacy right, email privacy@curanor.com. This summary is provided for convenience; the binding policy is below.

1. Who We Are and What This Policy Covers

Curanor is an electronic-signature and document-management platform operated by Viciens, LLC, a South Carolina limited liability company doing business as 127 Foundry (“Company,” “we,” “us,” or “our”). Our website and platform are accessible at curanor.com and at tenant-specific subdomains.

This Privacy Policy describes how we collect, use, store, and share personal information when you interact with Curanor — whether you are a business customer (“Admin”) who uses our platform to create and send documents, or a counterparty (“Signer”) who receives and signs a document through a tokenized link we send on behalf of an Admin.

This Policy applies to all users of Curanor. It does not apply to data that Admins collect from their own customers or counterparties through documents they create using our platform — for that data, the Admin is the controller and the Admin's own privacy policy governs.

We operate exclusively in the United States. Our services, infrastructure, and Subprocessors are US-based.

2. Categories of Personal Data We Collect

Curanor has two distinct categories of people whose personal data we process. Each has a different data footprint.

2.1 Admin Data (Platform Customers)

Admins are individuals or businesses that create accounts on Curanor to manage, send, and track documents. We collect:

Account information:name, email address, password (stored as a salted cryptographic hash — never plaintext).
Billing information: payment-method details processed by Stripe, Inc. We do not store card numbers or CVVs directly; Stripe holds those under their own PCI DSS controls.
Usage data: IP address and user-agent string logged on each authenticated request; timestamps of key account actions.
Document content: any templates, uploaded PDFs, field layouts, or text content that Admins upload or configure on the platform.
Audit log entries: every significant action taken on a document or account (create, send, view, sign, void, download) is logged with IP, user agent, and timestamp for legal-compliance purposes.

2.2 Signer Data (Counterparties — No Account Required)

Signers are individuals who receive a document link via email and sign without creating an account. Signers interact through a unique tokenized URL. We collect:

Identity information provided by the sending Admin: name and email address entered by the Admin when setting up the envelope.
Network data: IP address and user-agent string at the time of each signing-related action (link click, document view, consent to electronic signatures, signature submission).
Signature image: a PNG image of the drawn or typed signature captured at the time of signing.
Signed document content: the completed PDF containing all fields filled by all parties, sealed cryptographically at completion.
Consent record:timestamp of the Signer's explicit consent to conduct business electronically, as required by ESIGN/UETA.

We do not require Signers to create passwords, payment methods, or persistent accounts. Signer contact with us ends when the document is sealed, except for the Sealed Document that is emailed to them on completion.

3. How We Use Personal Data

We use personal data only for the purposes listed below. We do not sell personal data. We do not use personal data for targeted advertising. We do not use Customer Content to train artificial-intelligence or machine-learning models.

Purpose	Data used	Basis
Provide and operate the platform (create accounts, send documents, process signatures)	Admin account data, Signer identity and signature data	Performance of contract / service delivery
Authenticate users and verify signing tokens	Email, password hash, token, IP	Security; contractual necessity
Maintain legally required audit trails for signed documents	IP, user agent, timestamps, consent records, signature images, Sealed Documents	Legal obligation; ESIGN/UETA compliance
Process billing and manage subscriptions	Billing info (via Stripe)	Performance of contract
Send transactional emails (signing invitations, completion notifications, receipts)	Signer and Admin email	Performance of contract
Detect fraud, abuse, and unauthorized access	IP, user agent, log patterns	Legitimate interest
Respond to support requests	Account data, relevant contract context	Legitimate interest; contractual necessity
Comply with legal obligations (court orders, subpoenas, regulatory demands)	As minimally required	Legal obligation

4. How We Share Personal Data

We do not sell, rent, or trade personal data to third parties. We share personal data only with the Subprocessors listed below, for the stated purposes, and only to the extent necessary.

