Plume

Privacy Policy

Last updated: March 14, 2026

1. Introduction

Plume ("we", "us", "our") is a personal project operated by Robin Bonduelle, based in France. Plume is a document signing platform ("the Service"). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Service, in compliance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and applicable French data protection laws.

2. Data Controller

The data controller for the processing of your personal data is:
Robin Bonduelle (operating as Plume)
Contact: robin.bonduelle@gmail.com

3. Data We Collect

We collect and process the following categories of personal data:

3.1 Account Data

  • Email address — used for account creation, authentication, and notifications
  • Full name — used for account identification and display
  • Password (hashed) — used for authentication (when using email/password login)
  • Google account data — name and email only, when using Google SSO login

3.2 Contact Data

  • Contact names and email addresses — stored for managing your signatories

3.3 Document Data

  • Uploaded PDF documents — stored to provide the signing service
  • Signature and paraphe drawings — created and stored during the signing process
  • Text field entries — any text entered in document fields during signing
  • Signed/completed PDF documents — generated after the signing process

3.4 Audit and Security Data

  • IP addresses — logged for audit trail and security purposes
  • Timestamps — recorded for all signing events
  • User agent information — browser and device details for audit purposes

3.5 Analytics Data

  • Usage analytics — collected via Amplitude to understand how the Service is used and improve user experience. This includes page views, feature usage, and interaction patterns. No document content is included in analytics data.

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

  • Performance of a contract (Art. 6(1)(b)) — processing necessary to provide the Service you requested (account data, document data, contact data)
  • Legitimate interest (Art. 6(1)(f)) — processing for security, fraud prevention, audit trail, and service improvement (audit data, analytics data)

5. How We Use Your Data

We use your personal data exclusively for the following purposes:

  • Providing and operating the document signing Service
  • Authenticating your identity and managing your account
  • Sending signing requests and notifications by email
  • Generating audit trails for signed documents
  • Improving the Service through aggregated, anonymized analytics
  • Ensuring the security and integrity of the Service

We do not sell, rent, or share your personal data with third parties for marketing purposes.

6. Data Storage and Transfers

Your data is stored on servers located in the European Union, hosted by our infrastructure provider Supabase. All data processing occurs within the EU.

We use the following third-party processors:

  • Supabase (EU region) — database, authentication, and file storage
  • Vercel — application hosting and delivery
  • Resend — transactional email delivery (signing requests, notifications)
  • Amplitude — product analytics

Where any sub-processor transfers data outside the EU, appropriate safeguards are in place (such as Standard Contractual Clauses) in accordance with GDPR Chapter V.

7. Cookies

We use only strictly necessary cookies for authentication and session management. We do not use advertising cookies, tracking cookies, or any non-essential cookies. As these cookies are strictly necessary for the Service to function, no consent is required under the ePrivacy Directive.

8. Data Retention

  • Account data — retained as long as your account is active. Deleted upon account deletion request.
  • Documents and signatures — retained as long as your account is active. You may delete individual documents at any time.
  • Audit trail data — retained for a period of 5 years after document completion, for legal compliance purposes.
  • Analytics data — retained in anonymized/aggregated form. Individual-level analytics data is retained for up to 12 months.

9. Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right of access (Art. 15) — request a copy of your personal data
  • Right to rectification (Art. 16) — request correction of inaccurate data
  • Right to erasure (Art. 17) — request deletion of your personal data
  • Right to restriction (Art. 18) — request limitation of data processing
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
  • Right to object (Art. 21) — object to processing based on legitimate interest

To exercise any of these rights, contact us at robin.bonduelle@gmail.com. We will respond within 30 days of receiving your request.

You also have the right to lodge a complaint with the French data protection authority (CNIL — www.cnil.fr) if you believe your data protection rights have been violated.

10. Children's Privacy

The Service is not intended for users under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such data promptly.

11. Security

We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS), secure authentication, and access controls. However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be effective immediately upon posting on this page. We encourage you to review this page periodically. Your continued use of the Service after any changes constitutes your acceptance of the revised policy.

13. Contact

For any questions or requests regarding this Privacy Policy or your personal data, contact us at: robin.bonduelle@gmail.com