4.1 Subprocessors

Subprocessor	Country	Purpose
Supabase, Inc.	United States	Primary database (Admin accounts, document metadata, audit logs, signer records) and authentication infrastructure
Vercel, Inc.	United States	Application hosting and edge delivery
Cloudflare, Inc. (R2 Storage)	United States	Storage of document templates, sealed PDFs, and signature images
Resend, Inc.	United States	Transactional email delivery (signing invitations, completion emails, notifications)
Stripe, Inc.	United States	Payment processing and subscription billing for Admin accounts

We do not use third-party analytics services (such as Google Analytics or Mixpanel) on the platform. We do not use third-party advertising networks. We do not use marketing-automation platforms that receive personal data.

4.2 Other Disclosure Scenarios

We may disclose personal data without prior notice if we believe in good faith that disclosure is necessary to: comply with a legal obligation (subpoena, court order, regulatory inquiry); protect the rights, property, or safety of Curanor, our customers, or the public; investigate or prevent fraud or unauthorized use; or enforce our Terms of Service.

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity subject to the same privacy protections described here. We will notify Admin users of any such change of control by email.

5. Sensitive Personal Information

Signature images are biometric-adjacent data — they represent a person's handwritten mark and are used for identity authentication in the context of a legal document. We treat signature images as sensitive personal information. They are:

Collected only at the time of signing and only for the specific document being signed;
Stored encrypted at rest as part of the Sealed Document in Cloudflare R2;
Used solely to complete and authenticate the document to which they are attached;
Never shared with advertisers, data brokers, or any third party except as required by law; and
Not used to train models or derive inferences about the individual beyond the document itself.

We do not collect biometric data for identification purposes independent of the document-signing context, genetic data, health information, precise geolocation, or financial-account credentials.

6. Children's Privacy

Curanor is not directed at, and does not knowingly collect personal information from, individuals under the age of 13. Our platform is a business productivity tool for document execution; it is not designed for or marketed to children.

If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information promptly. If you believe we may have collected information from a minor, contact us at privacy@curanor.com.

7. How Long We Keep Personal Data

Data type	Retention	Rationale
Sealed Documents and Audit Records	7 years from execution	Matches S.C. Code § 15-3-530 statute of limitations for written contracts plus a one-year operational buffer; aligns with common recordkeeping requirements for real-estate and business transactions
Signature images (embedded in Sealed Documents)	Retained indefinitely as part of the Sealed Document	Required to maintain document integrity and non-repudiation; cannot be surgically removed without invalidating the cryptographic seal
Active Admin account data	Duration of account, plus 30 days after deletion request	Allows recovery window
Deleted Admin account data	Purged within 30 days of confirmed deletion	After 30 days, account data is purged from production systems
Signer personal data (name, email, IP, UA)	7 years (with the associated Audit Record)	Cannot be meaningfully separated from the audit record without destroying its evidentiary value
Billing records	7 years	IRS guidance on business records
Active session and signing tokens	Short-lived; cryptographically consumed on use	Security requirement

When a Sealed Document reaches the end of its retention period, it is deleted from storage along with its associated Audit Record entries. We may retain de-identified, aggregated statistics indefinitely.

8. Security

We implement industry-standard technical and organizational safeguards to protect personal data:

All data in transit is encrypted via TLS 1.2 or higher.
Data at rest is encrypted by our storage providers (Supabase and Cloudflare R2).
Sealed Documents include a cryptographic RSA signature over a SHA-256 hash of the document, providing tamper evidence.
Signing tokens are single-use and are cryptographically consumed upon completion of the signing transaction.
Access to production data is limited to authorized personnel with a business need.
Supabase Row Level Security (RLS) policies restrict data access at the database level.

No method of transmission or storage is 100% secure. We will notify affected users and relevant authorities of confirmed data breaches as required by applicable law.

9. Your Privacy Rights — US State Laws

The following rights are available to residents of states with comprehensive consumer privacy laws, including (but not limited to) California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Oregon (OCPA), Texas (TDPSA), Tennessee (TIPA), Montana (MCDPA), Indiana (INCDPA), Maryland (MDDPA), and other states with substantially similar legislation enacted as of the effective date of this Policy.

9.1 Right to Know / Access

You may request a copy of the personal information we hold about you, including the categories of data collected, the purposes for which it is used, and the third parties with whom it is shared.

9.2 Right to Delete / Erasure

You may request deletion of your personal information. We will honor deletion requests subject to legal retention requirements — for example, we cannot delete signed documents or their audit logs during the seven-year retention period because those records have legal evidentiary obligations. We will delete data outside those mandatory retention categories within 30 days.

9.3 Right to Correct

You may request correction of inaccurate personal information we hold about you. Admin users can update most account information directly in account settings.

9.4 Right to Portability

You may request a portable copy of your personal information in a commonly used machine-readable format.

9.5 Right to Opt Out of Sale

We do not sell personal information. If this changes, you will be notified and given the right to opt out before any such sale occurs.

9.6 Right to Opt Out of Targeted Advertising

We do not use personal data for targeted advertising. We do not share data with advertising platforms.

9.7 Right to Opt Out of Profiling

We do not engage in automated profiling that produces legal or similarly significant effects.

9.8 Right to Non-Discrimination

Exercising any of the above rights will not result in denial of service, different pricing, or different service quality, except where the data is strictly necessary to provide the service you requested (for example, we cannot process a document without a Signer's name and email).

9.9 Right to Appeal

If we decline to act on a rights request, we will explain why in writing within the required timeframe. You may appeal that decision by replying to our response email or by contacting privacy@curanor.comwith the subject line “Privacy Rights Appeal.” We will respond to appeals within 45 days. If your appeal is denied and you are a Colorado resident, you may submit a complaint to the Colorado Attorney General at coag.gov. Other state attorneys general provide similar complaint mechanisms.

10. Global Privacy Control

Curanor honors the Global Privacy Control (GPC) signal as required by the Colorado Privacy Act. If your browser or device transmits a GPC signal indicating a preference to opt out of the sale or sharing of personal data for targeted advertising, Curanor will treat that signal as a valid opt-out request for that browser/device.

Because we do not sell personal data or engage in targeted advertising, receiving a GPC signal will have no practical additional effect on how we handle your data — but we will record and honor it as required by law.

11. How to Exercise Your Rights

To submit a privacy rights request, email privacy@curanor.comwith the subject line “Privacy Rights Request.” Include:

Your full name;
Your email address associated with the account (or the address at which you received a document signing invitation);
The specific right(s) you are exercising (access, delete, correct, portability, other); and
If you are an authorized agent acting on behalf of another individual: a copy of that individual's written authorization.

We will verify your identity before acting on any request. For Admin users, we may require authentication into the account. For Signers who do not have an account, we will verify by sending a confirmation email to the address you provide and requiring a response.

We will respond to verified requests within:

45 days for most requests;
Up to 90 days total if we notify you of an extension within the initial 45-day window; and
45 days for appeal responses after we receive the appeal.

We do not charge a fee for good-faith requests.

12. Auto-Renewal Disclosure

If you subscribe to a paid Curanor plan, your subscription automatically renews at the end of each billing period at the then-current subscription price, unless you cancel before the renewal date. Cancellation instructions are available in your account settings and in our Terms of Service.

At the time of initial purchase, we present the subscription terms (price, billing frequency, and auto-renewal terms) clearly at checkout, and we record your consent to those terms along with the Terms version number and a timestamp, which we retain on your organization's account record. This disclosure is provided to comply with the California Automatic Renewal Law and similar state-level requirements.

13. Changes to This Policy

We will post changes to this Policy on this page with an updated “Last Updated” date. If we make material changes — changes that affect how we use personal data in a way that is less protective than what is described here — we will notify current Admin users by email at least 30 days before the changes take effect. For non-material changes (corrections, clarifications, new Subprocessors that do not expand data use), we will post the update without advance email notice.

Your continued use of Curanor after the effective date of a revised Policy constitutes your acceptance of the changes.

14. Contact

For privacy questions, rights requests, or concerns:

Privacy contact: privacy@curanor.com

Contracting entity: Viciens, LLC d/b/a 127 Foundry

Mailing address: 30 N Gould St, Ste N, Sheridan, WY 82801, USA

We will respond to all inquiries within 10 business days.